Tue Aug 5 10:45:46 2008 UTC ()
also apply upstream svn rev.65262, fixes overflow checks in memory
allocation (CVE-2008-3142), ride on PKGREVISION bump some minutes ago
(drochner)
diff -r1.29 -r1.30 pkgsrc/lang/python24/distinfo
diff -r0 -r1.1 pkgsrc/lang/python24/patches/patch-bh
diff -r0 -r1.1 pkgsrc/lang/python24/patches/patch-bi
diff -r0 -r1.1 pkgsrc/lang/python24/patches/patch-bj
diff -r0 -r1.1 pkgsrc/lang/python24/patches/patch-bk
diff -r0 -r1.1 pkgsrc/lang/python24/patches/patch-bl
--- pkgsrc/lang/python24/Attic/distinfo 2008/08/05 10:13:34 1.29
+++ pkgsrc/lang/python24/Attic/distinfo 2008/08/05 10:45:45 1.30
| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | $NetBSD: distinfo,v 1.29 2008/08/05 10:13:34 drochner Exp $ | | 1 | $NetBSD: distinfo,v 1.30 2008/08/05 10:45:45 drochner Exp $ |
2 | | | 2 | |
3 | SHA1 (Python-2.4.5.tar.bz2) = 6e9e1ac2b70cc10c36063a25ab5a5ddb53177107 | | 3 | SHA1 (Python-2.4.5.tar.bz2) = 6e9e1ac2b70cc10c36063a25ab5a5ddb53177107 |
4 | RMD160 (Python-2.4.5.tar.bz2) = b43f2114697be751f03ec7cfb46f8c4946a73097 | | 4 | RMD160 (Python-2.4.5.tar.bz2) = b43f2114697be751f03ec7cfb46f8c4946a73097 |
5 | Size (Python-2.4.5.tar.bz2) = 8159705 bytes | | 5 | Size (Python-2.4.5.tar.bz2) = 8159705 bytes |
6 | SHA1 (patch-aa) = 310309e6778fd809b7758efa8db7333ed498e5e5 | | 6 | SHA1 (patch-aa) = 310309e6778fd809b7758efa8db7333ed498e5e5 |
7 | SHA1 (patch-ab) = 98b94620baf5d9d5e8681529297124c2d07a901b | | 7 | SHA1 (patch-ab) = 98b94620baf5d9d5e8681529297124c2d07a901b |
8 | SHA1 (patch-ac) = 4a7a83c9a7bb26254d17907fe15f895276910364 | | 8 | SHA1 (patch-ac) = 4a7a83c9a7bb26254d17907fe15f895276910364 |
9 | SHA1 (patch-ad) = 44a13d3f9814d471f266ab641024ad74be046ec1 | | 9 | SHA1 (patch-ad) = 44a13d3f9814d471f266ab641024ad74be046ec1 |
10 | SHA1 (patch-ae) = 7e00d719044fa0f205692392d9ebe87146715206 | | 10 | SHA1 (patch-ae) = 7e00d719044fa0f205692392d9ebe87146715206 |
11 | SHA1 (patch-af) = f468e8c172fc5aaae1bf843898a30c00ec753537 | | 11 | SHA1 (patch-af) = f468e8c172fc5aaae1bf843898a30c00ec753537 |
12 | SHA1 (patch-ag) = 0cdc08af9d37ae7d00a06ab81c30efa021ef28ac | | 12 | SHA1 (patch-ag) = 0cdc08af9d37ae7d00a06ab81c30efa021ef28ac |
13 | SHA1 (patch-ah) = 154b40eec926a6dcc968c635467807766d1cfaa3 | | 13 | SHA1 (patch-ah) = 154b40eec926a6dcc968c635467807766d1cfaa3 |
14 | SHA1 (patch-ai) = 6435c5a7269c14d94eab6fb9777b9d059507e7b8 | | 14 | SHA1 (patch-ai) = 6435c5a7269c14d94eab6fb9777b9d059507e7b8 |
| @@ -20,13 +20,18 @@ SHA1 (patch-an) = 0ae5b3d547c7dbe1366c5a | | | @@ -20,13 +20,18 @@ SHA1 (patch-an) = 0ae5b3d547c7dbe1366c5a |
20 | SHA1 (patch-ao) = 1ef48142acd8b591b11013b46048d9145f235843 | | 20 | SHA1 (patch-ao) = 1ef48142acd8b591b11013b46048d9145f235843 |
21 | SHA1 (patch-ap) = 8fbfecdb80ee851db569b64201ccd94bd3552a81 | | 21 | SHA1 (patch-ap) = 8fbfecdb80ee851db569b64201ccd94bd3552a81 |
22 | SHA1 (patch-aq) = 10f1964892763e0d1b2345bd053d7929dd4b317e | | 22 | SHA1 (patch-aq) = 10f1964892763e0d1b2345bd053d7929dd4b317e |
23 | SHA1 (patch-ar) = f132998e3e81f3093f9bddf32fe6dcb40fcfa76f | | 23 | SHA1 (patch-ar) = f132998e3e81f3093f9bddf32fe6dcb40fcfa76f |
24 | SHA1 (patch-at) = 9d66115cc561c99dcc3478678aa286c1c0c3df6b | | 24 | SHA1 (patch-at) = 9d66115cc561c99dcc3478678aa286c1c0c3df6b |
25 | SHA1 (patch-au) = d0a234efabe7d6a1f2b1dcbf26780fdc6b452214 | | 25 | SHA1 (patch-au) = d0a234efabe7d6a1f2b1dcbf26780fdc6b452214 |
