From 3702d0d8e2d9c1af62b1d8928cee8a90fb02d11d Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Fri, 8 Jul 2016 18:47:00 +0200 Subject: [PATCH] Refactor patch for properly fixing CVE-2016-5636 --- ...fer-overflow-in-zipimport-module-fix.patch | 39 +++++++++++++++++++ ...-buffer-overflow-in-zipimport-module.patch | 16 -------- python3.spec | 24 ++++++++---- 3 files changed, 56 insertions(+), 23 deletions(-) create mode 100644 00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch delete mode 100644 00209-prevent-buffer-overflow-in-zipimport-module.patch diff --git a/00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch b/00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch new file mode 100644 index 0000000..e2c8581 --- /dev/null +++ b/00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch @@ -0,0 +1,39 @@ +From 531dfa4bcfe55d5cd1524425944b07c5b02bddf9 Mon Sep 17 00:00:00 2001 +From: Charalampos Stratakis +Date: Fri, 8 Jul 2016 17:16:41 +0200 +Subject: [PATCH] CVE-2016-5636 fix + +--- + Modules/zipimport.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/Modules/zipimport.c b/Modules/zipimport.c +index 06abb31..4d0d1de 100644 +--- a/Modules/zipimport.c ++++ b/Modules/zipimport.c +@@ -1076,6 +1076,10 @@ get_data(PyObject *archive, PyObject *toc_entry) + &date, &crc)) { + return NULL; + } ++ if (data_size < 0) { ++ PyErr_Format(ZipImportError, "negative data size"); ++ return NULL; ++ } + + fp = _Py_fopen_obj(archive, "rb"); + if (!fp) +@@ -1112,6 +1116,11 @@ get_data(PyObject *archive, PyObject *toc_entry) + } + file_offset += l; /* Start of file data */ + ++ if (data_size > LONG_MAX - 1) { ++ fclose(fp); ++ PyErr_NoMemory(); ++ return NULL; ++ } + bytes_size = compress == 0 ? data_size : data_size + 1; + if (bytes_size == 0) + bytes_size++; +-- +2.7.4 + diff --git a/00209-prevent-buffer-overflow-in-zipimport-module.patch b/00209-prevent-buffer-overflow-in-zipimport-module.patch deleted file mode 100644 index ea23556..0000000 --- a/00209-prevent-buffer-overflow-in-zipimport-module.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff --git a/Modules/zipimport.c b/Modules/zipimport.c -index 06abb31..914bf5d 100644 ---- a/Modules/zipimport.c -+++ b/Modules/zipimport.c -@@ -1112,6 +1112,11 @@ get_data(PyObject *archive, PyObject *toc_entry) - } - file_offset += l; /* Start of file data */ - -+ if (data_size > LONG_MAX - 1) { -+ fclose(fp); -+ PyErr_NoMemory(); -+ return NULL; -+ } - bytes_size = compress == 0 ? data_size : data_size + 1; - if (bytes_size == 0) - bytes_size++; diff --git a/python3.spec b/python3.spec index 01c9966..d094297 100644 --- a/python3.spec +++ b/python3.spec @@ -112,7 +112,7 @@ Summary: Version 3 of the Python programming language aka Python 3000 Name: python3 Version: %{pybasever}.1 -Release: 11%{?dist} +Release: 12%{?dist} License: Python Group: Development/Languages @@ -375,7 +375,6 @@ Patch186: 00186-dont-raise-from-py_compile.patch Patch188: 00188-fix-lib2to3-tests-when-hashlib-doesnt-compile-properly.patch # 00189 # -# # Add the rewheel module, allowing to recreate wheels from already installed # ones # https://github.com/bkabrda/rewheel @@ -383,12 +382,12 @@ Patch188: 00188-fix-lib2to3-tests-when-hashlib-doesnt-compile-properly.patch Patch189: 00189-add-rewheel-module.patch %endif +# 00194 # # Tests requiring SIGHUP to work don't work in Koji # see rhbz#1088233 Patch194: temporarily-disable-tests-requiring-SIGHUP.patch -# 00196 -# +# 00196 # # Fix test_gdb failure on ppc64le Patch196: 00196-test-gdb-match-addr-before-builtin.patch @@ -404,31 +403,39 @@ Patch200: 00200-gettext-plural-fix.patch # Note: Backported from scl Patch201: 00201-fix-memory-leak-in-gdbm.patch +# 00203 # # test_threading fails in koji dues to it's handling of signals Patch203: 00203-disable-threading-test-koji.patch +# 00205 # # LIBPL variable in makefile takes LIBPL from configure.ac # but the LIBPL variable defined there doesn't respect libdir macro Patch205: 00205-make-libpl-respect-lib64.patch +# 00206 # # Remove hf flag from arm triplet which is used # by debian but fedora infra uses only eabi without hf Patch206: 00206-remove-hf-from-arm-triplet.patch +# 00207 # # Avoid truncated _math.o files caused by parallel builds # modified version of https://bugs.python.org/issue24421 # rhbz#1292461 Patch207: 00207-math-once.patch +# 00208 # # test_with_pip (test.test_venv.EnsurePipTest) fails on ppc64* # rhbz#1292467 Patch208: 00208-disable-test_with_pip-on-ppc.patch -# https://bugs.python.org/issue26171 +# 00209 # +# CVE-2016-5636: http://seclists.org/oss-sec/2016/q2/560 +# rhbz#1345859: https://bugzilla.redhat.com/show_bug.cgi?id=1345859 # https://hg.python.org/cpython/rev/10dad6da1b28/ +# https://hg.python.org/cpython/rev/5533a9e02b21 # Fix possible integer overflow and heap corruption in zipimporter.get_data() -# FIXED UPSTREAM -Patch209: 00209-prevent-buffer-overflow-in-zipimport-module.patch +# FIXED UPSTREAM: https://bugs.python.org/issue26171 +Patch209: 00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch # 00210 # # CVE-2016-0772 python: smtplib StartTLS stripping attack @@ -1595,6 +1602,9 @@ rm -fr %{buildroot} # ====================================================== %changelog +* Fri Jul 08 2016 Charalampos Stratakis - 3.5.1-12 +- Refactor patch for properly fixing CVE-2016-5636 + * Fri Jul 08 2016 Charalampos Stratakis - 3.5.1-11 - Fix test_pyexpat failure with Expat version of 2.2.0