Git-Url:
http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-0.8.git;a=commitdiff;h=8743fd062258b92c2e0f88d32eaf741cc5ac5d26
commit 8743fd062258b92c2e0f88d32eaf741cc5ac5d26
Author: Miklos Vajna <[EMAIL PROTECTED]>
Date: Tue Aug 26 17:57:04 2008 +0200
python-2.5.2-2kalgan2-i686
- added CVE-2008-2315, CVE-2008-2316, CVE-2008-3142 and CVE-2008-3144
- closes #3286
diff --git a/source/devel/python/CVE-2008-2315.patch
b/source/devel/python/CVE-2008-2315.patch
new file mode 100644
index 0000000..19a654b
--- /dev/null
+++ b/source/devel/python/CVE-2008-2315.patch
@@ -0,0 +1,581 @@
+Index: Python-2.5.2/Objects/unicodeobject.c
+===================================================================
+--- Python-2.5.2.orig/Objects/unicodeobject.c
++++ Python-2.5.2/Objects/unicodeobject.c
+@@ -240,6 +240,11 @@ PyUnicodeObject *_PyUnicode_New(Py_ssize
+ return unicode_empty;
+ }
+
++ /* Ensure we won't overflow the size. */
++ if (length > ((PY_SSIZE_T_MAX / sizeof(Py_UNICODE)) - 1)) {
++ return (PyUnicodeObject *)PyErr_NoMemory();
++ }
++
+ /* Unicode freelist & memory allocation */
+ if (unicode_freelist) {
+ unicode = unicode_freelist;
+@@ -1102,6 +1107,9 @@ PyObject *PyUnicode_EncodeUTF7(const Py_
+ char * out;
+ char * start;
+
++ if (cbAllocated / 5 != size)
++ return PyErr_NoMemory();
++
+ if (size == 0)
+ return PyString_FromStringAndSize(NULL, 0);
+
+@@ -1700,8 +1708,9 @@ PyUnicode_EncodeUTF16(const Py_UNICODE *
+ {
+ PyObject *v;
+ unsigned char *p;
++ Py_ssize_t nsize, bytesize;
+ #ifdef Py_UNICODE_WIDE
+- int i, pairs;
++ Py_ssize_t i, pairs;
+ #else
+ const int pairs = 0;
+ #endif
+@@ -1724,8 +1733,15 @@ PyUnicode_EncodeUTF16(const Py_UNICODE *
+ if (s[i] >= 0x10000)
+ pairs++;
+ #endif
+- v = PyString_FromStringAndSize(NULL,
+- 2 * (size + pairs + (byteorder == 0)));
++ /* 2 * (size + pairs + (byteorder == 0)) */
++ if (size > PY_SSIZE_T_MAX ||
++ size > PY_SSIZE_T_MAX - pairs - (byteorder == 0))
++ return PyErr_NoMemory();
++ nsize = (size + pairs + (byteorder == 0));
++ bytesize = nsize * 2;
++ if (bytesize / 2 != nsize)
++ return PyErr_NoMemory();
++ v = PyString_FromStringAndSize(NULL, bytesize);
+ if (v == NULL)
+ return NULL;
+
+@@ -2053,6 +2069,11 @@ PyObject *unicodeescape_string(const Py_
+ char *p;
+
+ static const char *hexdigit = "0123456789abcdef";
++#ifdef Py_UNICODE_WIDE
++ const Py_ssize_t expandsize = 10;
++#else
++ const Py_ssize_t expandsize = 6;
++#endif
+
+ /* Initial allocation is based on the longest-possible unichr
+ escape.
+@@ -2068,13 +2089,12 @@ PyObject *unicodeescape_string(const Py_
+ escape.
+ */
+
++ if (size > (PY_SSIZE_T_MAX - 2 - 1) / expandsize)
++ return PyErr_NoMemory();
++
+ repr = PyString_FromStringAndSize(NULL,
+ 2
+-#ifdef Py_UNICODE_WIDE
+- + 10*size
+-#else
+- + 6*size
+-#endif
++ + expandsize*size
+ + 1);
+ if (repr == NULL)
+ return NULL;
+@@ -2315,12 +2335,16 @@ PyObject *PyUnicode_EncodeRawUnicodeEsca
+ char *q;
+
+ static const char *hexdigit = "0123456789abcdef";
+-
+ #ifdef Py_UNICODE_WIDE
+- repr = PyString_FromStringAndSize(NULL, 10 * size);
++ const Py_ssize_t expandsize = 10;
+ #else
+- repr = PyString_FromStringAndSize(NULL, 6 * size);
++ const Py_ssize_t expandsize = 6;
+ #endif
++
++ if (size > PY_SSIZE_T_MAX / expandsize)
++ return PyErr_NoMemory();
++
++ repr = PyString_FromStringAndSize(NULL, expandsize * size);
+ if (repr == NULL)
+ return NULL;
+ if (size == 0)
+@@ -4730,6 +4754,11 @@ PyUnicodeObject *pad(PyUnicodeObject *se
+ return self;
+ }
+
++ if (left > PY_SSIZE_T_MAX - self->length ||
++ right > PY_SSIZE_T_MAX - (left + self->length)) {
++ PyErr_SetString(PyExc_OverflowError, "padded string is too long");
++ return NULL;
++ }
+ u = _PyUnicode_New(left + self->length + right);
