pinkbyte 14/07/29 07:53:03 Added: python-3.2-CVE-2014-1912.patch Log: Revision bump: backport patch for CVE-2014-1912, bug #500518. Drop old revision. Acked by Python team (Portage version: 2.2.10/cvs/Linux x86_64, signed Manifest commit with key 0x1F357D42)
Revision Changes Path 1.1 dev-lang/python/files/python-3.2-CVE-2014-1912.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-lang/python/files/python-3.2-CVE-2014-1912.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-lang/python/files/python-3.2-CVE-2014-1912.patch?rev=1.1&content-type=text/plain Index: python-3.2-CVE-2014-1912.patch =================================================================== # HG changeset patch # User Benjamin Peterson <benja...@python.org> # Date 1389671978 18000 # Node ID 9c56217e5c793685eeaf0ee224848c402bdf1e4c # Parent 2b5cd6d4d149dea6c6941b7e07ada248b29fc9f6 complain when nbytes > buflen to fix possible buffer overflow (closes #20246) diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py --- a/Lib/test/test_socket.py +++ b/Lib/test/test_socket.py @@ -1968,6 +1968,14 @@ class BufferIOTest(SocketConnectedTest): _testRecvFromIntoMemoryview = _testRecvFromIntoArray + def testRecvFromIntoSmallBuffer(self): + # See issue #20246. + buf = bytearray(8) + self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024) + + def _testRecvFromIntoSmallBuffer(self): + self.serv_conn.send(MSG*2048) + TIPC_STYPE = 2000 TIPC_LOWER = 200 diff --git a/Misc/ACKS b/Misc/ACKS --- a/Misc/ACKS +++ b/Misc/ACKS @@ -1020,6 +1020,7 @@ Eric V. Smith Christopher Smith Gregory P. Smith Roy Smith +Ryan Smith-Roberts Rafal Smotrzyk Dirk Soede Paul Sokolovsky diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c --- a/Modules/socketmodule.c +++ b/Modules/socketmodule.c @@ -2598,6 +2598,11 @@ sock_recvfrom_into(PySocketSockObject *s if (recvlen == 0) { /* If nbytes was not specified, use the buffer's length */ recvlen = buflen; + } else if (recvlen > buflen) { + PyBuffer_Release(&pbuf); + PyErr_SetString(PyExc_ValueError, + "nbytes is greater than the length of the buffer"); + return NULL; } readlen = sock_recvfrom_guts(s, buf, recvlen, flags, &addr);