Re: Python, was: Re: only days left to ports lock (4.4 release)

2008-08-06 Thread Toni Mueller 

Hi,

On Wed, 06.08.2008 at 13:27:31 +1000, Damien Miller [EMAIL PROTECTED] wrote:
 On Tue, 5 Aug 2008, Damien Miller wrote:
  Applied (though only exploitable on amd64) - new diff attached.
 
 Ok, this has been committed - thanks to everyone who tested and
 especially Toni Mueller and Valery Masiutsin for their great help in
 extracting the patches from Python's inscrutable release branch.

thanks, but I have to pass all honours to Matthias Klose because he, or
at least not me, successfully toured upstream's repository. I only
culled from his work.


Kind regards,
--Toni++

Re: Python, was: Re: only days left to ports lock (4.4 release)

2008-08-06 Thread Damien Miller 
On Tue, 5 Aug 2008, Damien Miller wrote:

 Applied (though only exploitable on amd64) - new diff attached.

Ok, this has been committed - thanks to everyone who tested and
especially Toni Mueller and Valery Masiutsin for their great help in
extracting the patches from Python's inscrutable release branch.

-d

Re: Python, was: Re: only days left to ports lock (4.4 release)

2008-08-05 Thread Damien Miller 
Ok, here is a patch for lang/python/2.5.

It tests OK (passes regress) on i386, and I'm yet to do sparc64 and zaurus.
Tests on other platforms and testing with your favourite apps is welcome.

-d

Index: Makefile
===
RCS file: /cvs/ports/lang/python/2.5/Makefile,v
retrieving revision 1.23
diff -u -p -r1.23 Makefile
--- Makefile25 Jul 2008 19:32:21 -  1.23
+++ Makefile5 Aug 2008 08:34:09 -
@@ -2,7 +2,7 @@
 
