Hello community, here is the log from the commit of package python for openSUSE:Factory checked in at 2014-02-19 09:10:33 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python (Old) and /work/SRC/openSUSE:Factory/.python.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python" Changes: -------- --- /work/SRC/openSUSE:Factory/python/python-base.changes 2014-01-23 15:53:38.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.python.new/python-base.changes 2014-02-19 09:10:35.000000000 +0100 @@ -1,0 +2,17 @@ +Mon Feb 10 14:24:52 UTC 2014 - [email protected] + +- added patches for CVE-2013-1752 (bnc#856836) issues that are + missing in 2.7.6: + python-2.7.6-imaplib.patch + python-2.7.6-poplib.patch + smtplib_maxline-2.7.patch +- CVE-2013-1753 (bnc#856835) gzip decompression bomb in xmlrpc client: + xmlrpc_gzip_27.patch +- python-2.7.6-bdist-rpm.patch: fix broken "setup.py bdist_rpm" command + (bnc#857470, issue18045) +- multilib patch: add "~/.local/lib64" paths to search path + (bnc#637176) +- CVE-2014-1912-recvfrom_into.patch: fix potential buffer overflow + in socket.recvfrom_into (CVE-2014-1912, bnc#863741) + +------------------------------------------------------------------- python.changes: same change New: ---- CVE-2014-1912-recvfrom_into.patch python-2.7.6-bdist-rpm.patch python-2.7.6-imaplib.patch python-2.7.6-poplib.patch smtplib_maxline-2.7.patch xmlrpc_gzip_27.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-base.spec ++++++ --- /var/tmp/diff_new_pack.utcRVe/_old 2014-02-19 09:10:36.000000000 +0100 +++ /var/tmp/diff_new_pack.utcRVe/_new 2014-02-19 09:10:36.000000000 +0100 
@@ -52,6 +52,16 @@ Patch24: python-bsddb6.diff # PATCH-FIX-OPENSUSE Properly support ppc64le in _ctypes module Patch25: libffi-ppc64le.diff +# CVE-2013-1753 [bnc#856835] unbounded gzip decompression in xmlrpc client +Patch26: xmlrpc_gzip_27.patch +# CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib +Patch27: python-2.7.6-imaplib.patch +Patch28: smtplib_maxline-2.7.patch +Patch29: python-2.7.6-poplib.patch +# [bnc#857470] add missing import to bdist_rpm command +Patch30: python-2.7.6-bdist-rpm.patch +# CVE-2014-1912 [bnc#863741] buffer overflow in recvfrom_into +Patch31: CVE-2014-1912-recvfrom_into.patch # COMMON-PATCH-END %define python_version %(echo %{tarversion} | head -c 3) BuildRequires: automake @@ -146,6 +156,12 @@ %patch23 -p1 %patch24 -p1 %patch25 -p0 +%patch26 -p1 +%patch27 -p1 +%patch28 -p1 +%patch29 -p1 +%patch30 -p1 +%patch31 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac ++++++ python-doc.spec ++++++ --- /var/tmp/diff_new_pack.utcRVe/_old 2014-02-19 09:10:36.000000000 +0100 +++ /var/tmp/diff_new_pack.utcRVe/_new 2014-02-19 09:10:36.000000000 +0100 @@ -15,7 +15,6 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # - Name: python-doc Version: 2.7.6 Release: 0 @@ -58,6 +57,16 @@ Patch24: python-bsddb6.diff # PATCH-FIX-OPENSUSE Properly support ppc64le in _ctypes module Patch25: libffi-ppc64le.diff +# CVE-2013-1753 [bnc#856835] unbounded gzip decompression in xmlrpc client +Patch26: xmlrpc_gzip_27.patch +# CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib +Patch27: python-2.7.6-imaplib.patch +Patch28: smtplib_maxline-2.7.patch +Patch29: python-2.7.6-poplib.patch +# [bnc#857470] add missing import to bdist_rpm command +Patch30: python-2.7.6-bdist-rpm.patch +# CVE-2014-1912 [bnc#863741] buffer overflow in recvfrom_into +Patch31: CVE-2014-1912-recvfrom_into.patch # COMMON-PATCH-END Provides: pyth_doc Provides: pyth_ps 
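Review bot: The new Patch26–Patch31 comment lines in the python-base.spec `@@ -52,6 +52,16 @@` hunk omit the `PATCH-FIX-*` origin tag that the neighbouring Patch25 line carries, so a reader of the spec can no longer tell an upstream backport from an openSUSE-local change without opening the patch. Since the changelog describes these as upstream fixes, the comment would read e.g. `# PATCH-FIX-UPSTREAM CVE-2013-1753 [bnc#856835] unbounded gzip decompression in xmlrpc client`, and likewise for the other five. The same applies to the identical hunks in python-doc.spec and python.spec.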
@@ -106,6 +115,12 @@ %patch23 -p1 %patch24 -p1 %patch25 -p0 +%patch26 -p1 +%patch27 -p1 +%patch28 -p1 +%patch29 -p1 +%patch30 -p1 +%patch31 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac ++++++ python.spec ++++++ --- /var/tmp/diff_new_pack.utcRVe/_old 2014-02-19 09:10:36.000000000 +0100 +++ /var/tmp/diff_new_pack.utcRVe/_new 2014-02-19 09:10:36.000000000 +0100 @@ -15,7 +15,6 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # - Name: python Version: 2.7.6 Release: 0 @@ -59,6 +58,16 @@ Patch24: python-bsddb6.diff # PATCH-FIX-OPENSUSE Properly support ppc64le in _ctypes module Patch25: libffi-ppc64le.diff +# CVE-2013-1753 [bnc#856835] unbounded gzip decompression in xmlrpc client +Patch26: xmlrpc_gzip_27.patch +# CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib +Patch27: python-2.7.6-imaplib.patch +Patch28: smtplib_maxline-2.7.patch +Patch29: python-2.7.6-poplib.patch +# [bnc#857470] add missing import to bdist_rpm command +Patch30: python-2.7.6-bdist-rpm.patch +# CVE-2014-1912 [bnc#863741] buffer overflow in recvfrom_into +Patch31: CVE-2014-1912-recvfrom_into.patch # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel 
@@ -183,6 +192,12 @@ %patch23 -p1 %patch24 -p1 %patch25 -p0 +%patch26 -p1 +%patch27 -p1 +%patch28 -p1 +%patch29 -p1 +%patch30 -p1 +%patch31 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac ++++++ CVE-2014-1912-recvfrom_into.patch ++++++ # HG changeset patch # User Benjamin Peterson <[email protected]> # Date 1389671978 18000 # Node ID 87673659d8f7ba1623cd4914f09ad3d2ade034e9 # Parent 2631d33ee7fbd5f0288931ef37872218d511d2e8 complain when nbytes > buflen to fix possible buffer overflow (closes #20246) Index: Python-2.7.6/Lib/test/test_socket.py =================================================================== --- Python-2.7.6.orig/Lib/test/test_socket.py 2013-11-10 08:36:40.000000000 +0100 +++ Python-2.7.6/Lib/test/test_socket.py 2014-02-13 18:04:12.710244327 +0100 @@ -1616,6 +1616,16 @@ _testRecvFromIntoMemoryview = _testRecvFromIntoArray + def testRecvFromIntoSmallBuffer(self): + # See issue #20246. + buf = bytearray(8) + self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024) + + def _testRecvFromIntoSmallBuffer(self): + with test_support.check_py3k_warnings(): + buf = buffer(MSG) + self.serv_conn.send(buf) + TIPC_STYPE = 2000 TIPC_LOWER = 200 Index: Python-2.7.6/Misc/ACKS =================================================================== --- Python-2.7.6.orig/Misc/ACKS 2013-11-10 08:36:41.000000000 +0100 +++ Python-2.7.6/Misc/ACKS 2014-02-13 18:04:12.710244327 +0100 @@ -973,6 +973,7 @@ Christopher Smith Gregory P. Smith Roy Smith +Ryan Smith-Roberts Rafal Smotrzyk Dirk Soede Paul Sokolovsky Index: Python-2.7.6/Modules/socketmodule.c =================================================================== --- Python-2.7.6.orig/Modules/socketmodule.c 2013-11-10 08:36:41.000000000 +0100 +++ Python-2.7.6/Modules/socketmodule.c 2014-02-13 18:04:12.711244332 +0100 
@@ -2742,6 +2742,10 @@ if (recvlen == 0) { /* If nbytes was not specified, use the buffer's length */ recvlen = buflen; + } else if (recvlen > buflen) { + PyErr_SetString(PyExc_ValueError, + "nbytes is greater than the length of the buffer"); + goto error; } readlen = sock_recvfrom_guts(s, buf.buf, recvlen, flags, &addr); ++++++ python-2.7.5-multilib.patch ++++++ --- /var/tmp/diff_new_pack.utcRVe/_old 2014-02-19 09:10:36.000000000 +0100 +++ /var/tmp/diff_new_pack.utcRVe/_new 2014-02-19 09:10:36.000000000 +0100 @@ -1,7 +1,7 @@ Index: Python-2.7.6/configure.ac =================================================================== ---- Python-2.7.6.orig/configure.ac 2013-11-19 17:34:49.063388540 +0100 -+++ Python-2.7.6/configure.ac 2013-11-19 17:35:02.848465919 +0100 +--- Python-2.7.6.orig/configure.ac 2013-11-10 08:36:41.000000000 +0100 ++++ Python-2.7.6/configure.ac 2014-02-11 20:08:16.265571499 +0100 @@ -733,6 +733,41 @@ ;; esac @@ -46,8 +46,8 @@ AC_MSG_CHECKING(LIBRARY) Index: Python-2.7.6/Include/pythonrun.h =================================================================== ---- Python-2.7.6.orig/Include/pythonrun.h 2013-11-19 17:34:49.063388540 +0100 -+++ Python-2.7.6/Include/pythonrun.h 2013-11-19 17:35:02.848465919 +0100 +--- Python-2.7.6.orig/Include/pythonrun.h 2013-11-10 08:36:39.000000000 +0100 ++++ Python-2.7.6/Include/pythonrun.h 2014-02-11 20:08:16.265571499 +0100 @@ -108,6 +108,8 @@ /* In their own files */ PyAPI_FUNC(const char *) Py_GetVersion(void); 
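Review bot: The added `else if (recvlen > buflen)` branch rejects only an explicit nbytes larger than the buffer, so the safety of the call to `sock_recvfrom_guts` still rests on checks that lie outside this hunk: a negative nbytes is presumably rejected earlier in the function and `buflen` is presumably taken from the buffer view without narrowing — both worth confirming, because either would still hand a size larger than the buffer to the read. The `goto error` path is also outside the hunk and must release the buffer view obtained for the `buffer` argument, otherwise every rejected call leaks a reference. The sibling `recv_into` entry point should be checked for an equivalent guard so the two behave consistently. The enclosing function begins and ends outside this hunk.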
@@ -59,8 +59,8 @@ PyAPI_FUNC(const char *) Py_GetBuildInfo(void); Index: Python-2.7.6/Lib/distutils/command/install.py =================================================================== ---- Python-2.7.6.orig/Lib/distutils/command/install.py 2013-11-19 17:34:49.064388546 +0100 -+++ Python-2.7.6/Lib/distutils/command/install.py 2013-11-19 17:35:02.849465924 +0100 +--- Python-2.7.6.orig/Lib/distutils/command/install.py 2014-02-11 20:08:15.760568524 +0100 ++++ Python-2.7.6/Lib/distutils/command/install.py 2014-02-11 20:08:16.265571499 +0100 @@ -22,6 +22,8 @@ from site import USER_SITE @@ -81,8 +81,8 @@ 'data' : '$base', Index: Python-2.7.6/Lib/distutils/sysconfig.py =================================================================== ---- Python-2.7.6.orig/Lib/distutils/sysconfig.py 2013-11-19 17:34:49.064388546 +0100 -+++ Python-2.7.6/Lib/distutils/sysconfig.py 2013-11-19 17:35:02.849465924 +0100 +--- Python-2.7.6.orig/Lib/distutils/sysconfig.py 2013-11-10 08:36:40.000000000 +0100 ++++ Python-2.7.6/Lib/distutils/sysconfig.py 2014-02-11 20:08:16.265571499 +0100 @@ -119,8 +119,11 @@ prefix = plat_specific and EXEC_PREFIX or PREFIX @@ -99,8 +99,8 @@ else: Index: Python-2.7.6/Lib/pydoc.py =================================================================== ---- Python-2.7.6.orig/Lib/pydoc.py 2013-11-19 17:34:49.064388546 +0100 -+++ Python-2.7.6/Lib/pydoc.py 2013-11-19 17:35:02.849465924 +0100 +--- Python-2.7.6.orig/Lib/pydoc.py 2013-11-10 08:36:40.000000000 +0100 ++++ Python-2.7.6/Lib/pydoc.py 2014-02-11 20:08:16.266571506 +0100 @@ -352,7 +352,7 @@ docloc = os.environ.get("PYTHONDOCS", 
@@ -112,9 +112,70 @@ (object.__name__ in ('errno', 'exceptions', 'gc', 'imp', Index: Python-2.7.6/Lib/site.py =================================================================== ---- Python-2.7.6.orig/Lib/site.py 2013-11-19 17:34:49.065388551 +0100 -+++ Python-2.7.6/Lib/site.py 2013-11-19 17:35:02.849465924 +0100 -@@ -288,13 +288,18 @@ +--- Python-2.7.6.orig/Lib/site.py 2013-11-10 08:36:40.000000000 +0100 ++++ Python-2.7.6/Lib/site.py 2014-02-11 20:12:51.208189992 +0100 +@@ -231,29 +231,38 @@ + USER_BASE = get_config_var('userbase') + return USER_BASE + +-def getusersitepackages(): ++def getusersitepackages(lib_kind = 'purelib'): + """Returns the user-specific site-packages directory path. + + If the global variable ``USER_SITE`` is not initialized yet, this + function will also set it. + """ ++ ++ set_user_site = (lib_kind == 'purelib') ++ + global USER_SITE + user_base = getuserbase() # this will also set USER_BASE + +- if USER_SITE is not None: ++ if USER_SITE is not None and set_user_site: + return USER_SITE + + from sysconfig import get_path + import os + ++ user_site = None ++ + if sys.platform == 'darwin': + from sysconfig import get_config_var + if get_config_var('PYTHONFRAMEWORK'): +- USER_SITE = get_path('purelib', 'osx_framework_user') +- return USER_SITE ++ user_site = get_path(lib_kind, 'osx_framework_user') + +- USER_SITE = get_path('purelib', '%s_user' % os.name) +- return USER_SITE ++ if user_site is None: ++ user_site = get_path(lib_kind, '%s_user' % os.name) ++ ++ if set_user_site: ++ USER_SITE = user_site ++ ++ return user_site + + def addusersitepackages(known_paths): + """Add a per user site-package to sys.path +@@ -263,10 +272,12 @@ + """ + # get the per user site-package path + # this call will also make sure USER_BASE and USER_SITE are set +- user_site = getusersitepackages() ++ for kind in ('purelib', 'platlib'): ++ user_site = getusersitepackages(kind) ++ ++ if ENABLE_USER_SITE and os.path.isdir(user_site): ++ addsitedir(user_site, 
known_paths) + +- if ENABLE_USER_SITE and os.path.isdir(user_site): +- addsitedir(user_site, known_paths) + return known_paths + + def getsitepackages(): +@@ -288,13 +299,18 @@ if sys.platform in ('os2emx', 'riscos'): sitepackages.append(os.path.join(prefix, "Lib", "site-packages")) elif os.sep == '/': @@ -138,8 +199,8 @@ # locations. Index: Python-2.7.6/Lib/sysconfig.py =================================================================== ---- Python-2.7.6.orig/Lib/sysconfig.py 2013-11-19 17:34:49.065388551 +0100 -+++ Python-2.7.6/Lib/sysconfig.py 2013-11-19 17:35:02.849465924 +0100 +--- Python-2.7.6.orig/Lib/sysconfig.py 2013-11-10 08:36:40.000000000 +0100 ++++ Python-2.7.6/Lib/sysconfig.py 2014-02-11 20:08:16.266571506 +0100 @@ -7,10 +7,10 @@ _INSTALL_SCHEMES = { @@ -170,8 +231,8 @@ 'data' : '{userbase}', Index: Python-2.7.6/Lib/test/test_dl.py =================================================================== ---- Python-2.7.6.orig/Lib/test/test_dl.py 2013-11-19 17:34:49.065388551 +0100 -+++ Python-2.7.6/Lib/test/test_dl.py 2013-11-19 17:35:02.849465924 +0100 +--- Python-2.7.6.orig/Lib/test/test_dl.py 2013-11-10 08:36:40.000000000 +0100 ++++ Python-2.7.6/Lib/test/test_dl.py 2014-02-11 20:08:16.266571506 +0100 @@ -5,10 +5,11 @@ import unittest from test.test_support import verbose, import_module @@ -188,8 +249,8 @@ ] Index: Python-2.7.6/Lib/test/test_site.py =================================================================== ---- Python-2.7.6.orig/Lib/test/test_site.py 2013-11-19 17:34:49.065388551 +0100 -+++ Python-2.7.6/Lib/test/test_site.py 2013-11-19 17:35:02.850465930 +0100 +--- Python-2.7.6.orig/Lib/test/test_site.py 2013-11-10 08:36:40.000000000 +0100 ++++ Python-2.7.6/Lib/test/test_site.py 2014-02-11 20:08:16.266571506 +0100 @@ -241,12 +241,16 @@ self.assertEqual(dirs[2], wanted) elif os.sep == '/': 
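Review bot: In the rewritten `getusersitepackages` of the `@@ -112,9 +112,70 @@` hunk the docstring still describes a parameterless function, although the new side adds `lib_kind`, which selects `purelib` or `platlib` and also decides whether `USER_SITE` is consulted and cached; I would add `lib_kind: 'purelib' (default, also sets USER_SITE) or 'platlib'; only the 'purelib' result is cached.` to it. The default is spelled `lib_kind = 'purelib'`, which PEP 8 writes as `lib_kind='purelib'`. In `addusersitepackages` the new loop calls `addsitedir` once per kind; on a layout where both kinds resolve to the same directory the second call is presumably a no-op because of `known_paths`, but that is an assumption to confirm rather than rely on. This is a patch-to-a-patch hunk, so the inner diff markers are part of the changed text.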
@@ -212,8 +273,8 @@ self.assertEqual(len(dirs), 2) Index: Python-2.7.6/Lib/trace.py =================================================================== ---- Python-2.7.6.orig/Lib/trace.py 2013-11-19 17:34:49.065388551 +0100 -+++ Python-2.7.6/Lib/trace.py 2013-11-19 17:35:02.850465930 +0100 +--- Python-2.7.6.orig/Lib/trace.py 2013-11-10 08:36:40.000000000 +0100 ++++ Python-2.7.6/Lib/trace.py 2014-02-11 20:08:16.266571506 +0100 @@ -754,10 +754,10 @@ # should I also call expanduser? (after all, could use $HOME) @@ -229,8 +290,8 @@ ignore_dirs.append(s) Index: Python-2.7.6/Makefile.pre.in =================================================================== ---- Python-2.7.6.orig/Makefile.pre.in 2013-11-19 17:34:49.066388557 +0100 -+++ Python-2.7.6/Makefile.pre.in 2013-11-19 17:35:02.850465930 +0100 +--- Python-2.7.6.orig/Makefile.pre.in 2014-02-11 20:08:15.175565077 +0100 ++++ Python-2.7.6/Makefile.pre.in 2014-02-11 20:08:16.267571511 +0100 @@ -87,6 +87,8 @@ # Machine-dependent subdirectories @@ -259,8 +320,8 @@ $(CC) -c $(PY_CFLAGS) -I$(DLINCLDIR) -o $@ $(srcdir)/Python/importdl.c Index: Python-2.7.6/Modules/getpath.c =================================================================== ---- Python-2.7.6.orig/Modules/getpath.c 2013-11-19 17:34:49.066388557 +0100 -+++ Python-2.7.6/Modules/getpath.c 2013-11-19 17:35:02.850465930 +0100 +--- Python-2.7.6.orig/Modules/getpath.c 2013-11-10 08:36:41.000000000 +0100 ++++ Python-2.7.6/Modules/getpath.c 2014-02-11 20:08:16.267571511 +0100 @@ -116,9 +116,11 @@ #define EXEC_PREFIX PREFIX #endif 
@@ -286,8 +347,8 @@ reduce(char *dir) Index: Python-2.7.6/Python/getplatform.c =================================================================== ---- Python-2.7.6.orig/Python/getplatform.c 2013-11-19 17:34:49.066388557 +0100 -+++ Python-2.7.6/Python/getplatform.c 2013-11-19 17:35:02.850465930 +0100 +--- Python-2.7.6.orig/Python/getplatform.c 2013-11-10 08:36:41.000000000 +0100 ++++ Python-2.7.6/Python/getplatform.c 2014-02-11 20:08:16.267571511 +0100 @@ -10,3 +10,23 @@ { return PLATFORM; @@ -314,8 +375,8 @@ +} Index: Python-2.7.6/Python/sysmodule.c =================================================================== ---- Python-2.7.6.orig/Python/sysmodule.c 2013-11-19 17:34:49.066388557 +0100 -+++ Python-2.7.6/Python/sysmodule.c 2013-11-19 17:35:02.850465930 +0100 +--- Python-2.7.6.orig/Python/sysmodule.c 2013-11-10 08:36:41.000000000 +0100 ++++ Python-2.7.6/Python/sysmodule.c 2014-02-11 20:08:16.267571511 +0100 @@ -1419,6 +1419,10 @@ PyString_FromString(Py_GetCopyright())); SET_SYS_FROM_STRING("platform", @@ -329,8 +390,8 @@ SET_SYS_FROM_STRING("prefix", Index: Python-2.7.6/setup.py =================================================================== ---- Python-2.7.6.orig/setup.py 2013-11-19 17:34:49.067388562 +0100 -+++ Python-2.7.6/setup.py 2013-11-19 17:35:35.826650956 +0100 +--- Python-2.7.6.orig/setup.py 2013-11-10 08:36:41.000000000 +0100 ++++ Python-2.7.6/setup.py 2014-02-11 20:08:16.268571517 +0100 @@ -438,7 +438,7 @@ def detect_modules(self): # Ensure that /usr/local is always used ++++++ python-2.7.6-bdist-rpm.patch ++++++ Index: Python-2.7.6/Lib/distutils/command/bdist_rpm.py =================================================================== --- Python-2.7.6.orig/Lib/distutils/command/bdist_rpm.py 2013-11-10 08:36:40.000000000 +0100 +++ Python-2.7.6/Lib/distutils/command/bdist_rpm.py 2014-02-11 19:19:26.739708837 +0100 
@@ -14,6 +14,7 @@ from distutils.file_util import write_file from distutils.errors import (DistutilsOptionError, DistutilsPlatformError, DistutilsFileError, DistutilsExecError) +from distutils.sysconfig import get_python_version from distutils import log class bdist_rpm (Command): ++++++ python-2.7.6-imaplib.patch ++++++ # HG changeset patch # User R David Murray <[email protected]> # Date 1388775562 18000 # Node ID dd906f4ab9237020a7a275c2d361fa288e553481 # Parent 69b5f692455306c98aa27ecea17e6290787ebd3f closes 16039: CVE-2013-1752: limit line length in imaplib readline calls. diff --git a/Lib/imaplib.py b/Lib/imaplib.py --- a/Lib/imaplib.py +++ b/Lib/imaplib.py @@ -35,6 +35,15 @@ IMAP4_PORT = 143 IMAP4_SSL_PORT = 993 AllowedVersions = ('IMAP4REV1', 'IMAP4') # Most recent first +# Maximal line length when calling readline(). This is to prevent +# reading arbitrary length lines. RFC 3501 and 2060 (IMAP 4rev1) +# don't specify a line length. RFC 2683 however suggests limiting client +# command lines to 1000 octets and server command lines to 8000 octets. +# We have selected 10000 for some extra margin and since that is supposedly +# also what UW and Panda IMAP does. +_MAXLINE = 10000 + + # Commands Commands = { @@ -237,7 +246,10 @@ class IMAP4: def readline(self): """Read line from remote.""" - return self.file.readline() + line = self.file.readline(_MAXLINE + 1) + if len(line) > _MAXLINE: + raise self.error("got more than %d bytes" % _MAXLINE) + return line def send(self, data): diff --git a/Lib/test/test_imaplib.py b/Lib/test/test_imaplib.py --- a/Lib/test/test_imaplib.py +++ b/Lib/test/test_imaplib.py 
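Review bot: The length cap in the `@@ -237,7 +246,10 @@` hunk lives only in `IMAP4.readline`; any subclass that overrides `readline` with its own `self.file.readline()` — the SSL and stream variants in 2.7 are the candidates, outside this patch, so to be confirmed — would still read an unbounded line and bypass the protection. If such an override exists it needs the same `readline(_MAXLINE + 1)` plus length check, or should delegate to the base method. A one-line comment above the check, e.g. `# ask for one byte past the limit so an over-long line is detected, not silently truncated`, would explain the `+ 1`. The enclosing class continues outside the hunk.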
@@ -165,6 +165,16 @@ class BaseThreadedNetworkedTests(unittes self.imap_class, *server.server_address) + def test_linetoolong(self): + class TooLongHandler(SimpleIMAPHandler): + def handle(self): + # Send a very long response line + self.wfile.write('* OK ' + imaplib._MAXLINE*'x' + '\r\n') + + with self.reaped_server(TooLongHandler) as server: + self.assertRaises(imaplib.IMAP4.error, + self.imap_class, *server.server_address) + class ThreadedNetworkedTests(BaseThreadedNetworkedTests): server_class = SocketServer.TCPServer ++++++ python-2.7.6-poplib.patch ++++++ # HG changeset patch # User Georg Brandl <[email protected]> # Date 1382855033 -3600 # Node ID 68029048c9c6833b71c3121e5178f7f57f21b565 # Parent 10d0edadbcddfd983c2c6c22d06c5a535197f8bf Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to prevent readline() calls from consuming too much memory. Patch by Jyrki Pulliainen. Index: Python-2.7.6/Lib/poplib.py =================================================================== --- Python-2.7.6.orig/Lib/poplib.py 2013-11-10 08:36:40.000000000 +0100 +++ Python-2.7.6/Lib/poplib.py 2014-02-07 18:45:45.454259311 +0100 @@ -32,6 +32,12 @@ LF = '\n' CRLF = CR+LF +# maximal line length when calling readline(). This is to prevent +# reading arbitrary lenght lines. RFC 1939 limits POP3 line length to +# 512 characters, including CRLF. We have selected 2048 just to be on +# the safe side. +_MAXLINE = 2048 + class POP3: 
@@ -103,7 +109,10 @@ # Raise error_proto('-ERR EOF') if the connection is closed. def _getline(self): - line = self.file.readline() + line = self.file.readline(_MAXLINE + 1) + if len(line) > _MAXLINE: + raise error_proto('line too long') + if self._debugging > 1: print '*get*', repr(line) if not line: raise error_proto('-ERR EOF') octets = len(line) Index: Python-2.7.6/Lib/test/test_poplib.py =================================================================== --- Python-2.7.6.orig/Lib/test/test_poplib.py 2013-11-10 08:36:40.000000000 +0100 +++ Python-2.7.6/Lib/test/test_poplib.py 2014-02-07 18:44:24.419856656 +0100 @@ -81,7 +81,7 @@ def cmd_list(self, arg): if arg: - self.push('+OK %s %s' %(arg, arg)) + self.push('+OK %s %s' % (arg, arg)) else: self.push('+OK') asynchat.async_chat.push(self, LIST_RESP) @@ -198,6 +198,10 @@ 113) self.assertEqual(self.client.retr('foo'), expected) + def test_too_long_lines(self): + self.assertRaises(poplib.error_proto, self.client._shortcmd, + 'echo +%s' % ((poplib._MAXLINE + 10) * 'a')) + def test_dele(self): self.assertOK(self.client.dele('foo')) ++++++ smtplib_maxline-2.7.patch ++++++ diff -r 44ac81e6d584 Lib/smtplib.py --- a/Lib/smtplib.py Sun Oct 20 16:57:07 2013 +0300 +++ b/Lib/smtplib.py Sun Oct 20 17:44:15 2013 +0300 @@ -57,6 +57,7 @@ SMTP_PORT = 25 SMTP_SSL_PORT = 465 CRLF = "\r\n" +_MAXLINE = 8192 # more than 8 times larger than RFC 821, 4.5.3 OLDSTYLE_AUTH = re.compile(r"auth=(.*)", re.I) @@ -179,10 +180,14 @@ def __init__(self, sslobj): self.sslobj = sslobj - def readline(self): + def readline(self, size=-1): + if size < 0: + size = None str = "" chr = None while chr != "\n": + if size is not None and len(str) >= size: + break chr = self.sslobj.read(1) if not chr: break @@ -353,7 +358,7 @@ self.file = self.sock.makefile('rb') while 1: try: - line = self.file.readline() + line = self.file.readline(_MAXLINE + 1) except socket.error as e: self.close() raise SMTPServerDisconnected("Connection unexpectedly closed: " 
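Review bot: The new check in `POP3._getline` (`@@ -103,7 +109,10 @@`) bounds lines read through `self.file`, but as far as I recall the 2.7 `POP3_SSL` class keeps its own receive buffer with separate `_fillBuffer`/`_getline` methods; they are outside this patch, so please confirm, because if so a POP3-over-TLS server can still grow that buffer without bound and the CVE-2013-1752 fix is incomplete for the SSL path. The equivalent guard there is a `if len(self.buffer) > _MAXLINE: raise error_proto('line too long')` after each `_fillBuffer()` call. The `test_too_long_lines` test added to test_poplib.py exercises only the plain-text class. The enclosing class begins outside the hunk.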
@@ -363,6 +368,8 @@ raise SMTPServerDisconnected("Connection unexpectedly closed") if self.debuglevel > 0: print>>stderr, 'reply:', repr(line) + if len(line) > _MAXLINE: + raise SMTPResponseException(500, "Line too long.") resp.append(line[4:].strip()) code = line[:3] # Check that the error code is syntactically correct. diff -r 44ac81e6d584 Lib/test/test_smtplib.py --- a/Lib/test/test_smtplib.py Sun Oct 20 16:57:07 2013 +0300 +++ b/Lib/test/test_smtplib.py Sun Oct 20 17:44:15 2013 +0300 @@ -292,6 +292,33 @@ HOST, self.port, 'localhost', 3) [email protected](threading, 'Threading required for this test.') +class TooLongLineTests(unittest.TestCase): + respdata = '250 OK' + ('.' * smtplib._MAXLINE * 2) + '\n' + + def setUp(self): + self.old_stdout = sys.stdout + self.output = StringIO.StringIO() + sys.stdout = self.output + + self.evt = threading.Event() + self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + self.sock.settimeout(15) + self.port = test_support.bind_port(self.sock) + servargs = (self.evt, self.respdata, self.sock) + threading.Thread(target=server, args=servargs).start() + self.evt.wait() + self.evt.clear() + + def tearDown(self): + self.evt.wait() + sys.stdout = self.old_stdout + + def testLineTooLong(self): + self.assertRaises(smtplib.SMTPResponseException, smtplib.SMTP, + HOST, self.port, 'localhost', 3) + + sim_users = {'[email protected]':'John A', '[email protected]':'Sally B', '[email protected]':'Ruth C', @@ -511,7 +538,8 @@ def test_main(verbose=None): test_support.run_unittest(GeneralTests, DebuggingServerTests, NonConnectingTests, - BadHELOServerTests, SMTPSimTests) + BadHELOServerTests, SMTPSimTests, + TooLongLineTests) if __name__ == '__main__': test_main() ++++++ xmlrpc_gzip_27.patch ++++++ diff --git a/Doc/library/xmlrpclib.rst b/Doc/library/xmlrpclib.rst --- a/Doc/library/xmlrpclib.rst +++ b/Doc/library/xmlrpclib.rst 
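Review bot: The new `len(line) > _MAXLINE` branch in `getreply` (`@@ -363,6 +368,8 @@`) raises `SMTPResponseException` while leaving the connection open, whereas the `socket.error` handler a few lines earlier in the same function (previous hunk) calls `self.close()` before raising. Only the first `_MAXLINE + 1` bytes of the over-long reply have been consumed, so the remainder stays in the buffered reader and a later command on the same `SMTP` object would parse the tail of a server-controlled line as a fresh reply; I would write the branch as `if len(line) > _MAXLINE:` / `    self.close()` / `    raise SMTPResponseException(500, "Line too long.")`. The `SSLFakeFile.readline(size)` change in the earlier hunk is what makes the cap effective for the TLS path, which is good. `getreply` begins and ends outside the hunk.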
@@ -120,6 +120,15 @@ *__dict__* attribute and don't have a base class that is marshalled in a special way. +.. data:: MAX_GZIP_DECODE + + The module constant specifies the amount of bytes that are decompressed by + :func:`gzip_decode`. The default value is *20 MB*. A value of *-1* disables + the protection. + + .. versionadded:: 2.7.4 + The constant was added to strengthen the module against gzip bomb + attacks. .. seealso:: diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py --- a/Lib/test/test_xmlrpc.py +++ b/Lib/test/test_xmlrpc.py @@ -19,6 +19,11 @@ threading = None try: + import gzip +except ImportError: + gzip = None + +try: unicode except NameError: have_unicode = False @@ -731,7 +736,7 @@ with cm: p.pow(6, 8) - def test_gsip_response(self): + def test_gzip_response(self): t = self.Transport() p = xmlrpclib.ServerProxy(URL, transport=t) old = self.requestHandler.encode_threshold @@ -744,6 +749,27 @@ self.requestHandler.encode_threshold = old self.assertTrue(a>b) + def test_gzip_decode_limit(self): + data = '\0' * xmlrpclib.MAX_GZIP_DECODE + encoded = xmlrpclib.gzip_encode(data) + decoded = xmlrpclib.gzip_decode(encoded) + self.assertEqual(len(decoded), xmlrpclib.MAX_GZIP_DECODE) + + data = '\0' * (xmlrpclib.MAX_GZIP_DECODE + 1) + encoded = xmlrpclib.gzip_encode(data) + + with self.assertRaisesRegexp(ValueError, + "max gzipped payload length exceeded"): + xmlrpclib.gzip_decode(encoded) + + oldmax = xmlrpclib.MAX_GZIP_DECODE + try: + xmlrpclib.MAX_GZIP_DECODE = -1 + xmlrpclib.gzip_decode(encoded) + finally: + xmlrpclib.MAX_GZIP_DECODE = oldmax + + #Test special attributes of the ServerProxy object class ServerProxyTestCase(unittest.TestCase): def setUp(self): 
@@ -1011,11 +1037,8 @@ xmlrpc_tests.append(SimpleServerTestCase) xmlrpc_tests.append(KeepaliveServerTestCase1) xmlrpc_tests.append(KeepaliveServerTestCase2) - try: - import gzip + if gzip is not None: xmlrpc_tests.append(GzipServerTestCase) - except ImportError: - pass #gzip not supported in this build xmlrpc_tests.append(MultiPathServerTestCase) xmlrpc_tests.append(ServerProxyTestCase) xmlrpc_tests.append(FailingServerTestCase) diff --git a/Lib/xmlrpclib.py b/Lib/xmlrpclib.py --- a/Lib/xmlrpclib.py +++ b/Lib/xmlrpclib.py @@ -49,6 +49,7 @@ # 2003-07-12 gp Correct marshalling of Faults # 2003-10-31 mvl Add multicall support # 2004-08-20 mvl Bump minimum supported Python version to 2.1 +# 2013-01-20 ch Add workaround for gzip bomb vulnerability # # Copyright (c) 1999-2002 by Secret Labs AB. # Copyright (c) 1999-2002 by Fredrik Lundh. @@ -147,6 +148,10 @@ except ImportError: gzip = None #python can be built without zlib/gzip support +# Limit the maximum amount of decoded data that is decompressed. The +# limit prevents gzip bomb attacks. +MAX_GZIP_DECODE = 20 * 1024 * 1024 # 20 MB + # -------------------------------------------------------------------- # Internal stuff @@ -1178,11 +1183,16 @@ f = StringIO.StringIO(data) gzf = gzip.GzipFile(mode="rb", fileobj=f) try: - decoded = gzf.read() + if MAX_GZIP_DECODE < 0: # no limit + decoded = gzf.read() + else: + decoded = gzf.read(MAX_GZIP_DECODE + 1) except IOError: raise ValueError("invalid data") f.close() gzf.close() + if MAX_GZIP_DECODE >= 0 and len(decoded) > MAX_GZIP_DECODE: + raise ValueError("max gzipped payload length exceeded") return decoded ## -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
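Review bot: The cap in `gzip_decode` (`@@ -1178,11 +1183,16 @@`) protects callers of that function, which as far as I recall is chiefly server-side request decoding; the client response path in `Transport.parse_response` streams the body through a `GzipFile`-based wrapper (outside this patch) and does not call `gzip_decode`, so it is not bounded by `MAX_GZIP_DECODE` — please confirm, since the changelog describes the issue as one in the xmlrpc client. The docstring of `gzip_decode` should state the new contract, e.g. `Raises ValueError if the decompressed size exceeds MAX_GZIP_DECODE; a negative value disables the limit.` A comment on the read such as `# read one byte past the limit so "exactly at the limit" and "over it" can be told apart` would explain the `+ 1`. The enclosing definition begins outside the hunk.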