+ if (u) {
+ if (left)
+Index: Python-2.5.2/Objects/tupleobject.c
+===================================================================
+--- Python-2.5.2.orig/Objects/tupleobject.c
++++ Python-2.5.2/Objects/tupleobject.c
+@@ -60,11 +60,12 @@ PyTuple_New(register Py_ssize_t size)
+ Py_ssize_t nbytes = size * sizeof(PyObject *);
+ /* Check for overflow */
+ if (nbytes / sizeof(PyObject *) != (size_t)size ||
+- (nbytes += sizeof(PyTupleObject) - sizeof(PyObject *))
+- <= 0)
++ (nbytes > PY_SSIZE_T_MAX - sizeof(PyTupleObject) -
sizeof(PyObject *)))
+ {
+ return PyErr_NoMemory();
+ }
++ nbytes += sizeof(PyTupleObject) - sizeof(PyObject *);
++
+ op = PyObject_GC_NewVar(PyTupleObject, &PyTuple_Type, size);
+ if (op == NULL)
+ return NULL;
+Index: Python-2.5.2/Objects/bufferobject.c
+===================================================================
+--- Python-2.5.2.orig/Objects/bufferobject.c
++++ Python-2.5.2/Objects/bufferobject.c
+@@ -427,6 +427,10 @@ buffer_repeat(PyBufferObject *self, Py_s
+ count = 0;
+ if (!get_buf(self, &ptr, &size, ANY_BUFFER))
+ return NULL;
++ if (count > PY_SSIZE_T_MAX / size) {
++ PyErr_SetString(PyExc_MemoryError, "result too large");
++ return NULL;
++ }
+ ob = PyString_FromStringAndSize(NULL, size * count);
+ if ( ob == NULL )
+ return NULL;
+Index: Python-2.5.2/Objects/longobject.c
+===================================================================
+--- Python-2.5.2.orig/Objects/longobject.c
++++ Python-2.5.2/Objects/longobject.c
+@@ -70,6 +70,8 @@ _PyLong_New(Py_ssize_t size)
+ PyErr_NoMemory();
+ return NULL;
+ }
++ /* XXX(nnorwitz): This can overflow --
++ PyObject_NEW_VAR / _PyObject_VAR_SIZE need to detect overflow */
+ return PyObject_NEW_VAR(PyLongObject, &PyLong_Type, size);
+ }
+
+Index: Python-2.5.2/Objects/stringobject.c
+===================================================================
+--- Python-2.5.2.orig/Objects/stringobject.c
++++ Python-2.5.2/Objects/stringobject.c
+@@ -76,6 +76,11 @@ PyString_FromStringAndSize(const char *s
+ return (PyObject *)op;
+ }
+
++ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
++ PyErr_SetString(PyExc_OverflowError, "string is too large");
++ return NULL;
++ }
++
+ /* Inline PyObject_NewVar */
+ op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
+ if (op == NULL)
+@@ -111,7 +116,7 @@ PyString_FromString(const char *str)
+
+ assert(str != NULL);
+ size = strlen(str);
+- if (size > PY_SSIZE_T_MAX) {
++ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
+ PyErr_SetString(PyExc_OverflowError,
+ "string is too long for a Python string");
+ return NULL;
+@@ -972,14 +977,24 @@ string_concat(register PyStringObject *a
+ Py_INCREF(a);
+ return (PyObject *)a;
+ }
++ /* Check that string sizes are not negative, to prevent an
++ overflow in cases where we are passed incorrectly-created
++ strings with negative lengths (due to a bug in other code).
++ */
+ size = a->ob_size + b->ob_size;
+- if (size < 0) {
++ if (a->ob_size < 0 || b->ob_size < 0 ||
++ a->ob_size > PY_SSIZE_T_MAX - b->ob_size) {
+ PyErr_SetString(PyExc_OverflowError,
+ "strings are too large to concat");
+ return NULL;
+ }
+
+ /* Inline PyObject_NewVar */
++ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
++ PyErr_SetString(PyExc_OverflowError,
++ "strings are too large to concat");
++ return NULL;
++ }
+ op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
+ if (op == NULL)
+ return PyErr_NoMemory();
+Index: Python-2.5.2/Misc/NEWS
+===================================================================
+--- Python-2.5.2.orig/Misc/NEWS
++++ Python-2.5.2/Misc/NEWS
+@@ -32,6 +32,8 @@ What's New in Python 2.5.2c1?
+ Core and builtins
+ -----------------
+
++- Apply security patches from Apple.