 VERSION=   2.5
 PATCHLEVEL=.2
-PKG_PATCHLEVEL=p3
+PKG_PATCHLEVEL=p4
 SHARED_LIBS=   python2.5 1.0
 
 # PSUBDIR= python/${VERSION}
Index: patches/patch-Include_pymem_h
===
RCS file: patches/patch-Include_pymem_h
diff -N patches/patch-Include_pymem_h
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-Include_pymem_h   5 Aug 2008 08:34:09 -
@@ -0,0 +1,59 @@
+$OpenBSD$
+--- Include/pymem.h.orig   Thu Feb 14 22:26:18 2008
 Include/pymem.hTue Aug  5 18:18:52 2008
+@@ -67,8 +67,12 @@ PyAPI_FUNC(void) PyMem_Free(void *);
+for malloc(0), which would be treated as an error. Some platforms
+would return a pointer with no memory behind it, which would break
+pymalloc. To solve these problems, allocate an extra byte. */
+-#define PyMem_MALLOC(n) malloc((n) ? (n) : 1)
+-#define PyMem_REALLOC(p, n) realloc((p), (n) ? (n) : 1)
++/* Returns NULL to indicate error if a negative size or size larger than
++   Py_ssize_t can represent is supplied.  Helps prevents security holes. */
++#define PyMem_MALLOC(n)   (((n)  0 || (n)  PY_SSIZE_T_MAX) ? 
NULL \
++  : malloc((n) ? (n) : 1))
++#define PyMem_REALLOC(p, n)   (((n)  0 || (n)  PY_SSIZE_T_MAX) ? NULL \
++  : realloc((p), (n) ? (n) : 1))
+ #define PyMem_FREEfree
+ 
+ #endif/* PYMALLOC_DEBUG */
+@@ -77,24 +81,31 @@ PyAPI_FUNC(void) PyMem_Free(void *);
+  * Type-oriented memory interface
+  * ==
+  *
+- * These are carried along for historical reasons.  There's rarely a good
+- * reason to use them anymore (you can just as easily do the multiply and
+- * cast yourself).
++ * Allocate memory for n objects of the given type.  Returns a new pointer
++ * or NULL if the request was too large or memory allocation failed.  Use
++ * these macros rather than doing the multiplication yourself so that proper
++ * overflow checking is always done.
+  */
+ 
+ #define PyMem_New(type, n) \
+-  ( assert((n) = PY_SIZE_MAX / sizeof(type)) , \
++  ( ((n)  PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \
+   ( (type *) PyMem_Malloc((n) * sizeof(type)) ) )
+ #define PyMem_NEW(type, n) \
+-  ( assert((n) = PY_SIZE_MAX / sizeof(type)) , \
++  ( ((n)  PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \
+   ( (type *) PyMem_MALLOC((n) * sizeof(type)) ) )
+ 
++/*
++ * The value of (p) is always clobbered by this macro regardless of success.
++ * The caller MUST check if (p) is NULL afterwards and deal with the memory
++ * error if so.  This means the original value of (p) MUST be saved for the
++ * caller's memory error handler to not lose track of it.
++ */
+ #define PyMem_Resize(p, type, n) \
+-  ( assert((n) = PY_SIZE_MAX / sizeof(type)) , \
+-  ( (p) = (type *) PyMem_Realloc((p), (n) * sizeof(type)) ) )
++  ( (p) = ((n)  PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \
++  (type *) PyMem_Realloc((p), (n) * sizeof(type)) )
+ #define PyMem_RESIZE(p, type, n) \
+-  ( assert((n) = PY_SIZE_MAX / sizeof(type)) , \
+-  ( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) )
++  ( (p) = ((n)  PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \
++  (type *) PyMem_REALLOC((p), (n) * sizeof(type)) )
+ 
+ /* PyMem{Del,DEL} are left over from ancient days, and shouldn't be used
+  * anymore.  They're just confusing aliases for PyMem_{Free,FREE} now.
Index: patches/patch-Lib_test_seq_tests_py
===
RCS file: patches/patch-Lib_test_seq_tests_py
diff -N patches/patch-Lib_test_seq_tests_py
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-Lib_test_seq_tests_py 5 Aug 2008 08:34:09 -
@@ -0,0 +1,22 @@
+$OpenBSD$
+--- Lib/test/seq_tests.py.orig Tue Nov 13 07:04:41 2007
 Lib/test/seq_tests.py  Tue Aug  5 18:18:52 2008
+@@ -307,11 +307,13 @@ class CommonTest(unittest.TestCase):
+ self.assertEqual(id(s), id(s*1))
+ 
+ def test_bigrepeat(self):
+-x = self.type2test([0])
+-x *= 2**16
+-self.assertRaises(MemoryError, x.__mul__, 2**16)
+-if hasattr(x, '__imul__'):
+-self.assertRaises(MemoryError, x.__imul__, 2**16)
++import sys
++if sys.maxint = 2147483647:
++x = self.type2test([0])
++x *= 2**16
++self.assertRaises(MemoryError, x.__mul__, 2**16)
++

Re: Python, was: Re: only days left to ports lock (4.4 release)

2008-08-05 Thread Toni Mueller 

Hi,

On Tue, 05.08.2008 at 18:36:34 +1000, Damien Miller [EMAIL PROTECTED] wrote:
 Ok, here is a patch for lang/python/2.5.

thank you very much for the effort. Unfortunately, there's some more
stuff which should probably make it (code execution problems included).
I found these just today, assuming that everything up to CVE-2008-2315
is already covered:

CVE-2008-3144 CVE-2008-3143 CVE-2008-3142 CVE-2008-2316 

I don't know which of these are already covered, but the first is
labelled medium, the other high in the CVE database.


Kind regards,
--Toni++

Re: Python, was: Re: only days left to ports lock (4.4 release)

2008-08-05 Thread Marc Balmer 
* [EMAIL PROTECTED] wrote:

 I am no Python user myself but because some people here realy care for it
 and because I read about this today I wanted to mention that there are
 more issues to fix propably.
 
