diff options
author | Andras Timar <andras.timar@collabora.com> | 2018-07-02 23:11:36 +0200 |
---|---|---|
committer | Andras Timar <andras.timar@collabora.com> | 2018-07-02 23:11:36 +0200 |
commit | bb9c949c31d8a17a34baeaebb7bbac81f9056d61 (patch) | |
tree | 34146de60a1aea0fce55c763955231b038372030 /external | |
parent | 695489e29958ac66e6941afdedfdf9dd7e2cdde7 (diff) |
Fix Python CVE-2017-1000158
Change-Id: Id686120f85d44c8a0d65ae8683bcb7ed6e42854b
Diffstat (limited to 'external')
-rw-r--r-- | external/python3/UnpackedTarball_python3.mk | 1 | ||||
-rw-r--r-- | external/python3/python-3.5.5-CVE-2017-1000158.patch.1 | 62 |
2 files changed, 63 insertions, 0 deletions
diff --git a/external/python3/UnpackedTarball_python3.mk b/external/python3/UnpackedTarball_python3.mk index 35d6e643a1b0..9ed7a1ccce38 100644 --- a/external/python3/UnpackedTarball_python3.mk +++ b/external/python3/UnpackedTarball_python3.mk @@ -26,6 +26,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,python3,\ external/python3/python-3.3.5-pyexpat-symbols.patch.1 \ external/python3/ubsan.patch.0 \ external/python3/python-3.5.tweak.strip.soabi.patch \ + external/python3/python-3.5.5-CVE-2017-1000158.patch.1 \ )) ifneq ($(filter DRAGONFLY FREEBSD LINUX NETBSD OPENBSD SOLARIS,$(OS)),) diff --git a/external/python3/python-3.5.5-CVE-2017-1000158.patch.1 b/external/python3/python-3.5.5-CVE-2017-1000158.patch.1 new file mode 100644 index 000000000000..9bd472fd713d --- /dev/null +++ b/external/python3/python-3.5.5-CVE-2017-1000158.patch.1 @@ -0,0 +1,62 @@ +From fd8614c5c5466a14a945db5b059c10c0fb8f76d9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz> +Date: Fri, 8 Dec 2017 22:34:12 +0100 +Subject: [PATCH] bpo-30657: Fix CVE-2017-1000158 (#4664) + +Fixes possible integer overflow in PyBytes_DecodeEscape. + +Co-Authored-By: Jay Bosamiya <jaybosamiya@gmail.com> +--- + Misc/ACKS | 2 ++ + .../NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst | 2 ++ + Objects/bytesobject.c | 8 +++++++- + 3 files changed, 11 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst + +diff --git a/Misc/ACKS b/Misc/ACKS +index fbf110d801b5..1a35aad66ce7 100644 +--- a/Misc/ACKS ++++ b/Misc/ACKS +@@ -167,6 +167,7 @@ Médéric Boquien + Matias Bordese + Jonas Borgström + Jurjen Bos ++Jay Bosamiya + Peter Bosch + Dan Boswell + Eric Bouck +@@ -651,6 +652,7 @@ Ken Howard + Brad Howes + Mike Hoy + Ben Hoyt ++Miro Hrončok + Chiu-Hsiang Hsu + Chih-Hao Huang + Christian Hudon +diff --git a/Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst b/Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst +new file mode 100644 +index 000000000000..75359b6d8833 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2017-12-01-18-51-03.bpo-30657.Fd8kId.rst +@@ -0,0 +1,2 @@ ++Fixed possible integer overflow in PyBytes_DecodeEscape, CVE-2017-1000158. ++Original patch by Jay Bosamiya; rebased to Python 3 by Miro Hrončok. +diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c +index 77dd45e84af8..9b29dc38b44f 100644 +--- a/Objects/bytesobject.c ++++ b/Objects/bytesobject.c +@@ -970,7 +970,13 @@ PyObject *PyBytes_DecodeEscape(const char *s, + char *p, *buf; + const char *end; + PyObject *v; +- Py_ssize_t newlen = recode_encoding ? 4*len:len; ++ Py_ssize_t newlen; ++ /* Check for integer overflow */ ++ if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) { ++ PyErr_SetString(PyExc_OverflowError, "string is too large"); ++ return NULL; ++ } ++ newlen = recode_encoding ? 4*len:len; + v = PyBytes_FromStringAndSize((char *)NULL, newlen); + if (v == NULL) + return NULL; |