From 20f301a645612d553df43b5f03c4aff3ca1fbd21 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis
Date: Jul 08 2016 19:27:11 +0000
Subject: Refactor patch for properly fixing CVE-2016-5636
---
diff --git a/00201-prevent-buffer-overflow-in-zipimport-module.patch b/00201-prevent-buffer-overflow-in-zipimport-module.patch
deleted file mode 100644
index 319d57f..0000000
--- a/00201-prevent-buffer-overflow-in-zipimport-module.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff --git a/Modules/zipimport.c b/Modules/zipimport.c
-index 7240cb4..a139a3f 100644
---- a/Modules/zipimport.c
-+++ b/Modules/zipimport.c
-@@ -895,6 +895,11 @@ get_data(char *archive, PyObject *toc_entry)
- PyMarshal_ReadShortFromFile(fp); /* local header size */
- file_offset += l; /* Start of file data */
-
-+ if (data_size > LONG_MAX - 1) {
-+ fclose(fp);
-+ PyErr_NoMemory();
-+ return NULL;
-+ }
- raw_data = PyString_FromStringAndSize((char *)NULL, compress == 0 ?
- data_size : data_size + 1);
- if (raw_data == NULL) {
diff --git a/00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch b/00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch
new file mode 100644
index 0000000..f166d01
--- /dev/null
+++ b/00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch
@@ -0,0 +1,39 @@
+From 0f12cb75c708978f9201c1dd3464d2a8572b4544 Mon Sep 17 00:00:00 2001
+From: Charalampos Stratakis
+Date: Fri, 8 Jul 2016 20:24:10 +0200
+Subject: [PATCH] CVE-2016-5636 fix
+
+---
+ Modules/zipimport.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/Modules/zipimport.c b/Modules/zipimport.c
+index 7240cb4..2e6a61f 100644
+--- a/Modules/zipimport.c
++++ b/Modules/zipimport.c
+@@ -861,6 +861,10 @@ get_data(char *archive, PyObject *toc_entry)
+ &date, &crc)) {
+ return NULL;
+ }
++ if (data_size < 0) {
++ PyErr_Format(ZipImportError, "negative data size");
++ return NULL;
++ }
+
+ fp = fopen(archive, "rb");
+ if (!fp) {
+@@ -895,6 +899,11 @@ get_data(char *archive, PyObject *toc_entry)
+ PyMarshal_ReadShortFromFile(fp); /* local header size */
+ file_offset += l; /* Start of file data */
+
++ if (data_size > LONG_MAX - 1) {
++ fclose(fp);
++ PyErr_NoMemory();
++ return NULL;
++ }
+ raw_data = PyString_FromStringAndSize((char *)NULL, compress == 0 ?
+ data_size : data_size + 1);
+ if (raw_data == NULL) {
+--
+2.7.4
+
diff --git a/python.spec b/python.spec
index 3249731..5e97b8e 100644
--- a/python.spec
+++ b/python.spec
@@ -108,7 +108,7 @@ Summary: An interpreted, interactive, object-oriented programming language
 Name: %{python}
 # Remember to also rebase python-docs when changing this:
 Version: 2.7.11
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: Python
 Group: Development/Languages
 Requires: %{python}-libs%{?_isa} = %{version}-%{release}
@@ -848,7 +848,6 @@ Patch187: 00187-add-RPATH-to-pyexpat.patch
 Patch189: 00189-gdb-py-bt-dont-raise-exception-from-eval.patch
 # 00190 #
-#
 # Importing get_python_version in bdist_rpm
 # http://bugs.python.org/issue18045
 # rhbz#1029082
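Review bot: The `data_size > LONG_MAX - 1` guard in the second hunk of the embedded zipimport.c patch depends only on `data_size`, which the first hunk already validates before `fopen`; placing it beside the `data_size < 0` check, as `if (data_size > LONG_MAX - 1) { PyErr_NoMemory(); return NULL; }`, would remove the extra `fclose(fp)` cleanup path and keep both bounds checks where the TOC entry is parsed. Neither guard says why the bound is `LONG_MAX - 1`; a comment such as `/* data_size + 1 below must stay representable as a long */` would make the overflow being prevented explicit. `PyErr_Format(ZipImportError, "negative data size")` passes no format arguments, so `PyErr_SetString` expresses the same thing more directly, a style point only. The body of get_data continues outside both hunks, so the later `fread` into `raw_data` that these checks protect is not visible here.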
@@ -856,19 +855,16 @@ Patch189: 00189-gdb-py-bt-dont-raise-exception-from-eval.patch
 #Patch190: 00190-get_python_version.patch
 # 00191 #
-#
 # Disabling NOOP test as it fails without internet connection
 Patch191: 00191-disable-NOOP.patch
 # 00192 #
-#
 # Fixing buffer overflow (upstream patch)
 # rhbz#1062375
 # FIXED UPSTREAM
 #Patch192: 00192-buffer-overflow.patch
 # 00193 #
-#
 # Enable loading sqlite extensions. This patch isn't needed for
 # python3.spec, since Python 3 has a configuration option for this.
 # rhbz#1066708
@@ -876,13 +872,13 @@ Patch191: 00191-disable-NOOP.patch
 Patch193: 00193-enable-loading-sqlite-extensions.patch
 # 00194 #
-#
 # Fix tests with SQLite >= 3.8.4
 # http://bugs.python.org/issue20901
 # http://hg.python.org/cpython/raw-rev/1763e27a182d
 # FIXED UPSTREAM
 #Patch194: 00194-fix-tests-with-sqlite-3.8.4.patch
+# 00195 #
 # Since openssl-1.0.1h-5.fc21 SSLv2 and SSLV3 protocols
 # are disabled by default in openssl, according the comment in openssl
 # patch this affects only SSLv23_method, this patch enables SSLv2
@@ -892,30 +888,37 @@ Patch193: 00193-enable-loading-sqlite-extensions.patch
 # disables only sslv2 all tests pass
 #Patch195: 00195-enable-sslv23-in-ssl.patch
+# 00196 #
 # http://bugs.python.org/issue21308
 # Backport of ssl module from python3
 # FIXED UPSTREAM
 # Patch196: 00196-ssl-backport.patch
+# 00197 #
 # http://bugs.python.org/issue22023
 # Patch seg fault in unicodeobject.c
 # FIXED UPSTREAM
 # Patch197: 00197-unicode_fromformat.patch
+# 00198 #
 %if 0%{with_rewheel}
 Patch198: 00198-add-rewheel-module.patch
 %endif
+# 00200 #
 # test_gdb.test_threads fails when run within rpmbuild
 # I couldnt reproduce the issue outside of rpmbuild, therefore
 # I skip test for now
 Patch200: 00200-skip-thread-test.patch
-# https://bugs.python.org/issue26171
+# 00209 #
+# CVE-2016-5636: http://seclists.org/oss-sec/2016/q2/560
+# rhbz#1345858: https://bugzilla.redhat.com/show_bug.cgi?id=1345858
 # https://hg.python.org/cpython/rev/985fc64c60d6/
+# https://hg.python.org/cpython/rev/2edbdb79cd6d
 # Fix possible integer overflow and heap corruption in zipimporter.get_data()
-# FIXED UPSTREAM
-Patch201: 00201-prevent-buffer-overflow-in-zipimport-module.patch
+# FIXED UPSTREAM: https://bugs.python.org/issue26171
+Patch209: 00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch
 # 00210 #
 # CVE-2016-0772 python: smtplib StartTLS stripping attack
@@ -1295,7 +1298,7 @@ mv Modules/cryptmodule.c Modules/_cryptmodule.c
 %patch198 -p1
 %endif
 %patch200 -p1
-%patch201 -p1
+%patch209 -p1
 %patch210 -p1
 %patch211 -p1
@@ -2149,6 +2152,9 @@ rm -fr %{buildroot}
 # ======================================================
 %changelog
+* Fri Jul 08 2016 Charalampos Stratakis - 2.7.11-8
+- Refactor patch for properly fixing CVE-2016-5636
+
 * Fri Jul 08 2016 Charalampos Stratakis - 2.7.11-7
 - Fix test_pyexpat failure with Expat version of 2.2.0
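Review bot: The new `# 00209 #` comment block lists the CVE, the bugzilla entry and the upstream revisions but not what changed relative to the removed 00201 patch, which is the reason for this release bump; from the deleted and added patch files the difference is the added rejection of a negative `data_size` before the archive is opened. A line such as `# Supersedes 00201: also rejects a negative data_size before fopen()` next to `# Fix possible integer overflow and heap corruption in zipimporter.get_data()` would make the changelog entry "Refactor patch for properly fixing CVE-2016-5636" traceable from the spec alone. The `%patch209 -p1` application in the later hunk matches the new `Patch209:` declaration, so the rename is consistent.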