 Gentoo reports about multiple integer/buffer overflows.
 
 http://bugs.gentoo.org/show_bug.cgi?id=230640
 http://bugs.gentoo.org/show_bug.cgi?id=232137
 
 And some where patched by Apple
 
 http://svn.python.org/view?rev=65335view=rev
 
 
 As I said I don 't use Python (not actively) but I hope those infos may
 still help to improve the port.

If you really want to help, please provide patches.

 
 
 Kind regards,
 Sebastian

Re: Python, was: Re: only days left to ports lock (4.4 release)

2008-08-04 Thread Damien Miller 
On Mon, 4 Aug 2008, Toni Mueller wrote:

 
 Hi,

 On Tue, 29.07.2008 at 21:32:18 -0600, Theo de Raadt
[EMAIL PROTECTED] wrote:
  Perhaps whoever the maintainer is will merge this in time.
 
 I hope so. Unfortunately, I feel unable to do this myself, but I also
 wanted to avoid this getting lost, as I had not seen anything in the
 CVS. Damien was kind enough to send the desired message.

I'm not going to be able to work on it for a few more days and this
will increase the chance that the patches will miss the 4.4 cutoff.
If anyone want to help out, I'll repeat:

 Want to help? Then you can cherrypick the patches from the python 2.5
 branch that close the vulnerabilities and post them to the list (as links
 to the svn changesets in the python webcvs/viewvc) matched against CVE
 numbers.

-d

Re: Python, was: Re: only days left to ports lock (4.4 release)

2008-08-04 Thread Stuart Henderson 
On 2008/08/04 21:50, Damien Miller wrote:
  Want to help? Then you can cherrypick the patches from the python 2.5
  branch that close the vulnerabilities and post them to the list (as links
  to the svn changesets in the python webcvs/viewvc) matched against CVE
  numbers.

stringobject and zlib are easy enough, imageop less so.


CVE-2008-1721
http://bugs.python.org/issue2586

Python zlib module is prone to a remote buffer-overflow vulnerability
because the library fails to properly sanitize user-supplied data.

An attacker can exploit this issue to execute arbitrary code with the
privileges of the user running an application that relies on the
affected library. Failed exploit attempts will result in a
denial-of-service condition.

Fix zlib crash from zlib.decompressobj().flush(val) when val was not
positive.  It tried to allocate negative or zero memory.  That fails.

http://svn.python.org/view/python/trunk/Lib/test/test_zlib.py?p2=%2Fpython%2Ftrunk%2FLib%2Ftest%2Ftest_zlib.pyp1=python%2Ftrunk%2FLib%2Ftest%2Ftest_zlib.pyr1=62235r2=62234rev=62235view=diffmakepatch=1diff_format=h
http://svn.python.org/view/python/trunk/Modules/zlibmodule.c?p2=%2Fpython%2Ftrunk%2FModules%2Fzlibmodule.cp1=python%2Ftrunk%2FModules%2Fzlibmodule.cr1=62235r2=62234rev=62235view=diffmakepatch=1diff_format=h


CVE-2008-1887
http://bugs.python.org/issue2587

Issue #2587: In the C API, PyString_FromStringAndSize() takes a
signed size parameter but was not verifying that it was greater
than zero.  Values less than zero will now raise a SystemError and
return NULL to indicate a bug in the calling C code.

Python 2.5.2 and earlier allows context-dependent attackers to execute
arbitrary code via multiple vectors that cause a negative size value to
be provided to the PyString_FromStringAndSize function, which allocates
less memory than expected when assert() is disabled and triggers a
buffer overflow.

http://svn.python.org/view/python/branches/release25-maint/Objects/stringobject.c?p2=%2Fpython%2Fbranches%2Frelease25-maint%2FObjects%2Fstringobject.cp1=python%2Fbranches%2Frelease25-maint%2FObjects%2Fstringobject.cr1=62262r2=62261rev=62262view=diffmakepatch=1diff_format=h


CVE-2007-4965
CVE-2008-1679
http://bugs.python.org/issue1179

Multiple integer overflows in imageop.c in Python before 2.5.3 allow
context-dependent attackers to cause a denial of service (crash) and
possibly execute arbitrary code via crafted images that trigger
heap-based buffer overflows.

