Sun Feb 9 09:02:50 2014 UTC ()
Add fix for security vulnerability reported in SA56624.
Patch taken from Python Mercurial repository.


(tron)
diff -r1.33 -r1.34 pkgsrc/lang/python27/Makefile
diff -r1.29 -r1.30 pkgsrc/lang/python27/distinfo
diff -r0 -r1.1 pkgsrc/lang/python27/patches/patch-Modules_socketmodule.c

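--- a/pkgsrc/lang/python27/Makefile
+++ b/pkgsrc/lang/python27/Makefile
@@ -1,194 +1,195 @@
-# $NetBSD: Makefile,v 1.33 2013/12/12 11:34:23 jperkin Exp $
+# $NetBSD: Makefile,v 1.34 2014/02/09 09:02:50 tron Exp $
 
 .include "dist.mk"
 
 PKGNAME= python27-${PY_DISTVERSION}
+PKGREVISION= 1
 CATEGORIES= lang python
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.python.org/
 COMMENT= Interpreted, interactive, object-oriented programming language
 LICENSE= python-software-foundation
 
 CONFLICTS+= python-[0-9]*
 
 GNU_CONFIGURE= yes
 CONFIGURE_ARGS+= --with-threads
 CONFIGURE_ARGS+= --enable-shared
 CONFIGURE_ARGS+= OPT=${CFLAGS:Q}
 CONFIGURE_ARGS+= --with-system-ffi
 CONFIGURE_ARGS+= --with-dbmliborder=ndbm:bdb
 CONFIGURE_ENV+= MKDIR_P=${MKDIR:Q}
 
 PKGCONFIG_OVERRIDE+= Misc/python.pc.in
 
 LDFLAGS+= -L${WRKSRC}
 
 # $RANDOM usage there is fine
 CHECK_PORTABILITY_SKIP= Tools/faqwiz/move-faqwiz.sh
 
 USE_LANGUAGES= c c++
 
 PTHREAD_OPTS+= require
 .include "../../mk/pthread.buildlink3.mk"
 .if ${PTHREAD_TYPE} == "pth"
 CONFIGURE_ARGS+= --with-pth
 .endif
 
 .include "../../mk/compiler.mk"
 
 # Clang needs -fwrapv
 .if !empty(PKGSRC_COMPILER:Mclang)
 CFLAGS+= -fwrapv
 .endif
 
 .include "../../mk/bsd.prefs.mk"
 
 # fdatasync()
 LIBS.SunOS+= -lrt
 
 PY_VER_SUFFIX= 2.7
 
 PLIST_SRC= ${.CURDIR}/../../lang/python27/PLIST.common
 .if exists(${.CURDIR}/../../lang/python27/PLIST.${OPSYS})
 PLIST_SRC+= ${.CURDIR}/../../lang/python27/PLIST.${OPSYS}
 .endif
 PLIST_SRC+= ${.CURDIR}/../../lang/python27/PLIST.common_end
 
 .if ${OPSYS} == "NetBSD"
 . if !defined(USE_DESTDIR) || empty(USE_DESTDIR:M[Yy][Ee][Ss])
 PRIVILEGED_STAGES+= clean
 . endif
 # XXX work around a botched autoconf check which ignores libintl
 CONFIGURE_ENV+= ac_cv_func_bind_textdomain_codeset=yes
 .endif
 
 .if ${OPSYS} == "Cygwin" || ${OPSYS} == "Darwin" || ${OPSYS} == "Interix"
 PY_PLATNAME= ${LOWER_OPSYS}
 USE_TOOLS+= gmake
 .elif ${OPSYS} == "IRIX"
 PY_PLATNAME= ${LOWER_OPSYS:C/\..*//}
 .elif ${OPSYS} == "SunOS"
 PY_PLATNAME= sunos${OS_VERSION:C/\..*//}
 .elif ${OPSYS} == "HPUX"
 PY_PLATNAME= hp-ux11
 .elif ${OPSYS} == "Linux"
 PY_PLATNAME= linux2
 .else
 PY_PLATNAME= ${LOWER_OPSYS}${OS_VERSION:C/\..*//}
 .endif
 PLIST_SUBST+= PY_PLATNAME=${PY_PLATNAME:Q}
 
 .if (${MACHINE_ARCH} == "alpha") || (${MACHINE_ARCH} == "amd64") || \
  (${MACHINE_ARCH} == "sparc64") || (${MACHINE_ARCH} == "x86_64") || \
  (${MACHINE_ARCH} == "powerpc64") || (defined(ABI) && ${ABI} == "64")
 IS_64BIT_PLATFORM?= yes
 .else
 IS_64BIT_PLATFORM?= no
 .endif
 
 # the dl module isn't built for 64 bit archs
 PLIST_VARS+= dl
 .if empty(IS_64BIT_PLATFORM:M[yY][eE][sS])
 PLIST.dl= yes
 .endif
 
 # builds additional modules if OpenSSL < 0.9.8
 PLIST_VARS+= openssl097
 CHECK_BUILTIN.openssl:= yes
 .include "../../security/openssl/builtin.mk"
 CHECK_BUILTIN.openssl:= no
 .if !empty(USE_BUILTIN.openssl:M[yY][eE][sS]) && \
  !empty(BUILTIN_PKG.openssl:Mopenssl-0.9.[67]*)
 PLIST.openssl097= yes
 .endif
 
 # setup.py causes some modules to be built if the platform is *not* 64bit.
 PLIST_VARS+= extra-so
 .if !empty(IS_64BIT_PLATFORM:M[nN][oO])
 PLIST.extra-so= yes
 .endif
 
 # Make sure python modules can link correctly
 .if ${OPSYS} == "Darwin"
 INSTALL_UNSTRIPPED= yes
 .endif
 
 # For Xcode 5 we need to search the SDK path for headers, otherwise certain
 # modules will not be built.
 .if ${OPSYS} == "Darwin" && exists(${OSX_SDK_PATH}/usr/include)
 CFLAGS+= -I${OSX_SDK_PATH}/usr/include
 .endif
 
 PLIST_VARS+= dll nis no-nis
 .if ${OPSYS} == "IRIX"
 . if ${ABI} == "64"
 PLIST.no-nis= yes
 . else
 PLIST.nis= yes
 . endif
 .else
 PLIST.dll= yes
 . if ${OPSYS} == "MirBSD"
 # neither nis nor no-nis
 . elif ${OPSYS} != "NetBSD" || exists(/usr/bin/ypcat)
 PLIST.nis= yes
 . else
 PLIST.no-nis= yes
 . endif
 .endif
 
 .include "../../mk/bdb.buildlink3.mk"
 MAKE_ENV+= PY_BDB_TYPE=${BDB_TYPE}
 .if empty(BDB_LIBS)
 BUILDLINK_TRANSFORM+= rm:-ldb
 .endif
 CFLAGS+= -DHAVE_DB_185_H
 
 .if ${OPSYS} == "OSF1"
 # configure complains about buggy getaddrinfo()
 CONFIGURE_ARGS+= --disable-ipv6
 .endif
 
 .if defined(BUILDLINK_TRANSFORM)
 MAKE_ENV+= PY_BDB_TRANSFORM=${BUILDLINK_TRANSFORM:Q}
 .endif
 
 PLIST_SUBST+= PY_VER_SUFFIX=${PY_VER_SUFFIX:Q}
 
 TEST_TARGET= test
 INSTALL_TARGET= altinstall
 
 REPLACE_INTERPRETER+= py27
 REPLACE.py27.old= .*python[^ ]*
 REPLACE.py27.new= ${PREFIX}/bin/python${PY_VER_SUFFIX}
 REPLACE_FILES.py27= Lib/*.py Lib/*/*.py Lib/*/*/*.py
 REPLACE_FILES.py27+= Lib/*/*/*/*.py
 
 SUBST_CLASSES+= findlib
 SUBST_MESSAGE.findlib= Fixing find_library_file on Darwin.
 SUBST_STAGE.findlib= pre-configure
 SUBST_FILES.findlib= Lib/distutils/unixccompiler.py
 SUBST_SED.findlib= -e 's,/usr/local,${PREFIX},'
 
 post-extract:
  ${MV} ${WRKSRC}/Lib/smtpd.py ${WRKSRC}/Lib/smtpd${PY_VER_SUFFIX}.py
  ${MV} ${WRKSRC}/Tools/scripts/pydoc ${WRKSRC}/Tools/scripts/pydoc${PY_VER_SUFFIX}
  ${MV} ${WRKSRC}/Tools/scripts/2to3 ${WRKSRC}/Tools/scripts/2to3-${PY_VER_SUFFIX}
 
 .if ${OPSYS} == "HPUX"
 post-install:
  ${LN} -fs ${DESTDIR}${PREFIX}/lib/libpython2.7.sl \
  ${DESTDIR}${PREFIX}/lib/libpython2.7.sl.1.0
 .endif
 
 BUILDLINK_DEPMETHOD.readline= build
 
 .include "../../archivers/bzip2/buildlink3.mk"
 .include "../../devel/gettext-lib/buildlink3.mk"
 .include "../../devel/libffi/buildlink3.mk"
 .include "../../devel/readline/buildlink3.mk"
 .include "../../devel/zlib/buildlink3.mk"
 .include "../../security/openssl/buildlink3.mk"
 .include "../../mk/dlopen.buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"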

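--- a/pkgsrc/lang/python27/distinfo
+++ b/pkgsrc/lang/python27/distinfo
@@ -1,26 +1,27 @@
-$NetBSD: distinfo,v 1.29 2013/12/14 18:59:55 bsiegert Exp $
+$NetBSD: distinfo,v 1.30 2014/02/09 09:02:50 tron Exp $
 
 SHA1 (Python-2.7.6.tar.xz) = 8321636af2acbeaa68fc635d7dda7369ed446a80
 RMD160 (Python-2.7.6.tar.xz) = 8efc73a01a466d8fa16c5c1734c89be79c2c538a
 Size (Python-2.7.6.tar.xz) = 10431288 bytes
 SHA1 (patch-Include_node.h) = 673d148b625711ac47e4bfeb0f5b0d5b31f94d7e
 SHA1 (patch-Include_pyerrors.h) = 3eba043c83b1d1df4918524f7b53047a6ed372ae
 SHA1 (patch-Lib_distutils_unixccompiler.py) = 39b967dc2ae648143d5841f22602a21063b4d5ea
 SHA1 (patch-Modules___ssl.c) = aaddaea5bcd6c84d3d896c7c37f710933b8228bc
 SHA1 (patch-Modules_getpath.c) = f68b38eb90f974b67ceab3922ce7f92eb77f25c3
+SHA1 (patch-Modules_socketmodule.c) = 07c76dcf6dc8605446bc8e01d80e1f1e30a5ebf7
 SHA1 (patch-aa) = 990e4025bb6a37715e1f5df1831499f0ab08acfa
 SHA1 (patch-ab) = 0d0ae9802dfe3b85659adb16793affd8c4ffce43
 SHA1 (patch-ad) = de730b9f5a5efb56afa8bed05824b5f6579242ec
 SHA1 (patch-ae) = ff6d8c6164fe3c6dc4fb33d88eb8a49d5c5442f6
 SHA1 (patch-ah) = ae3ce0656d890ca34292920bf0185f94ba847139
 SHA1 (patch-al) = dd8bed847f797b97df1a9ad7ffe17645b0f08925
 SHA1 (patch-am) = 80718042f67a22489b1ae0806e71f28c1515c28e
 SHA1 (patch-an) = 6098fbf0fc31422196cc40d3a227934523db11ca
 SHA1 (patch-ao) = 3a1cd2b255340fd23fc1fce8680e692581ffcec1
 SHA1 (patch-au) = 2a2a988ac92553d17eb898870d1adb3c30a59b66
 SHA1 (patch-av) = a14eaf4d5db6fc3b79ed896fbfcc34ca98051af2
 SHA1 (patch-aw) = 15652e241f371a22c7300f46771825ea74514fa0
 SHA1 (patch-ax) = be7498a37a89c86d278d07c38666237215308498
 SHA1 (patch-az) = 56a3adedfc87cbbb0307ccb4b452665f79bde582
 SHA1 (patch-pyconfig.h.in) = c4544178ecceffb6ed911df39d3a64bff665cb34
 SHA1 (patch-xa) = 25f02b03f1c5534e1d839a5489d5a046071f32c0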

File Added: pkgsrc/lang/python27/patches/patch-Modules_socketmodule.c
$NetBSD: patch-Modules_socketmodule.c,v 1.1 2014/02/09 09:02:50 tron Exp $

Fix vulnerability reported in SA56624. Patch taken from here:

http://hg.python.org/cpython/rev/87673659d8f7

--- Modules/socketmodule.c.orig	2013-11-10 07:36:41.000000000 +0000
+++ Modules/socketmodule.c	2014-02-09 08:41:25.000000000 +0000
@@ -2742,6 +2742,10 @@
     if (recvlen == 0) {
         /* If nbytes was not specified, use the buffer's length */
         recvlen = buflen;
+    } else if (recvlen > buflen) {
+        PyErr_SetString(PyExc_ValueError,
+                        "nbytes is greater than the length of the buffer");
+        goto error;
     }
 
     readlen = sock_recvfrom_guts(s, buf.buf, recvlen, flags, &addr);
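Review bot: The added `else if (recvlen > buflen)` branch has no comment tying it to the write it protects, and whether it is sufficient depends on code outside this hunk. I would add above the branch `/* sock_recvfrom_guts() below stores up to recvlen bytes in buf.buf; refuse nbytes larger than the buffer */`. The comparison only holds if `recvlen` and `buflen` are signed values of the same width and a negative nbytes has already been rejected; their declarations and any earlier checks sit above the hunk, so that should be confirmed against the full function. The `error` label is also outside the hunk and presumably releases `buf` before returning, which is worth checking since this is a new exit path.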