Security fix for CVE-2022-48560

RHEL-16702
2023-11-30 10:12:13 +01:00 · 2023-11-30 10:12:13 +01:00 · 70a4f6fadd
commit 70a4f6fadd
parent cec2df2191
2 changed files with 150 additions and 1 deletions
--- a/00408-cve-2022-48560.patch
+++ b/00408-cve-2022-48560.patch
@ -0,0 +1,136 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Thu, 23 Nov 2023 13:25:44 +0100
 Subject: [PATCH] 00408-cve-2022-48560.patch
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Security fix for CVE-2022-48560: python3: use after free in heappushpop()
 of heapq module
 Resolved upstream: https://github.com/python/cpython/issues/83602
 Backported from Python 3.6.11.
 Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
 Co-authored-by: Lumír Balhar <lbalhar@redhat.com>
 ---
 Lib/test/test_heapq.py | 32 ++++++++++++++++++++++++++++++++
 Modules/_heapqmodule.c | 31 ++++++++++++++++++++++++-------
 2 files changed, 56 insertions(+), 7 deletions(-)
 diff --git a/Lib/test/test_heapq.py b/Lib/test/test_heapq.py
 index c4de593bb82..29cefb5d1a6 100644
 --- a/Lib/test/test_heapq.py
 +++ b/Lib/test/test_heapq.py
@@ -396,6 +396,38 @@ class TestErrorHandling(TestCase):
         with self.assertRaises((IndexError, RuntimeError)):
             self.module.heappop(heap)
 +    def test_comparison_operator_modifiying_heap(self):
 +        # See bpo-39421: Strong references need to be taken
 +        # when comparing objects as they can alter the heap
 +        class EvilClass(int):
 +            def __lt__(self, o):
 +                heap[:] = []
 +                return NotImplemented
 +
 +        heap = []
 +        self.module.heappush(heap, EvilClass(0))
 +        self.assertRaises(IndexError, self.module.heappushpop, heap, 1)
 +
 +    def test_comparison_operator_modifiying_heap_two_heaps(self):
 +
 +        class h(int):
 +            def __lt__(self, o):
 +                list2[:] = []
 +                return NotImplemented
 +
 +        class g(int):
 +            def __lt__(self, o):
 +                list1[:] = []
 +                return NotImplemented
 +
 +        list1, list2 = [], []
 +
 +        self.module.heappush(list1, h(0))
 +        self.module.heappush(list2, g(0))
 +
 +        self.assertRaises((IndexError, RuntimeError), self.module.heappush, list1, g(1))
 +        self.assertRaises((IndexError, RuntimeError), self.module.heappush, list2, h(1))
 +
 class TestErrorHandlingPython(TestErrorHandling):
     module = py_heapq
 diff --git a/Modules/_heapqmodule.c b/Modules/_heapqmodule.c
 index 5b0ef691545..c013aee1ebf 100644
 --- a/Modules/_heapqmodule.c
 +++ b/Modules/_heapqmodule.c
@@ -52,7 +52,11 @@ _siftdown(PyListObject *heap, Py_ssize_t startpos, Py_ssize_t pos)
     while (pos > startpos) {
         parentpos = (pos - 1) >> 1;
         parent = PyList_GET_ITEM(heap, parentpos);
 +        Py_INCREF(newitem);
 +        Py_INCREF(parent);
         cmp = cmp_lt(newitem, parent);
 +        Py_DECREF(parent);
 +        Py_DECREF(newitem);
         if (cmp == -1)
             return -1;
         if (size != PyList_GET_SIZE(heap)) {
@@ -93,9 +97,13 @@ _siftup(PyListObject *heap, Py_ssize_t pos)
         childpos = 2*pos + 1;    /* leftmost child position  */
         rightpos = childpos + 1;
         if (rightpos < endpos) {
 -            cmp = cmp_lt(