Looks like it's only partially fixed in their tree.

http://bugs.python.org/file8592/python-2.5.CVE-2007-4965-int-overflow.patch
http://bugs.python.org/file9975/python-2.5-int-overflow-2.patch

http://svn.python.org/view/python/branches/release25-maint/Modules/imageop.c
http://svn.python.org/view/python/branches/release25-maint/Modules/rgbimgmodule.c

Re: Python, was: Re: only days left to ports lock (4.4 release)

2008-08-04 Thread Valery Masiutsin 
Hello.

What about issues in #2588, #2599, #2620 ?
As far as i  see from reading svn log of release25-maint, there are
also so called
apple security fixes and  commit related to openbsd fcntl handling.
I've cherrypicked those patches, built python, it passes make regress,
and works fine for me,
is there any point to send the diff, at this point of time ?

Regards Valery.

Re: Python, was: Re: only days left to ports lock (4.4 release)

2008-08-04 Thread Valery Masiutsin 
 On 2008/08/04 16:32, Valery Masiutsin wrote:
  Hello.
  
  What about issues in #2588, #2599, #2620 ?
 
 Oh... Are python users supposed to tramp through the tickets just
 to identify the security problems?
 
 It would be nice if there was somewhere official to find these.
 Like http://www.python.org/news/security/, but actually maintained.
 
  As far as i  see from reading svn log of release25-maint, there are
  also so called
  apple security fixes and  commit related to openbsd fcntl
  handling. I've cherrypicked those patches, built python, it passes
  make regress, and works fine for me,
  is there any point to send the diff, at this point of time ?
 
 It might not go into the release, it's pretty late for that now,
 but you may as well send it along rather than just hold onto it.
 
Ok, here it is. I think it could suite as a starting point for
post-release activity.

#2588, #2589 - PyOS_vsnprintf() issues, i think they are unrelated to
us, false alarm, so i skipped them.
URL= http://svn.python.org/projects/python/branches/release25-maint

1. #2620 - Multiple buffer overflows in unicode processing.
svn diff -r65234:65261 $URL
2. apple security patches
svn diff  -r65261:65334 $URL
3. OpenBSD fcntl.ioctl handling on 64-bit OpenBSD.
svn diff -r65461:65466 $URL

I removed the bits applied to Misc/News file, i did not apply fixes
mentioned earlier, i am ready to do this, if it needs so.
Tested on amd64.

Regards Valery.