++
+ - Issue #2620: Overflow checking when allocating or reallocating memory
+ was not always being done properly in some python types and extension
+ modules. PyMem_MALLOC, PyMem_REALLOC, PyMem_NEW and PyMem_RESIZE have
+Index: Python-2.5.2/Lib/test/seq_tests.py
+===================================================================
+--- Python-2.5.2.orig/Lib/test/seq_tests.py
++++ Python-2.5.2/Lib/test/seq_tests.py
+@@ -307,11 +307,13 @@ class CommonTest(unittest.TestCase):
+ self.assertEqual(id(s), id(s*1))
+
+ def test_bigrepeat(self):
+- x = self.type2test([0])
+- x *= 2**16
+- self.assertRaises(MemoryError, x.__mul__, 2**16)
+- if hasattr(x, '__imul__'):
+- self.assertRaises(MemoryError, x.__imul__, 2**16)
++ import sys
++ if sys.maxint <= 2147483647:
++ x = self.type2test([0])
++ x *= 2**16
++ self.assertRaises(MemoryError, x.__mul__, 2**16)
++ if hasattr(x, '__imul__'):
++ self.assertRaises(MemoryError, x.__imul__, 2**16)
+
+ def test_subscript(self):
+ a = self.type2test([10, 11])
+Index: Python-2.5.2/Lib/test/test_strop.py
+===================================================================
+--- Python-2.5.2.orig/Lib/test/test_strop.py
++++ Python-2.5.2/Lib/test/test_strop.py
+@@ -115,6 +115,25 @@ class StropFunctionTestCase(unittest.Tes
+ strop.uppercase
+ strop.whitespace
+
++ @test_support.precisionbigmemtest(size=test_support._2G - 1, memuse=5)
++ def test_stropjoin_huge_list(self, size):
++ a = "A" * size
++ try:
++ r = strop.join([a, a], a)
++ except OverflowError:
++ pass
++ else:
++ self.assertEquals(len(r), len(a) * 3)
++
++ @test_support.precisionbigmemtest(size=test_support._2G - 1, memuse=1)
++ def test_stropjoin_huge_tup(self, size):
++ a = "A" * size
++ try:
++ r = strop.join((a, a), a)
++ except OverflowError:
++ pass # acceptable on 32-bit
++ else:
++ self.assertEquals(len(r), len(a) * 3)
+
+ transtable =
'\000\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037
!"#$%&\'()*+,-./0123456789:;<=>[EMAIL
PROTECTED]|}~\177\200\201\202\203\204\205\206\207\210\211\212\213\214\215\216\217\220\221\222\223\224\225\226\227\230\231\232\233\234\235\236\237\240\241\242\243\244\245\246\247\250\251\252\253\254\255\256\257\260\261\262\263\264\265\266\267\270\271\272\273\274\275\276\277\300\301\302\303\304\305\306\307\310\311\312\313\314\315\316\317\320\321\322\323\324\325\326\327\330\331\332\333\334\335\336\337\340\341\342\343\344\345\346\347\350\351\352\353\354\355\356\357\360\361\362\363\364\365\366\367\370\371\372\373\374\375\376\377'
+
+Index: Python-2.5.2/Lib/test/test_bigmem.py
+===================================================================
+--- Python-2.5.2.orig/Lib/test/test_bigmem.py
++++ Python-2.5.2/Lib/test/test_bigmem.py
+@@ -1,5 +1,5 @@
+ from test import test_support
+-from test.test_support import bigmemtest, _1G, _2G
++from test.test_support import bigmemtest, _1G, _2G, _4G, precisionbigmemtest
+
+ import unittest
+ import operator
+@@ -54,6 +54,22 @@ class StrTest(unittest.TestCase):
+ self.assertEquals(s[lpadsize:-rpadsize], SUBSTR)
+ self.assertEquals(s.strip(), SUBSTR.strip())
+
++ @precisionbigmemtest(size=_2G - 1, memuse=1)
++ def test_center_unicode(self, size):
++ SUBSTR = u' abc def ghi'
++ try:
++ s = SUBSTR.center(size)
++ except OverflowError:
++ pass # acceptable on 32-bit
++ else:
++ self.assertEquals(len(s), size)
++ lpadsize = rpadsize = (len(s) - len(SUBSTR)) // 2
++ if len(s) % 2:
++ lpadsize += 1
++ self.assertEquals(s[lpadsize:-rpadsize], SUBSTR)
++ self.assertEquals(s.strip(), SUBSTR.strip())
++ del s
++
+ @bigmemtest(minsize=_2G, memuse=2)
+ def test_count(self, size):
+ SUBSTR = ' abc def ghi'
+@@ -70,10 +86,44 @@ class StrTest(unittest.TestCase):
+ s = '.' * size
+ self.assertEquals(len(s.decode('utf-8')), size)
+
++ def basic_encode_test(self, size, enc, c=u'.', expectedsize=None):
++ if expectedsize is None:
++ expectedsize = size
++
++ s = c * size
++ self.assertEquals(len(s.encode(enc)), expectedsize)
++
+ @bigmemtest(minsize=_2G + 2, memuse=3)
+ def test_encode(self, size):
+- s = u'.' * size
+- self.assertEquals(len(s.encode('utf-8')), size)
++ return self.basic_encode_test(size, 'utf-8')
++
++ @precisionbigmemtest(size=_4G / 6 + 2, memuse=2)
++ def test_encode_raw_unicode_escape(self, size):
++ try:
++ return self.basic_encode_test(size, 'raw_unicode_escape')
++ except MemoryError:
++ pass # acceptable on 32-bit
++
++ @precisionbigmemtest(size=_4G / 5 + 70, memuse=3)
++ def test_encode_utf7(self, size):
++ try:
++ return self.basic_encode_test(size, 'utf7')
++ except MemoryError:
++ pass # acceptable on 32-bit
++
++ @precisionbigmemtest(size=_2G-1, memuse=2)
++ def test_decodeascii(self, size):
++ return self.basic_encode_test(size, 'ascii', c='A')
++
++ @precisionbigmemtest(size=_4G / 5, memuse=6+2)
++ def test_unicode_repr_oflw(self, size):
++ try:
++ s = u"\uAAAA"*size
++ r = repr(s)
++ except MemoryError:
++ pass # acceptable on 32-bit
++ else:
++ self.failUnless(s == eval(r))
+
+ @bigmemtest(minsize=_2G, memuse=2)
+ def test_endswith(self, size):
+@@ -459,6 +509,11 @@ class StrTest(unittest.TestCase):
+ self.assertEquals(s.count('\\'), size)
+ self.assertEquals(s.count('0'), size * 2)
+
++ @bigmemtest(minsize=2**32 / 5, memuse=6+2)
++ def test_unicode_repr(self, size):
++ s = u"\uAAAA" * size
++ self.failUnless(len(repr(s)) > size)
++
+ # This test is meaningful even with size < 2G, as long as the
+ # doubled string is > 2G (but it tests more if both are > 2G :)
+ @bigmemtest(minsize=_1G + 2, memuse=3)
+@@ -642,6 +697,35 @@ class TupleTest(unittest.TestCase):
+ def test_repeat_large(self, size):
+ return self.basic_test_repeat(size)
+
++ @bigmemtest(minsize=_1G - 1, memuse=12)
++ def test_repeat_large_2(self, size):
++ return self.basic_test_repeat(size)
++
++ @precisionbigmemtest(size=_1G - 1, memuse=9)
++ def test_from_2G_generator(self, size):
++ try:
++ t = tuple(xrange(size))
++ except MemoryError:
++ pass # acceptable on 32-bit
++ else:
++ count = 0
++ for item in t:
++ self.assertEquals(item, count)
++ count += 1
++ self.assertEquals(count, size)
++
++ @precisionbigmemtest(size=_1G - 25, memuse=9)
++ def test_from_almost_2G_generator(self, size):
++ try:
++ t = tuple(xrange(size))
++ count = 0
++ for item in t:
++ self.assertEquals(item, count)
++ count += 1
++ self.assertEquals(count, size)
++ except MemoryError:
++ pass # acceptable, expected on 32-bit
++
+ # Like test_concat, split in two.