 -                PyList_GET_ITEM(heap, childpos),
 -                PyList_GET_ITEM(heap, rightpos));
 +            PyObject* a = PyList_GET_ITEM(heap, childpos);
 +            PyObject* b = PyList_GET_ITEM(heap, rightpos);
 +            Py_INCREF(a);
 +            Py_INCREF(b);
 +            cmp = cmp_lt(a, b);
 +            Py_DECREF(a);
 +            Py_DECREF(b);
             if (cmp == -1)
                 return -1;
             if (cmp == 0)
@@ -236,7 +244,10 @@ heappushpop(PyObject *self, PyObject *args)
         return item;
     }
 -    cmp = cmp_lt(PyList_GET_ITEM(heap, 0), item);
 +    PyObject* top = PyList_GET_ITEM(heap, 0);
 +    Py_INCREF(top);
 +    cmp = cmp_lt(top, item);
 +    Py_DECREF(top);
     if (cmp == -1)
         return NULL;
     if (cmp == 0) {
@@ -395,7 +406,9 @@ _siftdownmax(PyListObject *heap, Py_ssize_t startpos, Py_ssize_t pos)
     while (pos > startpos){
         parentpos = (pos - 1) >> 1;
         parent = PyList_GET_ITEM(heap, parentpos);
 +        Py_INCREF(parent);
         cmp = cmp_lt(parent, newitem);
 +        Py_DECREF(parent);
         if (cmp == -1) {
             Py_DECREF(newitem);
             return -1;
@@ -436,9 +449,13 @@ _siftupmax(PyListObject *heap, Py_ssize_t pos)
         childpos = 2*pos + 1;    /* leftmost child position  */
         rightpos = childpos + 1;
         if (rightpos < endpos) {
 -            cmp = cmp_lt(
 -                PyList_GET_ITEM(heap, rightpos),
 -                PyList_GET_ITEM(heap, childpos));
 +            PyObject* a = PyList_GET_ITEM(heap, rightpos);
 +            PyObject* b = PyList_GET_ITEM(heap, childpos);
 +            Py_INCREF(a);
 +            Py_INCREF(b);
 +            cmp = cmp_lt(a, b);
 +            Py_DECREF(a);
 +            Py_DECREF(b);
             if (cmp == -1) {
                 Py_DECREF(newitem);
                 return -1;
--- a/python2.spec
+++ b/python2.spec
@ -104,7 +104,7 @@ Summary: An interpreted, interactive, object-oriented programming language
 Name: %{python}
 # Remember to also rebase python2-docs when changing this:
 Version: 2.7.18
-Release: 16%{?dist}
+Release: 17%{?dist}
 License: Python
 Group: Development/Languages
 Requires: %{python}-libs%{?_isa} = %{version}-%{release}
@ -845,6 +845,14 @@ Patch404: 00404-cve-2023-40217.patch
 # Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-48565
 Patch406: 00406-cve-2022-48565.patch
 # 00408 # 7cfb7e151bb64b384c47bfe0dddf5c2d6837772f
 # Security fix for CVE-2022-48560: python3: use after free in heappushpop()
 # of heapq module
 # Resolved upstream: https://github.com/python/cpython/issues/83602
 #
 # Backported from Python 3.6.11.
 Patch408: 00408-cve-2022-48560.patch
 # (New patches go here ^^^)
 #
 # When adding new patches to "python2" and "python3" in Fedora, EL, etc.,
@ -1184,6 +1192,7 @@ git apply %{PATCH351}
 %patch399 -p1
 %patch404 -p1
 %patch406 -p1
 %patch408 -p1
 # This shouldn't be necesarry, but is right now (2.2a3)
@ -2123,6 +2132,10 @@ fi
 # ======================================================
 %changelog
 * Thu Nov 30 2023 Lumír Balhar <lbalhar@redhat.com> - 2.7.18-17
 - Security fix for CVE-2022-48560
 Resolves: RHEL-16702
 * Thu Oct 12 2023 Lumír Balhar <lbalhar@redhat.com> - 2.7.18-16
 - Fix for CVE-2022-48565
 Resolves: RHEL-7088