rpms / python2.7

Clone
Source Code
GIT

#9 Security fix for CVE-2021-3177
Merged 3 years ago by pviktori. Opened 3 years ago by churchyard.
rpms/ churchyard/python2.7 CVE-2021-3177  into  master

file added
+179 
@@ -0,0 +1,179 @@ 
 

+ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 

+ From: Petr Viktorin <pviktori@redhat.com>
 

+ Date: Mon, 1 Feb 2021 19:29:17 +0100
 

+ Subject: [PATCH] 00357-CVE-2021-3177.patch
 

+ 

+ 00357 #
 

+ CVE-2021-3177: Replace snprintf with Python unicode formatting in ctypes param reprs
 

+ 

+ Backport of Python3 commit 916610ef90a0d0761f08747f7b0905541f0977c7:
 

+ https://bugs.python.org/issue42938
 

+ https://github.com/python/cpython/pull/24239
 

+ ---
 

+  Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++++++
 

+  Modules/_ctypes/callproc.c         | 65 +++++++++++++++++-------------
 

+  2 files changed, 80 insertions(+), 28 deletions(-)
 

+ 

+ diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py
 

+ index 23c1b6e2259..77300d71ae1 100644
 

+ --- a/Lib/ctypes/test/test_parameters.py
 

+ +++ b/Lib/ctypes/test/test_parameters.py
 

+ @@ -206,6 +206,49 @@ class SimpleTypesTestCase(unittest.TestCase):
 

+          with self.assertRaises(ZeroDivisionError):
 

+              WorseStruct().__setstate__({}, b'foo')
 

+  

+ +    def test_parameter_repr(self):
 

+ +        from ctypes import (
 

+ +            c_bool,
 

+ +            c_char,
 

+ +            c_wchar,
 

+ +            c_byte,
 

+ +            c_ubyte,
 

+ +            c_short,
 

+ +            c_ushort,
 

+ +            c_int,
 

+ +            c_uint,
 

+ +            c_long,
 

+ +            c_ulong,
 

+ +            c_longlong,
 

+ +            c_ulonglong,
 

+ +            c_float,
 

+ +            c_double,
 

+ +            c_longdouble,
 

+ +            c_char_p,
 

+ +            c_wchar_p,
 

+ +            c_void_p,
 

+ +        )
 

+ +        self.assertRegexpMatches(repr(c_bool.from_param(True)), r"^<cparam '\?' at 0x[A-Fa-f0-9]+>$")
 

+ +        self.assertEqual(repr(c_char.from_param('a')), "<cparam 'c' ('a')>")
 

+ +        self.assertRegexpMatches(repr(c_wchar.from_param('a')), r"^<cparam 'u' at 0x[A-Fa-f0-9]+>$")
 

+ +        self.assertEqual(repr(c_byte.from_param(98)), "<cparam 'b' (98)>")
 

+ +        self.assertEqual(repr(c_ubyte.from_param(98)), "<cparam 'B' (98)>")
 

+ +        self.assertEqual(repr(c_short.from_param(511)), "<cparam 'h' (511)>")
 

+ +        self.assertEqual(repr(c_ushort.from_param(511)), "<cparam 'H' (511)>")
 

+ +        self.assertRegexpMatches(repr(c_int.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
 

+ +        self.assertRegexpMatches(repr(c_uint.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
 

+ +        self.assertRegexpMatches(repr(c_long.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
 

+ +        self.assertRegexpMatches(repr(c_ulong.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
 

+ +        self.assertRegexpMatches(repr(c_longlong.from_param(20000)), r"^<cparam '[liq]' \(20000\)>$")
 

+ +        self.assertRegexpMatches(repr(c_ulonglong.from_param(20000)), r"^<cparam '[LIQ]' \(20000\)>$")
 

+ +        self.assertEqual(repr(c_float.from_param(1.5)), "<cparam 'f' (1.5)>")
 