+ def basic_test_repr(self, size):
+ t = (0,) * size
+@@ -957,8 +1041,34 @@ class ListTest(unittest.TestCase):
+ self.assertEquals(l[:10], [1] * 10)
+ self.assertEquals(l[-10:], [5] * 10)
+
++class BufferTest(unittest.TestCase):
++
++ @precisionbigmemtest(size=_1G, memuse=4)
++ def test_repeat(self, size):
++ try:
++ b = buffer("AAAA")*size
++ except MemoryError:
++ pass # acceptable on 32-bit
++ else:
++ count = 0
++ for c in b:
++ self.assertEquals(c, 'A')
++ count += 1
++ self.assertEquals(count, size*4)
++
+ def test_main():
+- test_support.run_unittest(StrTest, TupleTest, ListTest)
++ test_support.run_unittest(StrTest, TupleTest, ListTest, BufferTest)
++
++# Expected failures (crashers)
++# del StrTest.test_center_unicode
++del StrTest.test_decodeascii
++# del StrTest.test_encode_utf32
++# del StrTest.test_encode_utf7
++# del StrTest.test_encode_raw_unicode_escape
++#
++# del TupleTest.test_from_2G_generator
++#
++# del BufferTest.test_repeat
+
+ if __name__ == '__main__':
+ if len(sys.argv) > 1:
+Index: Python-2.5.2/Lib/test/test_support.py
+===================================================================
+--- Python-2.5.2.orig/Lib/test/test_support.py
++++ Python-2.5.2/Lib/test/test_support.py
+@@ -33,6 +33,7 @@ verbose = 1 # Flag set to 0
+ use_resources = None # Flag set to [] by regrtest.py
+ max_memuse = 0 # Disable bigmem tests (they will still be run with
+ # small sizes, to make sure they work.)
++real_max_memuse = 0
+
+ # _original_stdout is meant to hold stdout at the time regrtest began.
+ # This may be "the real" stdout, or IDLE's emulation of stdout, or whatever.
+@@ -323,6 +324,7 @@ def run_with_locale(catstr, *locales):
+ _1M = 1024*1024
+ _1G = 1024 * _1M
+ _2G = 2 * _1G
++_4G = 4 * _1G
+
+ # Hack to get at the maximum value an internal index can take.
+ class _Dummy:
+@@ -333,6 +335,7 @@ MAX_Py_ssize_t = _Dummy()[:]
+ def set_memlimit(limit):
+ import re
+ global max_memuse
++ global real_max_memuse
+ sizes = {
+ 'k': 1024,
+ 'm': _1M,
+@@ -344,6 +347,7 @@ def set_memlimit(limit):
+ if m is None:
+ raise ValueError('Invalid memory limit %r' % (limit,))
+ memlimit = int(float(m.group(1)) * sizes[m.group(3).lower()])
++ real_max_memuse = memlimit
+ if memlimit > MAX_Py_ssize_t:
+ memlimit = MAX_Py_ssize_t
+ if memlimit < _2G - 1:
+@@ -389,6 +393,27 @@ def bigmemtest(minsize, memuse, overhead
+ return wrapper
+ return decorator
+
++def precisionbigmemtest(size, memuse, overhead=5*_1M):
++ def decorator(f):
++ def wrapper(self):
++ if not real_max_memuse:
++ maxsize = 5147
++ else:
++ maxsize = size
++
++ if real_max_memuse and real_max_memuse < maxsize * memuse:
++ if verbose:
++ sys.stderr.write("Skipping %s because of memory "
++ "constraint\n" % (f.__name__,))
++ return
++
++ return f(self, maxsize)
++ wrapper.size = size
++ wrapper.memuse = memuse
++ wrapper.overhead = overhead
++ return wrapper
++ return decorator
++
+ def bigaddrspacetest(f):
+ """Decorator for tests that fill the address space."""
