Refactor patch for properly fixing CVE-2016-5636

2016-07-08 18:47:00 +02:00 · 2016-07-08 18:47:00 +02:00 · 3702d0d8e2
commit 3702d0d8e2
parent 92512b0b14
3 changed files with 56 additions and 23 deletions
--- a/00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch
+++ b/00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch
@ -0,0 +1,39 @@
+From 531dfa4bcfe55d5cd1524425944b07c5b02bddf9 Mon Sep 17 00:00:00 2001
+From: Charalampos Stratakis <cstratak@redhat.com>
+Date: Fri, 8 Jul 2016 17:16:41 +0200
+Subject: [PATCH] CVE-2016-5636 fix
+
+---
+ Modules/zipimport.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/Modules/zipimport.c b/Modules/zipimport.c
+index 06abb31..4d0d1de 100644
+--- a/Modules/zipimport.c
+++ b/Modules/zipimport.c
+@@ -1076,6 +1076,10 @@ get_data(PyObject *archive, PyObject *toc_entry)
+                           &date, &crc)) {
+         return NULL;
+     }
+    if (data_size < 0) {
+        PyErr_Format(ZipImportError, "negative data size");
+        return NULL;
+    }
+ 
+     fp = _Py_fopen_obj(archive, "rb");
+     if (!fp)
+@@ -1112,6 +1116,11 @@ get_data(PyObject *archive, PyObject *toc_entry)
+     }
+     file_offset += l;           /* Start of file data */
+ 
+    if (data_size > LONG_MAX - 1) {
+        fclose(fp);
+        PyErr_NoMemory();
+        return NULL;
+    }
+     bytes_size = compress == 0 ? data_size : data_size + 1;
+     if (bytes_size == 0)
+         bytes_size++;
+-- 
+2.7.4
+
--- a/00209-prevent-buffer-overflow-in-zipimport-module.patch
+++ b/00209-prevent-buffer-overflow-in-zipimport-module.patch
@ -1,16 +0,0 @@
-diff --git a/Modules/zipimport.c b/Modules/zipimport.c
-index 06abb31..914bf5d 100644
--- a/Modules/zipimport.c
-+++ b/Modules/zipimport.c
-@@ -1112,6 +1112,11 @@ get_data(PyObject *archive, PyObject *toc_entry)
-     }
-     file_offset += l;           /* Start of file data */
- 
-+    if (data_size > LONG_MAX - 1) {
-+        fclose(fp);
-+        PyErr_NoMemory();
-+        return NULL;
-+    }
-     bytes_size = compress == 0 ? data_size : data_size + 1;
-     if (bytes_size == 0)
-         bytes_size++;
--- a/python3.spec
+++ b/python3.spec
@ -112,7 +112,7 @@
 Summary: Version 3 of the Python programming language aka Python 3000
 Name: python3
 Version: %{pybasever}.1
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: Python
 Group: Development/Languages

@ -375,7 +375,6 @@ Patch186: 00186-dont-raise-from-py_compile.patch
 Patch188: 00188-fix-lib2to3-tests-when-hashlib-doesnt-compile-properly.patch

 # 00189 #
-#
 # Add the rewheel module, allowing to recreate wheels from already installed
 # ones
 # https://github.com/bkabrda/rewheel
@ -383,12 +382,12 @@ Patch188: 00188-fix-lib2to3-tests-when-hashlib-doesnt-compile-properly.patch
 Patch189: 00189-add-rewheel-module.patch
 %endif

+# 00194 #
 # Tests requiring SIGHUP to work don't work in Koji
 # see rhbz#1088233
 Patch194: temporarily-disable-tests-requiring-SIGHUP.patch

-# 00196
-#
+# 00196 #
 #  Fix test_gdb failure on ppc64le
 Patch196: 00196-test-gdb-match-addr-before-builtin.patch

@ -404,31 +403,39 @@ Patch200: 00200-gettext-plural-fix.patch
 # Note: Backported from scl
 Patch201: 00201-fix-memory-leak-in-gdbm.patch

+# 00203 #
 # test_threading fails in koji dues to it's handling of signals
 Patch203: 00203-disable-threading-test-koji.patch

+# 00205 #
 # LIBPL variable in makefile takes LIBPL from configure.ac
 # but the LIBPL variable defined there doesn't respect libdir macro
 Patch205: 00205-make-libpl-respect-lib64.patch

+# 00206 #
 # Remove hf flag from arm triplet which is used
 # by debian but fedora infra uses only eabi without hf
 Patch206: 00206-remove-hf-from-arm-triplet.patch

+# 00207 #
 # Avoid truncated _math.o files caused by parallel builds
 # modified version of https://bugs.python.org/issue24421
 # rhbz#1292461
 Patch207: 00207-math-once.patch

+# 00208 #
 # test_with_pip (test.test_venv.EnsurePipTest) fails on ppc64*
 # rhbz#1292467
 Patch208: 00208-disable-test_with_pip-on-ppc.patch

-# https://bugs.python.org/issue26171
+# 00209 #
+# CVE-2016-5636: http://seclists.org/oss-sec/2016/q2/560
+# rhbz#1345859: https://bugzilla.redhat.com/show_bug.cgi?id=1345859
 # https://hg.python.org/cpython/rev/10dad6da1b28/
+# https://hg.python.org/cpython/rev/5533a9e02b21
 # Fix possible integer overflow and heap corruption in zipimporter.get_data()
-# FIXED UPSTREAM
-Patch209: 00209-prevent-buffer-overflow-in-zipimport-module.patch
+# FIXED UPSTREAM: https://bugs.python.org/issue26171
+Patch209: 00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch

 # 00210 #
 # CVE-2016-0772 python: smtplib StartTLS stripping attack
@ -1595,6 +1602,9 @@ rm -fr %{buildroot}
 # ======================================================

 %changelog
+* Fri Jul 08 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.5.1-12
+- Refactor patch for properly fixing CVE-2016-5636
+
 * Fri Jul 08 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.5.1-11
 - Fix test_pyexpat failure with Expat version of 2.2.0