Refactor patch for properly fixing CVE-2016-5636

This commit is contained in:
Charalampos Stratakis 2016-07-08 18:47:00 +02:00
parent 92512b0b14
commit 3702d0d8e2
3 changed files with 56 additions and 23 deletions

View File

@ -0,0 +1,39 @@
From 531dfa4bcfe55d5cd1524425944b07c5b02bddf9 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Fri, 8 Jul 2016 17:16:41 +0200
Subject: [PATCH] CVE-2016-5636 fix
---
Modules/zipimport.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/Modules/zipimport.c b/Modules/zipimport.c
index 06abb31..4d0d1de 100644
--- a/Modules/zipimport.c
+++ b/Modules/zipimport.c
@@ -1076,6 +1076,10 @@ get_data(PyObject *archive, PyObject *toc_entry)
&date, &crc)) {
return NULL;
}
+ if (data_size < 0) {
+ PyErr_Format(ZipImportError, "negative data size");
+ return NULL;
+ }
fp = _Py_fopen_obj(archive, "rb");
if (!fp)
@@ -1112,6 +1116,11 @@ get_data(PyObject *archive, PyObject *toc_entry)
}
file_offset += l; /* Start of file data */
+ if (data_size > LONG_MAX - 1) {
+ fclose(fp);
+ PyErr_NoMemory();
+ return NULL;
+ }
bytes_size = compress == 0 ? data_size : data_size + 1;
if (bytes_size == 0)
bytes_size++;
--
2.7.4

View File

@ -1,16 +0,0 @@
diff --git a/Modules/zipimport.c b/Modules/zipimport.c
index 06abb31..914bf5d 100644
--- a/Modules/zipimport.c
+++ b/Modules/zipimport.c
@@ -1112,6 +1112,11 @@ get_data(PyObject *archive, PyObject *toc_entry)
}
file_offset += l; /* Start of file data */
+ if (data_size > LONG_MAX - 1) {
+ fclose(fp);
+ PyErr_NoMemory();
+ return NULL;
+ }
bytes_size = compress == 0 ? data_size : data_size + 1;
if (bytes_size == 0)
bytes_size++;

View File

@ -112,7 +112,7 @@
Summary: Version 3 of the Python programming language aka Python 3000 Summary: Version 3 of the Python programming language aka Python 3000
Name: python3 Name: python3
Version: %{pybasever}.1 Version: %{pybasever}.1
Release: 11%{?dist} Release: 12%{?dist}
License: Python License: Python
Group: Development/Languages Group: Development/Languages
@ -375,7 +375,6 @@ Patch186: 00186-dont-raise-from-py_compile.patch
Patch188: 00188-fix-lib2to3-tests-when-hashlib-doesnt-compile-properly.patch Patch188: 00188-fix-lib2to3-tests-when-hashlib-doesnt-compile-properly.patch
# 00189 # # 00189 #
#
# Add the rewheel module, allowing to recreate wheels from already installed # Add the rewheel module, allowing to recreate wheels from already installed
# ones # ones
# https://github.com/bkabrda/rewheel # https://github.com/bkabrda/rewheel
@ -383,12 +382,12 @@ Patch188: 00188-fix-lib2to3-tests-when-hashlib-doesnt-compile-properly.patch
Patch189: 00189-add-rewheel-module.patch Patch189: 00189-add-rewheel-module.patch
%endif %endif
# 00194 #
# Tests requiring SIGHUP to work don't work in Koji # Tests requiring SIGHUP to work don't work in Koji
# see rhbz#1088233 # see rhbz#1088233
Patch194: temporarily-disable-tests-requiring-SIGHUP.patch Patch194: temporarily-disable-tests-requiring-SIGHUP.patch
# 00196 # 00196 #
#
# Fix test_gdb failure on ppc64le # Fix test_gdb failure on ppc64le
Patch196: 00196-test-gdb-match-addr-before-builtin.patch Patch196: 00196-test-gdb-match-addr-before-builtin.patch
@ -404,31 +403,39 @@ Patch200: 00200-gettext-plural-fix.patch
# Note: Backported from scl # Note: Backported from scl
Patch201: 00201-fix-memory-leak-in-gdbm.patch Patch201: 00201-fix-memory-leak-in-gdbm.patch
# 00203 #
# test_threading fails in koji dues to it's handling of signals # test_threading fails in koji dues to it's handling of signals
Patch203: 00203-disable-threading-test-koji.patch Patch203: 00203-disable-threading-test-koji.patch
# 00205 #
# LIBPL variable in makefile takes LIBPL from configure.ac # LIBPL variable in makefile takes LIBPL from configure.ac
# but the LIBPL variable defined there doesn't respect libdir macro # but the LIBPL variable defined there doesn't respect libdir macro
Patch205: 00205-make-libpl-respect-lib64.patch Patch205: 00205-make-libpl-respect-lib64.patch
# 00206 #
# Remove hf flag from arm triplet which is used # Remove hf flag from arm triplet which is used
# by debian but fedora infra uses only eabi without hf # by debian but fedora infra uses only eabi without hf
Patch206: 00206-remove-hf-from-arm-triplet.patch Patch206: 00206-remove-hf-from-arm-triplet.patch
# 00207 #
# Avoid truncated _math.o files caused by parallel builds # Avoid truncated _math.o files caused by parallel builds
# modified version of https://bugs.python.org/issue24421 # modified version of https://bugs.python.org/issue24421
# rhbz#1292461 # rhbz#1292461
Patch207: 00207-math-once.patch Patch207: 00207-math-once.patch
# 00208 #
# test_with_pip (test.test_venv.EnsurePipTest) fails on ppc64* # test_with_pip (test.test_venv.EnsurePipTest) fails on ppc64*
# rhbz#1292467 # rhbz#1292467
Patch208: 00208-disable-test_with_pip-on-ppc.patch Patch208: 00208-disable-test_with_pip-on-ppc.patch
# https://bugs.python.org/issue26171 # 00209 #
# CVE-2016-5636: http://seclists.org/oss-sec/2016/q2/560
# rhbz#1345859: https://bugzilla.redhat.com/show_bug.cgi?id=1345859
# https://hg.python.org/cpython/rev/10dad6da1b28/ # https://hg.python.org/cpython/rev/10dad6da1b28/
# https://hg.python.org/cpython/rev/5533a9e02b21
# Fix possible integer overflow and heap corruption in zipimporter.get_data() # Fix possible integer overflow and heap corruption in zipimporter.get_data()
# FIXED UPSTREAM # FIXED UPSTREAM: https://bugs.python.org/issue26171
Patch209: 00209-prevent-buffer-overflow-in-zipimport-module.patch Patch209: 00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch
# 00210 # # 00210 #
# CVE-2016-0772 python: smtplib StartTLS stripping attack # CVE-2016-0772 python: smtplib StartTLS stripping attack
@ -1595,6 +1602,9 @@ rm -fr %{buildroot}
# ====================================================== # ======================================================
%changelog %changelog
* Fri Jul 08 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.5.1-12
- Refactor patch for properly fixing CVE-2016-5636
* Fri Jul 08 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.5.1-11 * Fri Jul 08 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.5.1-11
- Fix test_pyexpat failure with Expat version of 2.2.0 - Fix test_pyexpat failure with Expat version of 2.2.0