+ def wrapper(self):
+Index: Python-2.5.2/Modules/mmapmodule.c
+===================================================================
+--- Python-2.5.2.orig/Modules/mmapmodule.c
++++ Python-2.5.2/Modules/mmapmodule.c
+@@ -223,7 +223,7 @@ mmap_read_method(mmap_object *self,
+ return(NULL);
+
+ /* silently 'adjust' out-of-range requests */
+- if ((self->pos + num_bytes) > self->size) {
++ if (num_bytes > self->size - self->pos) {
+ num_bytes -= (self->pos+num_bytes) - self->size;
+ }
+ result = Py_BuildValue("s#", self->data+self->pos, num_bytes);
+Index: Python-2.5.2/Modules/stropmodule.c
+===================================================================
+--- Python-2.5.2.orig/Modules/stropmodule.c
++++ Python-2.5.2/Modules/stropmodule.c
+@@ -216,6 +216,13 @@ strop_joinfields(PyObject *self, PyObjec
+ return NULL;
+ }
+ slen = PyString_GET_SIZE(item);
++ if (slen > PY_SSIZE_T_MAX - reslen ||
++ seplen > PY_SSIZE_T_MAX - reslen - seplen) {
++ PyErr_SetString(PyExc_OverflowError,
++ "input too long");
++ Py_DECREF(res);
++ return NULL;
++ }
+ while (reslen + slen + seplen >= sz) {
+ if (_PyString_Resize(&res, sz * 2) < 0)
+ return NULL;
+@@ -253,6 +260,14 @@ strop_joinfields(PyObject *self, PyObjec
+ return NULL;
+ }
+ slen = PyString_GET_SIZE(item);
++ if (slen > PY_SSIZE_T_MAX - reslen ||
++ seplen > PY_SSIZE_T_MAX - reslen - seplen) {
++ PyErr_SetString(PyExc_OverflowError,
++ "input too long");
++ Py_DECREF(res);
++ Py_XDECREF(item);
++ return NULL;
++ }
+ while (reslen + slen + seplen >= sz) {
+ if (_PyString_Resize(&res, sz * 2) < 0) {
+ Py_DECREF(item);
+Index: Python-2.5.2/Modules/gcmodule.c
+===================================================================
+--- Python-2.5.2.orig/Modules/gcmodule.c
++++ Python-2.5.2/Modules/gcmodule.c
+@@ -1318,7 +1318,10 @@ PyObject *
+ _PyObject_GC_Malloc(size_t basicsize)
+ {
+ PyObject *op;
+- PyGC_Head *g = (PyGC_Head *)PyObject_MALLOC(
++ PyGC_Head *g;
++ if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head))
++ return PyErr_NoMemory();
++ g = (PyGC_Head *)PyObject_MALLOC(
+ sizeof(PyGC_Head) + basicsize);
+ if (g == NULL)
+ return PyErr_NoMemory();
+@@ -1361,6 +1364,8 @@ _PyObject_GC_Resize(PyVarObject *op, Py_
+ {
+ const size_t basicsize = _PyObject_VAR_SIZE(op->ob_type, nitems);
+ PyGC_Head *g = AS_GC(op);
++ if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head))
++ return (PyVarObject *)PyErr_NoMemory();
+ g = (PyGC_Head *)PyObject_REALLOC(g, sizeof(PyGC_Head) + basicsize);
+ if (g == NULL)
+ return (PyVarObject *)PyErr_NoMemory();
diff --git a/source/devel/python/CVE-2008-2316.patch
b/source/devel/python/CVE-2008-2316.patch
new file mode 100644
index 0000000..30b7364
--- /dev/null
+++ b/source/devel/python/CVE-2008-2316.patch
@@ -0,0 +1,153 @@
+Index: Python-2.5.2/Lib/test/test_hashlib.py
+===================================================================
+--- Python-2.5.2.orig/Lib/test/test_hashlib.py
++++ Python-2.5.2/Lib/test/test_hashlib.py
+@@ -9,7 +9,7 @@
+ import hashlib
+ import unittest
+ from test import test_support
+-
++from test.test_support import _4G, precisionbigmemtest
+
+ def hexstr(s):
+ import string
+@@ -55,7 +55,6 @@ class HashLibTestCase(unittest.TestCase)
+ m2.update(aas + bees + cees)
+ self.assertEqual(m1.digest(), m2.digest())
+
+-
+ def check(self, name, data, digest):
+ # test the direct constructors
+ computed = getattr(hashlib, name)(data).hexdigest()
+@@ -74,7 +73,22 @@ class HashLibTestCase(unittest.TestCase)
+ def test_case_md5_2(self):
+ self.check('md5',
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789',
+ 'd174ab98d277d9f5a5611c2c9f419d9f')
+-
++
++ @precisionbigmemtest(size=_4G + 5, memuse=1)
++ def test_case_md5_huge(self, size):
++ if size == _4G + 5:
++ try:
++ self.check('md5', 'A'*size,
'c9af2dff37468ce5dfee8f2cfc0a9c6d')
++ except OverflowError:
++ pass # 32-bit arch
++
++ @precisionbigmemtest(size=_4G - 1, memuse=1)
++ def test_case_md5_uintmax(self, size):
++ if size == _4G - 1:
++ try:
++ self.check('md5', 'A'*size,
'28138d306ff1b8281f1a9067e1a1a2b3')
++ except OverflowError:
++ pass # 32-bit arch
+
+ # use the three examples from Federal Information Processing Standards
+ # Publication 180-1, Secure Hash Standard, 1995 April 17
+Index: Python-2.5.2/Modules/_hashopenssl.c
+===================================================================
+--- Python-2.5.2.orig/Modules/_hashopenssl.c
++++ Python-2.5.2/Modules/_hashopenssl.c
+@@ -19,6 +19,8 @@
+ /* EVP is the preferred interface to hashing in OpenSSL */
+ #include <openssl/evp.h>
+
++#define MUNCH_SIZE INT_MAX
++
+
+ #ifndef HASH_OBJ_CONSTRUCTOR
+ #define HASH_OBJ_CONSTRUCTOR 0