+ +        self.assertEqual(repr(c_double.from_param(1.5)), "<cparam 'd' (1.5)>")
 

+ +        self.assertEqual(repr(c_double.from_param(1e300)), "<cparam 'd' (1e+300)>")
 

+ +        self.assertRegexpMatches(repr(c_longdouble.from_param(1.5)), r"^<cparam ('d' \(1.5\)|'g' at 0x[A-Fa-f0-9]+)>$")
 

+ +        self.assertRegexpMatches(repr(c_char_p.from_param(b'hihi')), "^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$")
 

+ +        self.assertRegexpMatches(repr(c_wchar_p.from_param('hihi')), "^<cparam 'Z' \(0x[A-Fa-f0-9]+\)>$")
 

+ +        self.assertRegexpMatches(repr(c_void_p.from_param(0x12)), r"^<cparam 'P' \(0x0*12\)>$")
 

+ +
 

+  ################################################################
 

+  

+  if __name__ == '__main__':
 

+ diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c
 

+ index 066fefc0cca..5cc3c4cf685 100644
 

+ --- a/Modules/_ctypes/callproc.c
 

+ +++ b/Modules/_ctypes/callproc.c
 

+ @@ -460,50 +460,62 @@ PyCArg_dealloc(PyCArgObject *self)
 

+  static PyObject *
 

+  PyCArg_repr(PyCArgObject *self)
 

+  {
 

+ -    char buffer[256];
 

+      switch(self->tag) {
 

+      case 'b':
 

+      case 'B':
 

+ -        sprintf(buffer, "<cparam '%c' (%d)>",
 

+ +        return PyString_FromFormat("<cparam '%c' (%d)>",
 

+              self->tag, self->value.b);
 

+ -        break;
 

+      case 'h':
 

+      case 'H':
 

+ -        sprintf(buffer, "<cparam '%c' (%d)>",
 

+ +        return PyString_FromFormat("<cparam '%c' (%d)>",
 

+              self->tag, self->value.h);
 

+ -        break;
 

+      case 'i':
 

+      case 'I':
 

+ -        sprintf(buffer, "<cparam '%c' (%d)>",
 

+ +        return PyString_FromFormat("<cparam '%c' (%d)>",
 

+              self->tag, self->value.i);
 

+ -        break;
 

+      case 'l':
 

+      case 'L':
 

+ -        sprintf(buffer, "<cparam '%c' (%ld)>",
 

+ +        return PyString_FromFormat("<cparam '%c' (%ld)>",
 

+              self->tag, self->value.l);
 

+ -        break;
 

+  

+  #ifdef HAVE_LONG_LONG
 

+      case 'q':
 

+      case 'Q':
 

+ -        sprintf(buffer,
 

+ -            "<cparam '%c' (%" PY_FORMAT_LONG_LONG "d)>",
 

+ +        return PyString_FromFormat("<cparam '%c' (%lld)>",
 

+              self->tag, self->value.q);
 

+ -        break;
 

+  #endif
 

+      case 'd':
 

+ -        sprintf(buffer, "<cparam '%c' (%f)>",
 

+ -            self->tag, self->value.d);
 

+ -        break;
 

+ -    case 'f':
 

+ -        sprintf(buffer, "<cparam '%c' (%f)>",
 

+ -            self->tag, self->value.f);
 

+ -        break;
 

+ -
 

+ +    case 'f': {
 

+ +        PyObject *s = PyString_FromFormat("<cparam '%c' (", self->tag);
 

+ +        if (s == NULL) {
 

+ +            return NULL;
 

+ +        }
 

+ +        PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d);
 

+ +        if (f == NULL) {
 

+ +            Py_DECREF(s);
 

+ +            return NULL;
 

+ +        }
 

+ +        PyObject *r = PyObject_Repr(f);
 

+ +        Py_DECREF(f);
 

+ +        if (r == NULL) {
 

+ +            Py_DECREF(s);
 

+ +            return NULL;
 

