authorSona Sarmadi <sona.sarmadi@enea.com>2015-04-22 14:57:28 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-04-27 15:20:32 +0100
commit2590eb53a6dac90cba52edd09ea56a6bdf4c4533 (patch)
tree24d75564a6a1551596a763c91a3154010b3dbce9
parenta2966949e68bbdce8d0a0fd5946d078b84ae63e9 (diff)
python: CVE-2014-7185
Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function. PoC: Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/python/python/python-2.7.3-CVE-2014-7185.patch75
-rw-r--r--meta/recipes-devtools/python/python_2.7.3.bb1
2 files changed, 76 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/python-2.7.3-CVE-2014-7185.patch b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2014-7185.patch
new file mode 100644
index 0000000..60ef145
--- /dev/null
+++ b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2014-7185.patch
@@ -0,0 +1,75 @@
+From 104eb318283dde5203aa6cf7384287bef181e308 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Wed, 12 Nov 2014 01:58:02 -0500
+Subject: [PATCH] python: fix CVE-2014-7185
+
+Reference: http://bugs.python.org/issue21831
+
+CVE-2014-7185: Integer overflow in bufferobject.c in Python before
+2.7.8 allows context-dependent attackers to obtain sensitive
+information from process memory via a large size and offset in a
+"buffer" function.
+
+Upstream-Status: Backport
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+---
+ Lib/test/test_buffer.py | 6 ++++++
+ Misc/NEWS | 3 +++
+ Objects/bufferobject.c | 2 +-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/Lib/test/test_buffer.py b/Lib/test/test_buffer.py
+index 6bdc34d..3ac1f8c 100644
+--- a/Lib/test/test_buffer.py
++++ b/Lib/test/test_buffer.py
+@@ -4,6 +4,7 @@ For now, tests just new or changed functionality.
+
+ """
+
++import sys
+ import unittest
+ from test import test_support
+
+@@ -21,6 +22,11 @@ class BufferTests(unittest.TestCase):
+ self.assertEqual(b[start:stop:step],
+ s[start:stop:step])
+
++ def test_large_buffer_size_and_offset(self):
++ data = bytearray('hola mundo')
++ buf = buffer(data, sys.maxsize, sys.maxsize)
++ self.assertEqual(buf[:4096], "")
++
+
+ def test_main():
+ with test_support.check_py3k_warnings(("buffer.. not supported",
+diff --git a/Misc/NEWS b/Misc/NEWS
+index e8778ad..77396c5 100644
+--- a/Misc/NEWS
++++ b/Misc/NEWS
+@@ -1896,6 +1896,9 @@ What's New in Python 2.7 Release Candidate 1?
+ Core and Builtins
+ -----------------
+
++- Issue #21831: Avoid integer overflow when large sizes and offsets are given to
++ the buffer type. CVE-2014-7185.
++
+ - Issue #8271: during the decoding of an invalid UTF-8 byte sequence, only the
+ start byte and the continuation byte(s) are now considered invalid, instead
+ of the number of bytes specified by the start byte.
+diff --git a/Objects/bufferobject.c b/Objects/bufferobject.c
+index c52f0bc..c542506 100644
+--- a/Objects/bufferobject.c
++++ b/Objects/bufferobject.c
+@@ -88,7 +88,7 @@ get_buf(PyBufferObject *self, void **ptr, Py_ssize_t *size,
+ *size = count;
+ else
+ *size = self->b_size;
+- if (offset + *size > count)
++ if (*size > count - offset)
+ *size = count - offset;
+ }
+ return 1;
+--
+1.7.9.5
+
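Review bot: The rewritten bound in the Objects/bufferobject.c part of this backport, `if (*size > count - offset)`, is only free of overflow if `offset` has already been limited to the range 0..count, and that clamp is not visible in the hunk (get_buf starts and ends outside it). Presumably the lines just above it in get_buf do this; if so, a comment on the new line such as `/* offset was clamped to <= count above, so count - offset cannot overflow or go negative */` would stop a later edit from restoring the `offset + *size` form. The added test only exercises the case where both size and offset are `sys.maxsize`, so a second assertion with a small in-range offset and a `sys.maxsize` size would also pin the clamped-size path.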
diff --git a/meta/recipes-devtools/python/python_2.7.3.bb b/meta/recipes-devtools/python/python_2.7.3.bb
index 4d2594a..ccae3fa 100644
--- a/meta/recipes-devtools/python/python_2.7.3.bb
+++ b/meta/recipes-devtools/python/python_2.7.3.bb
@@ -37,6 +37,7 @@ SRC_URI += "\
file://python-fix-build-error-with-Readline-6.3.patch \
file://python-2.7.3-CVE-2014-1912.patch \
file://python2.7.3-nossl3.patch \
+ file://python-2.7.3-CVE-2014-7185.patch \
"
S = "${WORKDIR}/Python-${PV}"