+@@ -164,9 +166,18 @@ EVP_update(EVPobject *self, PyObject *ar
+ if (!PyArg_ParseTuple(args, "s#:update", &cp, &len))
+ return NULL;
+
++ if (len > 0 && len <= MUNCH_SIZE) {
+ EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t,
+ unsigned int));
+-
++ } else {
++ Py_ssize_t offset = 0;
++ while (len) {
++ unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len;
++ EVP_DigestUpdate(&self->ctx, cp + offset, process);
++ len -= process;
++ offset += process;
++ }
++ }
+ Py_INCREF(Py_None);
+ return Py_None;
+ }
+@@ -255,10 +266,21 @@ EVP_tp_init(EVPobject *self, PyObject *a
+ self->name = name_obj;
+ Py_INCREF(self->name);
+
+- if (cp && len)
++ if (cp && len) {
++ if (len > 0 && len <= MUNCH_SIZE) {
+ EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t,
+ unsigned int));
+-
++ } else {
++ Py_ssize_t offset = 0;
++ while (len) {
++ unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len;
++ EVP_DigestUpdate(&self->ctx, cp + offset, process);
++ len -= process;
++ offset += process;
++ }
++ }
++ }
++
+ return 0;
+ }
+ #endif
+@@ -328,7 +350,7 @@ static PyTypeObject EVPtype = {
+ static PyObject *
+ EVPnew(PyObject *name_obj,
+ const EVP_MD *digest, const EVP_MD_CTX *initial_ctx,
+- const unsigned char *cp, unsigned int len)
++ const unsigned char *cp, Py_ssize_t len)
+ {
+ EVPobject *self;
+
+@@ -346,8 +368,20 @@ EVPnew(PyObject *name_obj,
+ EVP_DigestInit(&self->ctx, digest);
+ }
+
+- if (cp && len)
+- EVP_DigestUpdate(&self->ctx, cp, len);
++ if (cp && len) {
++ if (len > 0 && len <= MUNCH_SIZE) {
++ EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t,
++ unsigned int));
++ } else {
++ Py_ssize_t offset = 0;
++ while (len) {
++ unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len;
++ EVP_DigestUpdate(&self->ctx, cp + offset, process);
++ len -= process;
++ offset += process;
++ }
++ }
++ }
+
+ return (PyObject *)self;
+ }
+@@ -384,8 +418,7 @@ EVP_new(PyObject *self, PyObject *args,
+
+ digest = EVP_get_digestbyname(name);
+
+- return EVPnew(name_obj, digest, NULL, cp, Py_SAFE_DOWNCAST(len,
Py_ssize_t,
+- unsigned int));
++ return EVPnew(name_obj, digest, NULL, cp, len);
+ }
+
+ /*
+@@ -410,7 +443,7 @@ EVP_new(PyObject *self, PyObject *args,
+ CONST_ ## NAME ## _name_obj, \
+ NULL, \
+ CONST_new_ ## NAME ## _ctx_p, \
+- cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, unsigned int)); \
++ cp, len); \
+ }
+
+ /* a PyMethodDef structure for the constructor */
diff --git a/source/devel/python/CVE-2008-3142.patch
b/source/devel/python/CVE-2008-3142.patch
new file mode 100644
index 0000000..531bef4
--- /dev/null
+++ b/source/devel/python/CVE-2008-3142.patch
@@ -0,0 +1,194 @@
+r65261 | neal.norwitz | 2008-07-28 07:06:20 +0200 (Mon, 28 Jul 2008) | 10 lines
+
+Backport code from r65182:
+
+Issue #2620: Overflow checking when allocating or reallocating memory
+was not always being done properly in some python types and extension
+modules. PyMem_MALLOC, PyMem_REALLOC, PyMem_NEW and PyMem_RESIZE have
+all been updated to perform better checks and places in the code that
+would previously leak memory on the error path when such an allocation
+failed have been fixed.
+
+Index: Python-2.5.2/Include/pymem.h
+===================================================================
+--- Python-2.5.2.orig/Include/pymem.h
++++ Python-2.5.2/Include/pymem.h
+@@ -67,8 +67,12 @@ PyAPI_FUNC(void) PyMem_Free(void *);
+ for malloc(0), which would be treated as an error. Some platforms
+ would return a pointer with no memory behind it, which would break
+ pymalloc. To solve these problems, allocate an extra byte. */
+-#define PyMem_MALLOC(n) malloc((n) ? (n) : 1)
+-#define PyMem_REALLOC(p, n) realloc((p), (n) ? (n) : 1)
++/* Returns NULL to indicate error if a negative size or size larger than
++ Py_ssize_t can represent is supplied. Helps prevents security holes. */
++#define PyMem_MALLOC(n) (((n) < 0 || (n) > PY_SSIZE_T_MAX) ?
NULL \
++ : malloc((n) ? (n) : 1))
++#define PyMem_REALLOC(p, n) (((n) < 0 || (n) > PY_SSIZE_T_MAX) ? NULL \
++ : realloc((p), (n) ? (n) : 1))
+ #define PyMem_FREE free
+
+ #endif /* PYMALLOC_DEBUG */
+@@ -77,24 +81,31 @@ PyAPI_FUNC(void) PyMem_Free(void *);
+ * Type-oriented memory interface
+ * ==============================
+ *
+- * These are carried along for historical reasons. There's rarely a good
+- * reason to use them anymore (you can just as easily do the multiply and
+- * cast yourself).
++ * Allocate memory for n objects of the given type. Returns a new pointer
++ * or NULL if the request was too large or memory allocation failed. Use
++ * these macros rather than doing the multiplication yourself so that proper
++ * overflow checking is always done.
