Patchwork python: fix for Security Advisory - python - CVE-2012-2135

Submitter yanjun.zhu
Date Nov. 16, 2012, 8:53 a.m.
Message ID <1353056022-29560-1-git-send-email-yanjun.zhu@windriver.com>
Permalink /patch/39145/
State Not Applicable

Comments

yanjun.zhu - Nov. 16, 2012, 8:53 a.m.
The utf-16 decoder in Python 3.1 through 3.3 does not update the
aligned_end variable after calling the unicode_decode_call_errorhandler
function, which allows remote attackers to obtain sensitive information
(process memory) or cause a denial of service (memory corruption and crash)
via unspecified vectors.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2135

Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
---
 .../python/python/python-2.7.2-CVE-2012-2135.patch |   12 ++++++++++++
 recipes-devtools/python/python_2.7.2.bbappend      |    1 +
 2 files changed, 13 insertions(+), 0 deletions(-)
 create mode 100644 recipes-devtools/python/python/python-2.7.2-CVE-2012-2135.patch
Otavio Salvador - Nov. 16, 2012, 12:21 p.m.
On Fri, Nov 16, 2012 at 6:53 AM, yanjun.zhu <yanjun.zhu@windriver.com> wrote:

> The utf-16 decoder in Python 3.1 through 3.3 does not update the
> aligned_end variable after calling the unicode_decode_call_errorhandler
> function, which allows remote attackers to obtain sensitive information
> (process memory) or cause a denial of service (memory corruption and crash)
> via unspecified vectors.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2135
>
> Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
>

I think this needs to be backported to previous releases, right?
yanjun.zhu - Nov. 19, 2012, 2:26 a.m.
On 11/16/2012 08:21 PM, Otavio Salvador wrote:
> On Fri, Nov 16, 2012 at 6:53 AM, yanjun.zhu <yanjun.zhu@windriver.com> wrote:
>
>> The utf-16 decoder in Python 3.1 through 3.3 does not update the
>> aligned_end variable after calling the unicode_decode_call_errorhandler
>> function, which allows remote attackers to obtain sensitive information
>> (process memory) or cause a denial of service (memory corruption and crash)
>> via unspecified vectors.
>>
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2135
>>
>> Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
>>
> I think this needs to be backported to previous releases, right?
Hi, Otavio

OK. I will do it.

Thanks a lot.
Zhu Yanjun
yanjun.zhu - Nov. 19, 2012, 2:36 a.m.
On 11/19/2012 10:26 AM, yzhu1 wrote:
> On 11/16/2012 08:21 PM, Otavio Salvador wrote:
>> On Fri, Nov 16, 2012 at 6:53 AM, yanjun.zhu <yanjun.zhu@windriver.com> wrote:
>>
>>> The utf-16 decoder in Python 3.1 through 3.3 does not update the
>>> aligned_end variable after calling the unicode_decode_call_errorhandler
>>> function, which allows remote attackers to obtain sensitive information
>>> (process memory) or cause a denial of service (memory corruption and 
>>> crash)
>>> via unspecified vectors.
>>>
>>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2135
>>>
>>> Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
>>>
>> I think this needs to be backported to previous releases, right?
> Hi, Otavio
>
> OK. I will do it.
>
> Thanks a lot.
> Zhu Yanjun
>
>
Hi, Otavio

Sorry. I do not know what the previous releases are. Do you mean denzil
branch or others?
Would you like to make it clear?

Thanks a lot.
Zhu Yanjun
Otavio Salvador - Nov. 19, 2012, 10:21 a.m.
On Mon, Nov 19, 2012 at 12:36 AM, yzhu1 <Yanjun.Zhu@windriver.com> wrote:

> On 11/19/2012 10:26 AM, yzhu1 wrote:
>
>> On 11/16/2012 08:21 PM, Otavio Salvador wrote:
>>
>>> On Fri, Nov 16, 2012 at 6:53 AM, yanjun.zhu <yanjun.zhu@windriver.com> wrote:
>>>
>>>> The utf-16 decoder in Python 3.1 through 3.3 does not update the
>>>> aligned_end variable after calling the unicode_decode_call_errorhandler
>>>> function, which allows remote attackers to obtain sensitive information
>>>> (process memory) or cause a denial of service (memory corruption and crash)
>>>> via unspecified vectors.
>>>>
>>>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2135
>>>>
>>>> Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
>>>>
>>> I think this needs to be backported to previous releases, right?
>>>
>> Hi, Otavio
>>
>> OK. I will do it.
>>
>> Thanks a lot.
>> Zhu Yanjun
>>
>>
> Hi, Otavio
>
> Sorry. I do not know what the previous releases are. Do you mean denzil
> branch or others?
> Would you like to make it clear?


Yes, I meant denzil and danny (both released and maintained for now).
Paul Eggleton - Nov. 29, 2012, 2:07 p.m.
On Friday 16 November 2012 16:53:42 yanjun.zhu wrote:
> The utf-16 decoder in Python 3.1 through 3.3 does not update the
> aligned_end variable after calling the unicode_decode_call_errorhandler
> function, which allows remote attackers to obtain sensitive information
> (process memory) or cause a denial of service (memory corruption and crash)
> via unspecified vectors.
> 
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2135
> 
> Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
> ---
>  .../python/python/python-2.7.2-CVE-2012-2135.patch |   12 ++++++++++++
>  recipes-devtools/python/python_2.7.2.bbappend      |    1 +
>  2 files changed, 13 insertions(+), 0 deletions(-)
>  create mode 100644
> recipes-devtools/python/python/python-2.7.2-CVE-2012-2135.patch

This patch is also against OE-Core, could you send this to the OE-Core list as 
well?

Thanks,
Paul
yanjun.zhu - Nov. 30, 2012, 2:49 a.m.
On 11/29/2012 10:07 PM, Paul Eggleton wrote:
> On Friday 16 November 2012 16:53:42 yanjun.zhu wrote:
>> The utf-16 decoder in Python 3.1 through 3.3 does not update the
>> aligned_end variable after calling the unicode_decode_call_errorhandler
>> function, which allows remote attackers to obtain sensitive information
>> (process memory) or cause a denial of service (memory corruption and crash)
>> via unspecified vectors.
>>
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2135
>>
>> Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
>> ---
>>   .../python/python/python-2.7.2-CVE-2012-2135.patch |   12 ++++++++++++
>>   recipes-devtools/python/python_2.7.2.bbappend      |    1 +
>>   2 files changed, 13 insertions(+), 0 deletions(-)
>>   create mode 100644
>> recipes-devtools/python/python/python-2.7.2-CVE-2012-2135.patch
> This patch is also against OE-Core, could you send this to the OE-Core list as
> well?
OK. I will follow your advice.

Thanks a lot.
Zhu Yanjun
> Thanks,
> Paul
>

Patch

diff --git a/recipes-devtools/python/python/python-2.7.2-CVE-2012-2135.patch b/recipes-devtools/python/python/python-2.7.2-CVE-2012-2135.patch
new file mode 100644
index 0000000..b913097
--- /dev/null
+++ b/recipes-devtools/python/python/python-2.7.2-CVE-2012-2135.patch
@@ -0,0 +1,12 @@ 
+diff -urpN a/Objects/unicodeobject.c b/Objects/unicodeobject.c
+--- a/Objects/unicodeobject.c	2012-11-12 16:25:33.000000000 +0800
++++ b/Objects/unicodeobject.c	2012-11-12 16:26:22.000000000 +0800
+@@ -2568,7 +2568,7 @@ PyUnicode_DecodeUTF16Stateful(const char
+         }
+ 
+         /* UTF-16 code pair: */
+-        if (q >= e) {
++        if (e - q < 2) {
+             errmsg = "unexpected end of data";
+             startinpos = (((const char *)q)-2)-starts;
+             endinpos = ((const char *)e)-starts;
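Review bot: The embedded python-2.7.2-CVE-2012-2135.patch begins directly at its `diff -urpN` line with no header, so the file itself records neither where the fix came from nor why the test changes. Add a short description plus Upstream-Status and Signed-off-by lines above the diff. The description should also match what the hunk does: the commit message quotes the CVE text about Python 3.1 through 3.3 and the aligned_end variable, while this hunk is against 2.7.2 and only changes the end-of-data test for the second half of a UTF-16 code pair in PyUnicode_DecodeUTF16Stateful from `q >= e` to `e - q < 2`. One sentence stating that the new test also rejects a partial code unit left at the end of the input (which the old test let through, if q and e are byte pointers as the casts in the context lines suggest) would let a reader confirm this is the right backport for this branch.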
diff --git a/recipes-devtools/python/python_2.7.2.bbappend b/recipes-devtools/python/python_2.7.2.bbappend
index 87be410..64ada6c 100644
--- a/recipes-devtools/python/python_2.7.2.bbappend
+++ b/recipes-devtools/python/python_2.7.2.bbappend
@@ -5,5 +5,6 @@  SRC_URI += "\
     file://python-CVE-2010-3492.patch \
     file://python-2.7.2-CVE-2012-0845.patch \
     file://python-2.7.2-CVE-2012-1150.patch \
+    file://python-2.7.2-CVE-2012-2135.patch \
 "
 PRINC = "2"
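Review bot: PRINC is left at "2" in the trailing context even though SRC_URI gains a new patch, so the package revision does not change and existing builds or package feeds may not pick up the fixed python. Bump it in the same commit, e.g. `PRINC = "3"`.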