+ +        }
 

+ +        PyString_ConcatAndDel(&s, r);
 

+ +        if (s == NULL) {
 

+ +            return NULL;
 

+ +        }
 

+ +        r = PyString_FromString(")>");
 

+ +        if (r == NULL) {
 

+ +            Py_DECREF(s);
 

+ +            return NULL;
 

+ +        }
 

+ +        PyString_ConcatAndDel(&s, r);
 

+ +        return s;
 

+ +    }
 

+      case 'c':
 

+ -        sprintf(buffer, "<cparam '%c' (%c)>",
 

+ +        return PyString_FromFormat("<cparam '%c' ('%c')>",
 

+              self->tag, self->value.c);
 

+ -        break;
 

+  

+  /* Hm, are these 'z' and 'Z' codes useful at all?
 

+     Shouldn't they be replaced by the functionality of c_string
 

+ @@ -512,16 +524,13 @@ PyCArg_repr(PyCArgObject *self)
 

+      case 'z':
 

+      case 'Z':
 

+      case 'P':
 

+ -        sprintf(buffer, "<cparam '%c' (%p)>",
 

+ +        return PyUnicode_FromFormat("<cparam '%c' (%p)>",
 

+              self->tag, self->value.p);
 

+ -        break;
 

+  

+      default:
 

+ -        sprintf(buffer, "<cparam '%c' at %p>",
 

+ -            self->tag, self);
 

+ -        break;
 

+ +        return PyString_FromFormat("<cparam '%c' at %p>",
 

+ +            (unsigned char)self->tag, (void *)self);
 

+      }
 

+ -    return PyString_FromString(buffer);
 

+  }
 

+  

+  static PyMemberDef PyCArgType_members[] = {

file modified
+13 -1 
@@ -57,7 +57,7 @@ 
 

  #global prerel ...
 

  %global upstream_version %{general_version}%{?prerel}
 

  Version: %{general_version}%{?prerel:~%{prerel}}
 

- Release: 7%{?dist}
 

+ Release: 8%{?dist}
 

  %if %{with rpmwheels}
 

  License: Python
 

  %else
 
@@ -762,6 +762,14 @@ 
 

  # Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
 

  Patch354: 00354-cve-2020-26116-http-request-method-crlf-injection-in-httplib.patch
 

  

+ # 00357 # c4b8cabe4e772e4b8eea3e4dab5de12a3e9b5bc2
 

+ # CVE-2021-3177: Replace snprintf with Python unicode formatting in ctypes param reprs
 

+ #
 

+ # Backport of Python3 commit 916610ef90a0d0761f08747f7b0905541f0977c7:
 

+ # https://bugs.python.org/issue42938
 

+ # https://github.com/python/cpython/pull/24239
 

+ Patch357: 00357-CVE-2021-3177.patch
 

+ 

  # (New patches go here ^^^)
 

  #
 

  # When adding new patches to "python2" and "python3" in Fedora, EL, etc.,
 
@@ -919,6 +927,7 @@ 
 

  git apply %{PATCH351}
 

  

  %patch354 -p1
 

+ %patch357 -p1
 

  

  # This shouldn't be necesarry, but is right now (2.2a3)
 

  find -name "*~" |xargs rm -f
 
@@ -1593,6 +1602,9 @@ 
 

  # ======================================================
 

  

  %changelog
 

+ * Mon Feb 01 2021 Miro Hrončok <mhroncok@redhat.com> - 2.7.18-8
 

+ - Security fix for CVE-2021-3177
 

+ 

  * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.7.18-7
 

  - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

no initial comment

rebased onto 3ea06b5
3 years ago

Build succeeded.

Pull-Request has been merged by pviktori
3 years ago
Metadata
None
No Tags
Flags
Zuul
success
Jobs result is success
3 years ago
Changes Summary 2
+179
file added
00357-CVE-2021-3177.patch
+13 -1
file changed
python2.7.spec
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.