+ */
+
+ #define PyMem_New(type, n) \
+- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
++ ( ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \
+ ( (type *) PyMem_Malloc((n) * sizeof(type)) ) )
+ #define PyMem_NEW(type, n) \
+- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
++ ( ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \
+ ( (type *) PyMem_MALLOC((n) * sizeof(type)) ) )
+
++/*
++ * The value of (p) is always clobbered by this macro regardless of success.
++ * The caller MUST check if (p) is NULL afterwards and deal with the memory
++ * error if so. This means the original value of (p) MUST be saved for the
++ * caller's memory error handler to not lose track of it.
++ */
+ #define PyMem_Resize(p, type, n) \
+- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
+- ( (p) = (type *) PyMem_Realloc((p), (n) * sizeof(type)) ) )
++ ( (p) = ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \
++ (type *) PyMem_Realloc((p), (n) * sizeof(type)) )
+ #define PyMem_RESIZE(p, type, n) \
+- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
+- ( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) )
++ ( (p) = ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \
++ (type *) PyMem_REALLOC((p), (n) * sizeof(type)) )
+
+ /* PyMem{Del,DEL} are left over from ancient days, and shouldn't be used
+ * anymore. They're just confusing aliases for PyMem_{Free,FREE} now.
+Index: Python-2.5.2/Objects/obmalloc.c
+===================================================================
+--- Python-2.5.2.orig/Objects/obmalloc.c
++++ Python-2.5.2/Objects/obmalloc.c
+@@ -727,6 +727,15 @@ PyObject_Malloc(size_t nbytes)
+ uint size;
+
+ /*
++ * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes.
++ * Most python internals blindly use a signed Py_ssize_t to track
++ * things without checking for overflows or negatives.
++ * As size_t is unsigned, checking for nbytes < 0 is not required.
++ */
++ if (nbytes > PY_SSIZE_T_MAX)
++ return NULL;
++
++ /*
+ * This implicitly redirects malloc(0).
+ */
+ if ((nbytes - 1) < SMALL_REQUEST_THRESHOLD) {
+@@ -1130,6 +1139,15 @@ PyObject_Realloc(void *p, size_t nbytes)
+ if (p == NULL)
+ return PyObject_Malloc(nbytes);
+
++ /*
++ * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes.
++ * Most python internals blindly use a signed Py_ssize_t to track
++ * things without checking for overflows or negatives.
++ * As size_t is unsigned, checking for nbytes < 0 is not required.
++ */
++ if (nbytes > PY_SSIZE_T_MAX)
++ return NULL;
++
+ pool = POOL_ADDR(p);
+ if (Py_ADDRESS_IN_RANGE(p, pool)) {
+ /* We're in charge of this block */
+Index: Python-2.5.2/Misc/NEWS
+===================================================================
+--- Python-2.5.2.orig/Misc/NEWS
++++ Python-2.5.2/Misc/NEWS
+@@ -32,6 +32,13 @@ What's New in Python 2.5.2c1?
+ Core and builtins
+ -----------------
+
++- Issue #2620: Overflow checking when allocating or reallocating memory
++ was not always being done properly in some python types and extension
++ modules. PyMem_MALLOC, PyMem_REALLOC, PyMem_NEW and PyMem_RESIZE have
++ all been updated to perform better checks and places in the code that
++ would previously leak memory on the error path when such an allocation
++ failed have been fixed.
++
+ - Added checks for integer overflows, contributed by Google. Some are
+ only available if asserts are left in the code, in cases where they
+ can't be triggered from Python code.
+Index: Python-2.5.2/Modules/almodule.c
+===================================================================
+--- Python-2.5.2.orig/Modules/almodule.c
++++ Python-2.5.2/Modules/almodule.c
+@@ -1633,9 +1633,11 @@ al_QueryValues(PyObject *self, PyObject
+ if (nvals < 0)
+ goto cleanup;
+ if (nvals > setsize) {
++ ALvalue *old_return_set = return_set;
+ setsize = nvals;
+ PyMem_RESIZE(return_set, ALvalue, setsize);
+ if (return_set == NULL) {
++ return_set = old_return_set;
+ PyErr_NoMemory();
+ goto cleanup;
+ }
+Index: Python-2.5.2/Modules/arraymodule.c
+===================================================================
+--- Python-2.5.2.orig/Modules/arraymodule.c
++++ Python-2.5.2/Modules/arraymodule.c
+@@ -816,6 +816,7 @@ static int
+ array_do_extend(arrayobject *self, PyObject *bb)
+ {
+ Py_ssize_t size;
++ char *old_item;
+
+ if (!array_Check(bb))
+ return array_iter_extend(self, bb);
+@@ -831,10 +832,11 @@ array_do_extend(arrayobject *self, PyObj
+ return -1;
+ }
+ size = self->ob_size + b->ob_size;
++ old_item = self->ob_item;
+ PyMem_RESIZE(self->ob_item, char, size*self->ob_descr->itemsize);
+ if (self->ob_item == NULL) {
+- PyObject_Del(self);
+- PyErr_NoMemory();
++ self->ob_item = old_item;
++ PyErr_NoMemory();
+ return -1;
+ }
+ memcpy(self->ob_item + self->ob_size*self->ob_descr->itemsize,
+@@ -886,7 +888,7 @@ array_inplace_repeat(arrayobject *self,
+ if (size > PY_SSIZE_T_MAX / n) {
+ return PyErr_NoMemory();
+ }
+- PyMem_Resize(items, char, n * size);
++ PyMem_RESIZE(items, char, n * size);
+ if (items == NULL)
+ return PyErr_NoMemory();
+ p = items;
+Index: Python-2.5.2/Modules/selectmodule.c
+===================================================================
+--- Python-2.5.2.orig/Modules/selectmodule.c
++++ Python-2.5.2/Modules/selectmodule.c
+@@ -349,10 +349,12 @@ update_ufd_array(pollObject *self)
+ {
+ Py_ssize_t i, pos;
+ PyObject *key, *value;
++ struct pollfd *old_ufds = self->ufds;
+
+ self->ufd_len = PyDict_Size(self->dict);
+- PyMem_Resize(self->ufds, struct pollfd, self->ufd_len);
++ PyMem_RESIZE(self->ufds, struct pollfd, self->ufd_len);
+ if (self->ufds == NULL) {
++ self->ufds = old_ufds;
+ PyErr_NoMemory();
+ return 0;
+ }
diff --git a/source/devel/python/CVE-2008-3144.patch
b/source/devel/python/CVE-2008-3144.patch
new file mode 100644
index 0000000..fc30585
--- /dev/null
+++ b/source/devel/python/CVE-2008-3144.patch
@@ -0,0 +1,78 @@
+r63883 | gregory.p.smith | 2008-06-02 02:07:25 +0200 (Mon, 02 Jun 2008) | 5
lines
+
+- Issue #2588, #2589: Fix potential integer underflow and overflow
+ conditions in the PyOS_vsnprintf C API function.