26 | SHA1 (patch-ba) = c9b88da8efc334771eff578585e2e9e7e21a0634 | | 26 | SHA1 (patch-ba) = c9b88da8efc334771eff578585e2e9e7e21a0634 |
27 | SHA1 (patch-bb) = 89829819c5a38f3bbd8be1737568f87b9ffbd598 | | 27 | SHA1 (patch-bb) = 89829819c5a38f3bbd8be1737568f87b9ffbd598 |
28 | SHA1 (patch-bc) = e72dc346087f78760e623344e9eff147283c202c | | 28 | SHA1 (patch-bc) = e72dc346087f78760e623344e9eff147283c202c |
29 | SHA1 (patch-bd) = f760e4995888e22997d27598872fcf25cb89cbfe | | 29 | SHA1 (patch-bd) = f760e4995888e22997d27598872fcf25cb89cbfe |
30 | SHA1 (patch-be) = ce192dc8ec7b53b691288f1fecc8abbd9b61e9ea | | 30 | SHA1 (patch-be) = ce192dc8ec7b53b691288f1fecc8abbd9b61e9ea |
31 | SHA1 (patch-bf) = c0ae4152a0991d1c814462a5a8e925c9a9a6c254 | | 31 | SHA1 (patch-bf) = c0ae4152a0991d1c814462a5a8e925c9a9a6c254 |
32 | SHA1 (patch-bg) = 30a6d65a10bc0e6df5229635ad89a27e1093a347 | | 32 | SHA1 (patch-bg) = 30a6d65a10bc0e6df5229635ad89a27e1093a347 |
| | | 33 | SHA1 (patch-bh) = 4eee3ae6ff7ea9ca5c599dd782d78fb35a0562f4 |
| | | 34 | SHA1 (patch-bi) = 735906d3fb35bfe0d3b8d410b3a240e358215e05 |
| | | 35 | SHA1 (patch-bj) = ee23fac376746e48ee00e73b9ecc688086b7bc98 |
| | | 36 | SHA1 (patch-bk) = 4af3c66a3f6b773dc5fc14943a36b0906024e885 |
| | | 37 | SHA1 (patch-bl) = 9a192f5f4afd4296493599414a714bba6085d897 |
$NetBSD: patch-bh,v 1.1 2008/08/05 10:45:45 drochner Exp $
--- Include/pymem.h.orig 2008-03-02 20:20:32.000000000 +0100
+++ Include/pymem.h
@@ -66,8 +66,12 @@ PyAPI_FUNC(void) PyMem_Free(void *);
for malloc(0), which would be treated as an error. Some platforms
would return a pointer with no memory behind it, which would break
pymalloc. To solve these problems, allocate an extra byte. */
-#define PyMem_MALLOC(n) malloc((n) ? (n) : 1)
-#define PyMem_REALLOC(p, n) realloc((p), (n) ? (n) : 1)
+/* Returns NULL to indicate error if a negative size or size larger than
+ Py_ssize_t can represent is supplied. Helps prevents security holes. */
+#define PyMem_MALLOC(n) (((n) < 0 || (n) > INT_MAX) ? NULL \
+ : malloc((n) ? (n) : 1))
+#define PyMem_REALLOC(p, n) (((n) < 0 || (n) > INT_MAX) ? NULL \
+ : realloc((p), (n) ? (n) : 1))
#endif /* PYMALLOC_DEBUG */
@@ -80,24 +84,31 @@ PyAPI_FUNC(void) PyMem_Free(void *);
* Type-oriented memory interface
* ==============================
*
- * These are carried along for historical reasons. There's rarely a good
- * reason to use them anymore (you can just as easily do the multiply and
- * cast yourself).
+ * Allocate memory for n objects of the given type. Returns a new pointer
+ * or NULL if the request was too large or memory allocation failed. Use
+ * these macros rather than doing the multiplication yourself so that proper
+ * overflow checking is always done.
*/
#define PyMem_New(type, n) \
- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
+ ( ((n) > INT_MAX / sizeof(type)) ? NULL : \
( (type *) PyMem_Malloc((n) * sizeof(type)) ) )
#define PyMem_NEW(type, n) \
- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
+ ( ((n) > INT_MAX / sizeof(type)) ? NULL : \
( (type *) PyMem_MALLOC((n) * sizeof(type)) ) )
+/*
+ * The value of (p) is always clobbered by this macro regardless of success.
+ * The caller MUST check if (p) is NULL afterwards and deal with the memory
+ * error if so. This means the original value of (p) MUST be saved for the
+ * caller's memory error handler to not lose track of it.
