Re: [Python-Dev] Security Advisory for unicode repr() bug?
On Oct 7, 2006, at 3:36 PM, M.-A. Lemburg wrote:

> Georg Brandl wrote:
>> [EMAIL PROTECTED] wrote:
>>> I don't know if Apple has picked up on it (or if the version they
>>> currently distribute is affected - 2.3.5 built Oct 5 2005).
>
> Note that the bug refers to a UCS4 Python build. Most Linux
> distros ship UCS4 builds nowadays, so they care. The Windows
> builds are UCS2 (except maybe the ones for Win64 - don't know)
> which doesn't seem to be affected.

AFAIK the version Apple ship is a UCS2 build, therefore not affected.

Kind regards,

Alastair.

--
http://alastairs-place.net
___
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

[Python-Dev] Can't check in on release25-maint branch
(I sent a note to pydotorg yesterday but got no response. Trying here.)

I checked in a change to Doc/lib/libcsv.tex on the trunk yesterday, then
tried backporting it to the release25-maint branch but failed due to
permission problems. Thinking it might be lock contention, I waited a few
minutes and tried a couple more times. Same result. I just tried again:

    subversion/libsvn_client/commit.c:832: (apr_err=13)
    svn: Commit failed (details follow):
    subversion/libsvn_ra_dav/util.c:368: (apr_err=13)
    svn: Can't create directory '/data/repos/projects/db/transactions/52226-1.txn': Permission denied
    subversion/clients/cmdline/util.c:380: (apr_err=13)
    svn: Your commit message was left in a temporary file:
    subversion/clients/cmdline/util.c:380: (apr_err=13)
    svn:    '/Users/skip/src/python-svn/release25-maint/Doc/lib/svn-commit.4.tmp'

Here's my svn status output:

    Path: .
    URL: http://svn.python.org/projects/python/branches/release25-maint
    Repository UUID: 6015fed2-1504-0410-9fe1-9d1591cc4771
    Revision: 52226
    Node Kind: directory
    Schedule: normal
    Last Changed Author: hyeshik.chang
    Last Changed Rev: 52225
    Last Changed Date: 2006-10-08 09:01:45 -0500 (Sun, 08 Oct 2006)
    Properties Last Updated: 2006-08-17 11:05:19 -0500 (Thu, 17 Aug 2006)

I believe I've got the right thing checked out. Can someone look into this?

Thanks,

Skip

Re: [Python-Dev] what's really new in python 2.5 ?
On 2006-10-03 20:10:14 +0200, A.M. Kuchling wrote:
> I've added a robots.txt to keep crawlers out of /dev/.

Isn't there a lot of useful, search-engine worthy stuff in /dev?
I search for peps with google, and I suppose the 'explanation' section,
as well as the developer faq and subversion instructions, are good pages
that deserve to be in the google index. Should /dev really be
Disallow:'ed entirely in robots.txt?

kind regards,
Gerrit Holl.

[Python-Dev] PSF Infrastructure Committee's recommendation for anew issue tracker
I am willing to volunteer. I emailed previously, but it bounced back.
Hope this time it reaches you.

Chuzo

[Python-Dev] PSF Infrastructure Committee's recommendation for anew issue tracker
I received the bounced email as follow. How do I become a member?

Thank you

Chuzo

    Your mail to 'Python-Dev' with the subject

        [Python-Dev] PSF Infrastructure Committee's recommendation for anew issue tracker

    Is being held until the list moderator can review it for approval.

    The reason it is being held:

        Post by non-member to a members-only list

Re: [Python-Dev] Security Advisory for unicode repr() bug?
(i'm not on python-dev, so i dunno whether this will make it through...)

basically, this bug does not affect the vast majority (mac and windows
users with UTF-16 "narrow" unicode Python builds) because the unpatched
code allocates sufficient memory in this case. only the minority treating
this as a serious vulnerability (linux users with UTF-32 "wide" unicode
Python builds, possibly some other Unix-like operating systems too) are
affected by the buffer overrun. as for secunia, they need to do their own
homework ;)

i found this bug and wrote the patch that's been applied by the linux
distros, so i thought i should clear up a couple of apparent
misconceptions. please pardon me if i'm writing stuff you already know...

the bug concerns allocation in repr() for unicode objects. previously
repr() always allocated 6 bytes in the output buffer per input unicode
string element; this is enough for the six-byte "\u" notation and on
UTF-16 python builds enough for the ten-byte "\U0010" notation, since on
UTF-16 python builds the input unicode string contains a surrogate pair
(two consecutive elements) to represent unicode characters requiring this
longer notation, meaning five bytes per element. however on UTF-32 builds
ten bytes per unicode string element are needed, and this is what the
patch accomplishes.

the previous (incorrect) algorithm extended the buffer by 100 bytes in
some cases when encountering such a character, however this fixed-size
heuristic extension fails when the string contains many subsequent
characters in the six-byte "\u" form, as demonstrated by this test which
will fail in an unpatched non-debug wide python build:

    python2.4 -c 'assert(repr(u"\U0001" * 39 + u"\u" * 4096)) == (repr(u"\U0001" * 39 + u"\u" * 4096))'

yes, a sufficiently motivated person could probably discover enough about
the memory layout of a process to use this for data or code injection, but
the more usual (and sometimes accidental) consequence is a crash.

more background: python comes in two flavors, UTF-16 ("narrow") and UTF-32
("wide"), depending on whether the unicode chars are represented. This is
generally configured to match the C library's wchar_t.

UTF-16: Windows (at least 32-bit builds), Mac OS X (at least 32-bit
builds), probably others too -- this uses a 16-bit variable-length
encoding for Unicode characters: 1 16-bit word for U+ ... U+ (identity
mapped to 0x ... 0x resp., a.k.a. the "UCS-2" range or Basic Multilingual
Plane) and 2 16-bit words for U+0001 ... U+0010 (mapped as "surrogate
pairs" to 0xd800; 0xdc00 ... 0xdbff; 0xdfff resp., corresponding to planes
1 through 16.)

UTF-32/UCS-4: Linux, possibly others? -- this uses 1 32-bit word per
unicode character: 1 word for all codepoints allowed by Python
U+ ... U+0010 (identity mapped to 0xL ... 0x0010L resp.)

> On 10/7/06, skip[at]pobox.com wrote:
> >
> >     Georg> [ Bug http://python.org/sf/1541585 ]
> >
> >     Georg> This seems to be handled like a security issue by linux
> >     Georg> distributors, it's also a news item on security related pages.
> >
> >     Georg> Should a security advisory be written and official patches be
> >     Georg> provided?
> >
> > I asked about this a few weeks ago. I got no direct response. Secunia sent
> > mail to webmaster and the SF project admins asking about how this could be
> > exploited. (Isn't figuring that stuff out their job?)
>
> FWIW, I responded to the original mail from Secunia with what little I
> know about the problem. Everyone on the original mail was copied.
> However, I got ~30 bounces for all the Source Forge addresses due to
> some issue between SF and Google mail.
>
> n

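Added example (not part of the message above, and not CPython's code): a small C model of the allocation arithmetic that message describes. It only counts bytes and never writes a buffer. Assumptions: every character is escaped, the quote and prefix overhead is ignored, the 100-byte extension fires only when a ten-byte escape does not fit at the moment it is written, and the code points 0x10000 and 0x20AC are constructed sample values; the counts 39 and 4096 are the ones in the message's test.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define N_SUPP 39    /* counts taken from the test in the message */
#define N_BMP  4096

/* Bytes of escape output for one code point: ten-byte form above the BMP,
   six-byte form otherwise (model assumption: every character is escaped). */
static size_t escape_len(uint32_t cp) { return cp >= 0x10000 ? 10 : 6; }

/* Input elements per code point: a narrow build stores a surrogate pair. */
static size_t elements(uint32_t cp, int wide) { return (!wide && cp >= 0x10000) ? 2 : 1; }

/* Worst number of bytes written past the end of the output buffer.
   per_elem is the up-front allocation per input element (6 old, 10 patched).
   grow100 models the old heuristic; WHEN it fires is an assumption here:
   only if a ten-byte escape does not fit at the moment it is written. */
size_t overrun(const uint32_t *cps, size_t n, int wide, size_t per_elem, int grow100)
{
    size_t elems = 0, used = 0, worst = 0, cap, i;
    for (i = 0; i < n; i++) elems += elements(cps[i], wide);
    cap = per_elem * elems;
    for (i = 0; i < n; i++) {
        size_t need = escape_len(cps[i]);
        if (grow100 && need == 10 && used + need > cap) cap += 100;
        used += need;
        if (used > cap && used - cap > worst) worst = used - cap;
    }
    return worst;
}

/* Constructed sample: N_SUPP code points above the BMP and N_BMP inside it,
   with the supplementary ones placed first or last. */
size_t sample_overrun(int wide, int patched, int supp_first)
{
    static uint32_t cps[N_SUPP + N_BMP];
    size_t i, n = N_SUPP + N_BMP;
    for (i = 0; i < n; i++) {
        int supp = supp_first ? (i < N_SUPP) : (i >= N_BMP);
        cps[i] = supp ? 0x10000u : 0x20ACu;   /* constructed values */
    }
    return overrun(cps, n, wide, (patched && wide) ? 10 : 6, !patched && wide);
}

int main(void)
{
    printf("old, wide, supp first : %zu\n", sample_overrun(1, 0, 1));
    printf("old, wide, supp last  : %zu\n", sample_overrun(1, 0, 0));
    printf("old, narrow           : %zu\n", sample_overrun(0, 0, 1));
    printf("patched, wide         : %zu\n", sample_overrun(1, 1, 1));
    return 0;
}
```

In this model the old strategy on a wide build ends 156 bytes past the allocation when the ten-byte escapes come first and 0 bytes past it when they come last, so the fixed extension depends on input order; ten bytes per element up front removes that dependence.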
Re: [Python-Dev] Can't check in on release25-maint branch
[EMAIL PROTECTED] wrote:
> (I sent a note to pydotorg yesterday but got no response. Trying here.)
>
> I checked in a change to Doc/lib/libcsv.tex on the trunk yesterday, then
> tried backporting it to the release25-maint branch but failed due to
> permission problems. Thinking it might be lock contention, I waited a few
> minutes and tried a couple more times. Same result. I just tried again:
>
>     subversion/libsvn_client/commit.c:832: (apr_err=13)
>     svn: Commit failed (details follow):
>     subversion/libsvn_ra_dav/util.c:368: (apr_err=13)
>     svn: Can't create directory '/data/repos/projects/db/transactions/52226-1.txn': Permission denied
>     subversion/clients/cmdline/util.c:380: (apr_err=13)
>     svn: Your commit message was left in a temporary file:
>     subversion/clients/cmdline/util.c:380: (apr_err=13)
>     svn:    '/Users/skip/src/python-svn/release25-maint/Doc/lib/svn-commit.4.tmp'
>
> Here's my svn status output:
>
>     Path: .
>     URL: http://svn.python.org/projects/python/branches/release25-maint
>     Repository UUID: 6015fed2-1504-0410-9fe1-9d1591cc4771
>     Revision: 52226
>     Node Kind: directory
>     Schedule: normal
>     Last Changed Author: hyeshik.chang
>     Last Changed Rev: 52225
>     Last Changed Date: 2006-10-08 09:01:45 -0500 (Sun, 08 Oct 2006)
>     Properties Last Updated: 2006-08-17 11:05:19 -0500 (Thu, 17 Aug 2006)
>
> I believe I've got the right thing checked out.

It looks like you checked out from http://..., IIRC that's read-only.
svn+ssh://[EMAIL PROTECTED]/python/... might work better.

Georg

Re: [Python-Dev] what's really new in python 2.5 ?
Gerrit Holl wrote:
> On 2006-10-03 20:10:14 +0200, A.M. Kuchling wrote:
>> I've added a robots.txt to keep crawlers out of /dev/.
>
> Isn't there a lot of useful, search-engine worthy stuff in /dev?
> I search for peps with google, and I suppose the 'explanation' section,
> as well as the developer faq and subversion instructions, are good pages
> that deserve to be in the google index. Should /dev really be
> Disallow:'ed entirely in robots.txt?

I think that refers to docs.python.org/dev.

Georg

Re: [Python-Dev] Can't check in on release25-maint branch
[Skip]
> I checked in a change to Doc/lib/libcsv.tex on the trunk yesterday, then
> tried backporting it to the release25-maint branch but failed due to
> permission problems. Thinking it might be lock contention, I waited a few
> minutes and tried a couple more times. Same result. I just tried again:
...
> Here's my svn status output:
>
>     Path: .
>     URL: http://svn.python.org/projects/python/branches/release25-maint

As Georg said, looks like you did a read-only checkout. It /may/ (can't
recall for sure, but think so) get you unstuck to do:

    svn switch --relocate \
        http://svn.python.org/projects/python/branches/release25-maint \
        svn+ssh://svn.python.org/python/branches/release25-maint

from your checkout directory. If that works, it will go fast; if not,
start over with an svn+ssh checkout.

Re: [Python-Dev] what's really new in python 2.5 ?
On Friday 06 October 2006 08:35, Gerrit Holl wrote:
> Isn't there a lot of useful, search-engine worthy stuff in /dev?
> I search for peps with google, and I suppose the 'explanation' section,
> as well as the developer faq and subversion instructions, are good pages
> that deserve to be in the google index. Should /dev really be
> Disallow:'ed entirely in robots.txt?

As Georg noted, we've been discussing docs.python.org/dev/, which contains
nightly builds of the documentation on a couple of branches. The material
at www.python.org/dev/ is generally interesting, as you note, and remains
open to crawlers.

-Fred

--
Fred L. Drake, Jr.

Re: [Python-Dev] PSF Infrastructure Committee's recommendation for anew issue tracker
On Fri, Oct 06, 2006, Chuzo Okuda wrote:
>
> I received the bounced email as follow. How do I become a member?

Subscribe to the list.

--
Aahz ([EMAIL PROTECTED]) <*> http://www.pythoncraft.com/

"If you don't know what your program is supposed to do, you'd better not
start writing it." --Dijkstra

Re: [Python-Dev] Can't check in on release25-maint branch
    Tim> As Georg said, looks like you did a read-only checkout.

Thanks Georg & Tim. That was indeed the problem. I don't know why I've had
such a hard time wrapping my head around Subversion.

Skip

Re: [Python-Dev] Can't check in on release25-maint branch
[Skip]
> Thanks Georg & Tim. That was indeed the problem. I don't know why I've had
> such a hard time wrapping my head around Subversion.

I have a theory about that: it's software <0.5 wink>.

If it's any consolation, at the NFS sprint earlier this year, I totally
blanked out on how to do a merge using SVN, despite that I've merged
hundreds of times when working on ZODB's seemingly infinite collection of
active branches. Luckily, I was only trying to help someone else do a
merge at the time, so it frustrated them more than me ;-)

Re: [Python-Dev] PSF Infrastructure Committee's recommendation for anew issue tracker
Chuzo Okuda wrote:
> I received the bounced email as follow. How do I become a member?

the moderator has approved your message, and it has reached the right
persons. I'm sure they'll get back to you soon.

Re: [Python-Dev] PSF Infrastructure Committee's recommendation for anew issue tracker
The email didn't bounce; it was just held for moderator approval (and it
made it through). Just sit tight and we will be getting back to all of the
volunteers in the near future (probably next week, no later than after
this upcoming week).

-Brett

On 10/6/06, Chuzo Okuda <[EMAIL PROTECTED]> wrote:
> I am willing to volunteer. I emailed previously, but it bounced back.
> Hope this time it reaches you.
>
> Chuzo

Re: [Python-Dev] PATCH submitted: Speed up + for string concatenation, now as fast as "".join(x) idiom
Fredrik Lundh wrote:
> [EMAIL PROTECTED] wrote:
>
>> MAL's pybench would probably be better for this presuming it does some
>> addition with string operands.
>>
> or stringbench.
>

I ran 'em, and they are strangely consistent with pystone.

With concat, stringbench is ever-so-slightly faster overall. "172.82" vs
"174.85" for the "ascii" column, I guess that's in seconds. I'm just happy
it's not slower. (I only ran stringbench once; it seems to take
*forever*).

I ran pybench three times for each build. The slowest concat overall time
was still 2.9% faster than the fastest release time. "ConcatStrings" is a
big winner, at around 150% faster; since the test doesn't *do* anything
with the concatenated values, it never renders the concatenation objects,
so it does a lot less work. "CreateStringsWithConcat" is generally 18-19%
faster, as expected. After that, the timings are all over the place, but
some tests were consistently faster: "CompareInternedStrings" was 8-12%
faster, "DictWithFloatKeys" was 9-11% faster, "SmallLists" was 8-15%
faster, "CompareLongs" was 6-10% faster, and "PyMethodCalls" was 4-6%
faster. (These are all comparing the "average run-time" results, though
the "minimum run-time" results were similar.)

I still couldn't tell you why my results are faster. I swear on my
mother's eyes I didn't touch anything major involved in
"DictWithFloatKeys", "SmallLists", or "CompareLongs". I didn't touch the
compiler settings, so that shouldn't be it. I acknowledge not only that it
could all be a mistake, and that I don't know enough about it to
speculate.

The speedup mystery continues,

*larry*