summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorWenzong Fan <wenzong.fan@windriver.com>2014-11-12 08:25:48 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2014-11-20 14:08:10 (GMT)
commit07a31ed4d19edf7eec47cdf2a65b0dc53e2c713c (patch)
tree99b5211a3de9fd73ec08da91cd269d8186ed0f70 /meta
parent587b28b551308c8b772d088788452f6ca7420909 (diff)
downloadpoky-07a31ed4d19edf7eec47cdf2a65b0dc53e2c713c.tar.gz
python: Fix CVE-2014-7185
Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function. This back-ported patch fixes CVE-2014-7185 (From OE-Core rev: 49ceed974e39ab8ac4be410e5caa5e1ef7a646d9) Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-devtools/python/python/python-2.7.3-CVE-2014-7185.patch75
-rw-r--r--meta/recipes-devtools/python/python_2.7.3.bb1
2 files changed, 76 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/python-2.7.3-CVE-2014-7185.patch b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2014-7185.patch
new file mode 100644
index 0000000..60ef145
--- /dev/null
+++ b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2014-7185.patch
@@ -0,0 +1,75 @@
1From 104eb318283dde5203aa6cf7384287bef181e308 Mon Sep 17 00:00:00 2001
2From: Wenzong Fan <wenzong.fan@windriver.com>
3Date: Wed, 12 Nov 2014 01:58:02 -0500
4Subject: [PATCH] python: fix CVE-2014-7185
5
6Reference: http://bugs.python.org/issue21831
7
8CVE-2014-7185: Integer overflow in bufferobject.c in Python before
92.7.8 allows context-dependent attackers to obtain sensitive
10information from process memory via a large size and offset in a
11"buffer" function.
12
13Upstream-Status: Backport
14
15Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
16---
17 Lib/test/test_buffer.py | 6 ++++++
18 Misc/NEWS | 3 +++
19 Objects/bufferobject.c | 2 +-
20 3 files changed, 10 insertions(+), 1 deletion(-)
21
22diff --git a/Lib/test/test_buffer.py b/Lib/test/test_buffer.py
23index 6bdc34d..3ac1f8c 100644
24--- a/Lib/test/test_buffer.py
25+++ b/Lib/test/test_buffer.py
26@@ -4,6 +4,7 @@ For now, tests just new or changed functionality.
27
28 """
29
30+import sys
31 import unittest
32 from test import test_support
33
34@@ -21,6 +22,11 @@ class BufferTests(unittest.TestCase):
35 self.assertEqual(b[start:stop:step],
36 s[start:stop:step])
37
38+ def test_large_buffer_size_and_offset(self):
39+ data = bytearray('hola mundo')
40+ buf = buffer(data, sys.maxsize, sys.maxsize)
41+ self.assertEqual(buf[:4096], "")
42+
43
44 def test_main():
45 with test_support.check_py3k_warnings(("buffer.. not supported",
46diff --git a/Misc/NEWS b/Misc/NEWS
47index e8778ad..77396c5 100644
48--- a/Misc/NEWS
49+++ b/Misc/NEWS
50@@ -1896,6 +1896,9 @@ What's New in Python 2.7 Release Candidate 1?
51 Core and Builtins
52 -----------------
53
54+- Issue #21831: Avoid integer overflow when large sizes and offsets are given to
55+ the buffer type. CVE-2014-7185.
56+
57 - Issue #8271: during the decoding of an invalid UTF-8 byte sequence, only the
58 start byte and the continuation byte(s) are now considered invalid, instead
59 of the number of bytes specified by the start byte.
60diff --git a/Objects/bufferobject.c b/Objects/bufferobject.c
61index c52f0bc..c542506 100644
62--- a/Objects/bufferobject.c
63+++ b/Objects/bufferobject.c
64@@ -88,7 +88,7 @@ get_buf(PyBufferObject *self, void **ptr, Py_ssize_t *size,
65 *size = count;
66 else
67 *size = self->b_size;
68- if (offset + *size > count)
69+ if (*size > count - offset)
70 *size = count - offset;
71 }
72 return 1;
73--
741.7.9.5
75
diff --git a/meta/recipes-devtools/python/python_2.7.3.bb b/meta/recipes-devtools/python/python_2.7.3.bb
index f2e6fde..50c751e 100644
--- a/meta/recipes-devtools/python/python_2.7.3.bb
+++ b/meta/recipes-devtools/python/python_2.7.3.bb
@@ -39,6 +39,7 @@ SRC_URI += "\
39 file://json-flaw-fix.patch \ 39 file://json-flaw-fix.patch \
40 file://posix_close.patch \ 40 file://posix_close.patch \
41 file://remove-BOM-insection-code.patch \ 41 file://remove-BOM-insection-code.patch \
42 file://python-2.7.3-CVE-2014-7185.patch \
42" 43"
43 44
44S = "${WORKDIR}/Python-${PV}" 45S = "${WORKDIR}/Python-${PV}"