+ */
#define PyMem_Resize(p, type, n) \
- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
- ( (p) = (type *) PyMem_Realloc((p), (n) * sizeof(type)) ) )
+ ( (p) = ((n) > INT_MAX / sizeof(type)) ? NULL : \
+ (type *) PyMem_Realloc((p), (n) * sizeof(type)) )
#define PyMem_RESIZE(p, type, n) \
- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
- ( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) )
+ ( (p) = ((n) > INT_MAX / sizeof(type)) ? NULL : \
+ (type *) PyMem_REALLOC((p), (n) * sizeof(type)) )
/* In order to avoid breaking old code mixing PyObject_{New, NEW} with
PyMem_{Del, DEL} and PyMem_{Free, FREE}, the PyMem "release memory"
$NetBSD: patch-bi,v 1.1 2008/08/05 10:45:45 drochner Exp $
--- Modules/almodule.c.orig 2006-09-27 21:17:32.000000000 +0200
+++ Modules/almodule.c
@@ -1633,9 +1633,11 @@ al_QueryValues(PyObject *self, PyObject
if (nvals < 0)
goto cleanup;
if (nvals > setsize) {
+ ALvalue *old_return_set = return_set;
setsize = nvals;
PyMem_RESIZE(return_set, ALvalue, setsize);
if (return_set == NULL) {
+ return_set = old_return_set;
PyErr_NoMemory();
goto cleanup;
}
$NetBSD: patch-bj,v 1.1 2008/08/05 10:45:45 drochner Exp $
--- Modules/arraymodule.c.orig 2008-03-02 20:20:32.000000000 +0100
+++ Modules/arraymodule.c
@@ -814,6 +814,7 @@ static int
array_do_extend(arrayobject *self, PyObject *bb)
{
int size;
+ char *old_item;
if (!array_Check(bb))
return array_iter_extend(self, bb);
@@ -829,10 +830,11 @@ array_do_extend(arrayobject *self, PyObj
return -1;
}
size = self->ob_size + b->ob_size;
+ old_item = self->ob_item;
PyMem_RESIZE(self->ob_item, char, size*self->ob_descr->itemsize);
if (self->ob_item == NULL) {
- PyObject_Del(self);
- PyErr_NoMemory();
+ self->ob_item = old_item;
+ PyErr_NoMemory();
return -1;
}
memcpy(self->ob_item + self->ob_size*self->ob_descr->itemsize,
@@ -884,7 +886,7 @@ array_inplace_repeat(arrayobject *self,
if (size > INT_MAX / n) {
return PyErr_NoMemory();
}
- PyMem_Resize(items, char, n * size);
+ PyMem_RESIZE(items, char, n * size);
if (items == NULL)
return PyErr_NoMemory();
p = items;
$NetBSD: patch-bk,v 1.1 2008/08/05 10:45:45 drochner Exp $
--- Modules/selectmodule.c.orig 2006-09-27 21:17:32.000000000 +0200
+++ Modules/selectmodule.c
@@ -342,10 +342,12 @@ update_ufd_array(pollObject *self)
{
int i, pos;
PyObject *key, *value;
+ struct pollfd *old_ufds = self->ufds;
self->ufd_len = PyDict_Size(self->dict);
- PyMem_Resize(self->ufds, struct pollfd, self->ufd_len);
+ PyMem_RESIZE(self->ufds, struct pollfd, self->ufd_len);
if (self->ufds == NULL) {
+ self->ufds = old_ufds;
PyErr_NoMemory();
return 0;
}
$NetBSD: patch-bl,v 1.1 2008/08/05 10:45:46 drochner Exp $
--- Objects/obmalloc.c.orig 2005-07-11 07:57:11.000000000 +0200
+++ Objects/obmalloc.c
@@ -585,6 +585,15 @@ PyObject_Malloc(size_t nbytes)
uint size;
/*
+ * Limit ourselves to INT_MAX bytes to prevent security holes.
+ * Most python internals blindly use a signed Py_ssize_t to track
+ * things without checking for overflows or negatives.
+ * As size_t is unsigned, checking for nbytes < 0 is not required.
+ */
+ if (nbytes > INT_MAX)
+ return NULL;
+
+ /*
* This implicitly redirects malloc(0).
*/
if ((nbytes - 1) < SMALL_REQUEST_THRESHOLD) {
@@ -814,6 +823,15 @@ PyObject_Realloc(void *p, size_t nbytes)
if (p == NULL)
return PyObject_Malloc(nbytes);
+ /*
+ * Limit ourselves to INT_MAX bytes to prevent security holes.
+ * Most python internals blindly use a signed Py_ssize_t to track
+ * things without checking for overflows or negatives.
+ * As size_t is unsigned, checking for nbytes < 0 is not required.
+ */
+ if (nbytes > INT_MAX)
+ return NULL;
+
pool = POOL_ADDR(p);
if (Py_ADDRESS_IN_RANGE(p, pool)) {
/* We're in charge of this block */