+
+This is a backport of r63728 and r63734 from trunk.
+
+Index: Python-2.5.2/Python/mysnprintf.c
+===================================================================
+--- Python-2.5.2.orig/Python/mysnprintf.c
++++ Python-2.5.2/Python/mysnprintf.c
+@@ -54,18 +54,28 @@ int
+ PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va)
+ {
+ int len; /* # bytes written, excluding \0 */
+-#ifndef HAVE_SNPRINTF
++#ifdef HAVE_SNPRINTF
++#define _PyOS_vsnprintf_EXTRA_SPACE 1
++#else
++#define _PyOS_vsnprintf_EXTRA_SPACE 512
+ char *buffer;
+ #endif
+ assert(str != NULL);
+ assert(size > 0);
+ assert(format != NULL);
++ /* We take a size_t as input but return an int. Sanity check
++ * our input so that it won't cause an overflow in the
++ * vsnprintf return value or the buffer malloc size. */
++ if (size > INT_MAX - _PyOS_vsnprintf_EXTRA_SPACE) {
++ len = -666;
++ goto Done;
++ }
+
+ #ifdef HAVE_SNPRINTF
+ len = vsnprintf(str, size, format, va);
+ #else
+ /* Emulate it. */
+- buffer = PyMem_MALLOC(size + 512);
++ buffer = PyMem_MALLOC(size + _PyOS_vsnprintf_EXTRA_SPACE);
+ if (buffer == NULL) {
+ len = -666;
+ goto Done;
+@@ -75,7 +85,7 @@ PyOS_vsnprintf(char *str, size_t size, c
+ if (len < 0)
+ /* ignore the error */;
+
+- else if ((size_t)len >= size + 512)
++ else if ((size_t)len >= size + _PyOS_vsnprintf_EXTRA_SPACE)
+ Py_FatalError("Buffer overflow in
PyOS_snprintf/PyOS_vsnprintf");
+
+ else {
+@@ -86,8 +96,10 @@ PyOS_vsnprintf(char *str, size_t size, c
+ str[to_copy] = '\0';
+ }
+ PyMem_FREE(buffer);
+-Done:
+ #endif
+- str[size-1] = '\0';
++Done:
++ if (size > 0)
++ str[size-1] = '\0';
+ return len;
++#undef _PyOS_vsnprintf_EXTRA_SPACE
+ }
+Index: Python-2.5.2/Misc/NEWS
+===================================================================
+--- Python-2.5.2.orig/Misc/NEWS
++++ Python-2.5.2/Misc/NEWS
+@@ -109,6 +109,9 @@ Core and builtins
+ threading.enumerate() list after the join() for a brief period until
+ it actually exited.
+
++- Issue #2588, #2589: Fix potential integer underflow and overflow
++ conditions in the PyOS_vsnprintf C API function.
++
+
+ Library
+ -------
diff --git a/source/devel/python/FrugalBuild b/source/devel/python/FrugalBuild
index 3748b53..dbef8be 100644
--- a/source/devel/python/FrugalBuild
+++ b/source/devel/python/FrugalBuild
@@ -4,7 +4,7 @@
pkgname=python
pkgver=2.5.2
shortpkgver=2.5 # 2.3 if $pkgver=2.3.4
-pkgrel=2kalgan1
+pkgrel=2kalgan2
pkgdesc="A high-level scripting language"
url="http://www.python.org";
depends=('glibc' 'db>=4.6.18' 'bzip2' 'gdbm' 'openssl' 'glib2')
@@ -17,8 +17,12 @@
source=(http://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.bz2 \
Python-2.4.1-gdbm-1.patch \
insecure_pathnames.diff \
http://bugs.python.org/file8452/python-2.5.CVE-2007-4965-int-overflow.patch \
- http://bugs.python.org/file9975/python-2.5-int-overflow-2.patch)
-signatures=($source.asc '' '' '' '')
+ http://bugs.python.org/file9975/python-2.5-int-overflow-2.patch \
+ CVE-2008-3144.patch \
+ CVE-2008-3142.patch \
+ CVE-2008-2316.patch \
+ CVE-2008-2315.patch)
+signatures=($source.asc '' '' '' '' '' '' '' '')
subpkgs=("$pkgname-tools")
subdescs=("Optional development tools to extending Python")
_______________________________________________
Frugalware-git mailing list
Frugalware-git@frugalware.org
http://frugalware.org/mailman/listinfo/frugalware-git