Index: patches/patch-Include_pymem_h
===
RCS file: patches/patch-Include_pymem_h
diff -N patches/patch-Include_pymem_h
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-Include_pymem_h   4 Aug 2008 15:17:15 -
@@ -0,0 +1,59 @@
+$OpenBSD$
+--- Include/pymem.h.orig   Thu Feb 14 13:26:18 2008
 Include/pymem.hMon Aug  4 21:12:55 2008
+@@ -67,8 +67,12 @@ PyAPI_FUNC(void) PyMem_Free(void *);
+for malloc(0), which would be treated as an error. Some platforms
+would return a pointer with no memory behind it, which would break
+pymalloc. To solve these problems, allocate an extra byte. */
+-#define PyMem_MALLOC(n) malloc((n) ? (n) : 1)
+-#define PyMem_REALLOC(p, n) realloc((p), (n) ? (n) : 1)
++/* Returns NULL to indicate error if a negative size or size larger
than ++   Py_ssize_t can represent is supplied.  Helps prevents
security holes. */ ++#define PyMem_MALLOC(n)   (((n)  0 ||
(n)  PY_SSIZE_T_MAX) ? NULL \ ++  :
malloc((n) ? (n) : 1)) ++#define PyMem_REALLOC(p, n)   (((n)  0 || (n)
 PY_SSIZE_T_MAX) ? NULL \ ++  :
 realloc((p), (n) ? (n) : 1))
+ #define PyMem_FREEfree
+ 
+ #endif/* PYMALLOC_DEBUG */
+@@ -77,24 +81,31 @@ PyAPI_FUNC(void) PyMem_Free(void *);
+  * Type-oriented memory interface
+  * ==
+  *
+- * These are carried along for historical reasons.  There's rarely a
good +- * reason to use them anymore (you can just as easily do the
multiply and +- * cast yourself).
++ * Allocate memory for n objects of the given type.  Returns a new
pointer ++ * or NULL if the request was too large or memory allocation
failed.  Use ++ * these macros rather than doing the multiplication
yourself so that proper ++ * overflow checking is always done.
+  */
+ 
+ #define PyMem_New(type, n) \
+-  ( assert((n) = PY_SIZE_MAX / sizeof(type)) , \
++  ( ((n)  PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \
+   ( (type *) PyMem_Malloc((n) * sizeof(type)) ) )
+ #define PyMem_NEW(type, n) \
+-  ( assert((n) = PY_SIZE_MAX / sizeof(type)) , \
++  ( ((n)  PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \
+   ( (type *) PyMem_MALLOC((n) * sizeof(type)) ) )
+ 
++/*
++ * The value of (p) is always clobbered by this macro regardless of
success. ++ * The caller MUST check if (p) is NULL afterwards and deal
with the memory ++ * error if so.  This means the original value of (p)
MUST be saved for the ++ * caller's memory error handler to not lose
track of it. ++ */
+ #define PyMem_Resize(p, type, n) \
+-  ( assert((n) = PY_SIZE_MAX / sizeof(type)) , \
+-  ( (p) = (type *) PyMem_Realloc((p), (n) * sizeof(type)) ) )
++  ( (p) = ((n)  PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \
++  (type *) PyMem_Realloc((p), (n) * sizeof(type)) )
+ #define PyMem_RESIZE(p, type, n) \
+-  ( assert((n) = PY_SIZE_MAX / sizeof(type)) , \
+-  ( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) )
++  ( (p) = ((n)  PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \
++  (type *) PyMem_REALLOC((p), (n) * sizeof(type)) )
+ 
+ /* PyMem{Del,DEL} are left over from ancient days, and shouldn't be
used
+  * anymore.  They're just confusing aliases for PyMem_{Free,FREE} now.
Index: patches/patch-Lib_test_seq_tests_py
===
RCS file: patches/patch-Lib_test_seq_tests_py
diff -N patches/patch-Lib_test_seq_tests_py
--- /dev/null   1 Jan 1970 00:00:00 -
+++

Re: Python, was: Re: only days left to ports lock (4.4 release)

2008-08-04 Thread Peter Valchev 
On Mon, Aug 4, 2008 at 12:41 PM, Valery Masiutsin [EMAIL PROTECTED] wrote:
 On 2008/08/04 16:32, Valery Masiutsin wrote:
  Hello.
 
  What about issues in #2588, #2599, #2620 ?

 Oh... Are python users supposed to tramp through the tickets just
 to identify the security problems?

 It would be nice if there was somewhere official to find these.
 Like http://www.python.org/news/security/, but actually maintained.

  As far as i  see from reading svn log of release25-maint, there are
  also so called
  apple security fixes and  commit related to openbsd fcntl
  handling. I've cherrypicked those patches, built python, it passes
  make regress, and works fine for me,
  is there any point to send the diff, at this point of time ?

 It might not go into the release, it's pretty late for that now,
 but you may as well send it along rather than just hold onto it.

 Ok, here it is. I think it could suite as a starting point for
 post-release activity.
...

It appears that a lot of the work to pick the right patches has been
done in this thread. Has someone familiar with python double checked
Valery's work?

Also extensive testing should be done by those that use it.

It seems like enough people consider it important for the release, so
let's get it done.