Patchwork [1/1] Python: Fix for CVE-2012-2135

Submitter yanjun.zhu
Date Nov. 30, 2012, 11:29 a.m.
Message ID <1354274968-7181-1-git-send-email-yanjun.zhu@windriver.com>
Permalink /patch/39961/
State New

Comments

yanjun.zhu - Nov. 30, 2012, 11:29 a.m.
From: "yanjun.zhu" <yanjun.zhu@windriver.com>

Reference:http://bugs.python.org/issue14579

The utf-16 decoder in Python 3.1 through 3.3 does not update the
aligned_end variable after calling the unicode_decode_call_errorhandler
function, which allows remote attackers to obtain sensitive information
(process memory) or cause a denial of service (memory corruption and crash)
via unspecified vectors.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2135

[YOCTO #3450]

Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
---
 .../python/python/python-2.7.2-CVE-2012-2135.patch | 24 ++++++++++++++++++++++
 meta/recipes-devtools/python/python_2.7.2.bb       |  1 +
 2 files changed, 25 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python/python-2.7.2-CVE-2012-2135.patch
Saul Wold - Nov. 30, 2012, 6:54 p.m.
On 11/30/2012 03:29 AM, yanjun.zhu wrote:
> From: "yanjun.zhu" <yanjun.zhu@windriver.com>
>
> Reference:http://bugs.python.org/issue14579
>
> The utf-16 decoder in Python 3.1 through 3.3 does not update the
> aligned_end variable after calling the unicode_decode_call_errorhandler
> function, which allows remote attackers to obtain sensitive information
> (process memory) or cause a denial of service (memory corruption and crash)
> via unspecified vectors.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2135
>
> [YOCTO #3450]
>
Is this for Denzil or is there a 2.7.3 patch for this CVE?  Both Danny 
(1.3) and master are using Python 2.7.3, which does not seem to have 
this CVE fixed yet.

Please rebase this for master.

Sau!

> Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
> ---
>   .../python/python/python-2.7.2-CVE-2012-2135.patch | 24 ++++++++++++++++++++++
>   meta/recipes-devtools/python/python_2.7.2.bb       |  1 +
>   2 files changed, 25 insertions(+)
>   create mode 100644 meta/recipes-devtools/python/python/python-2.7.2-CVE-2012-2135.patch
>
> diff --git a/meta/recipes-devtools/python/python/python-2.7.2-CVE-2012-2135.patch b/meta/recipes-devtools/python/python/python-2.7.2-CVE-2012-2135.patch
> new file mode 100644
> index 0000000..ad118b0
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python/python-2.7.2-CVE-2012-2135.patch
> @@ -0,0 +1,24 @@
> +Upstream-Status: Backport
> +
> +Reference:http://bugs.python.org/issue14579
> +
> +The utf-16 decoder in Python 3.1 through 3.3 does not update the
> +aligned_end variable after calling the unicode_decode_call_errorhandler
> +function, which allows remote attackers to obtain sensitive information
> +(process memory) or cause a denial of service (memory corruption and crash)
> +via unspecified vectors.
> +
> +http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2135
> +Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
> +diff -urpN a/Objects/unicodeobject.c b/Objects/unicodeobject.c
> +--- a/Objects/unicodeobject.c	2012-11-12 16:25:33.000000000 +0800
> ++++ b/Objects/unicodeobject.c	2012-11-12 16:26:22.000000000 +0800
> +@@ -2568,7 +2568,7 @@ PyUnicode_DecodeUTF16Stateful(const char
> +         }
> +
> +         /* UTF-16 code pair: */
> +-        if (q >= e) {
> ++        if (e - q < 2) {
> +             errmsg = "unexpected end of data";
> +             startinpos = (((const char *)q)-2)-starts;
> +             endinpos = ((const char *)e)-starts;
> diff --git a/meta/recipes-devtools/python/python_2.7.2.bb b/meta/recipes-devtools/python/python_2.7.2.bb
> index 2adb4e4..9dabfb7 100644
> --- a/meta/recipes-devtools/python/python_2.7.2.bb
> +++ b/meta/recipes-devtools/python/python_2.7.2.bb
> @@ -24,6 +24,7 @@ SRC_URI += "\
>     file://setuptweaks.patch \
>     file://check-if-target-is-64b-not-host.patch \
>     file://search_db_h_in_inc_dirs_and_avoid_warning.patch \
> +  file://python-2.7.2-CVE-2012-2135.patch \
>   "
>
>   S = "${WORKDIR}/Python-${PV}"
>
Scott Garman - Nov. 30, 2012, 11:21 p.m.
On 11/30/2012 10:54 AM, Saul Wold wrote:
> On 11/30/2012 03:29 AM, yanjun.zhu wrote:
>> From: "yanjun.zhu" <yanjun.zhu@windriver.com>
>>
>> Reference:http://bugs.python.org/issue14579
>>
>> The utf-16 decoder in Python 3.1 through 3.3 does not update the
>> aligned_end variable after calling the unicode_decode_call_errorhandler
>> function, which allows remote attackers to obtain sensitive information
>> (process memory) or cause a denial of service (memory corruption and
>> crash)
>> via unspecified vectors.
>>
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2135
>>
>> [YOCTO #3450]
>>
> Is this for Denzil or is there a 2.7.3 patch for this CVE?  Both Danny
> (1.3) and master are using Python 2.7.3, which does not seem to have
> this CVE fixed yet.

The CVE link above states that the vulnerability exists only in python 
v3.1 - 3.3. That would suggest it would not apply to denzil at all.

I'm thrilled to see more security fixes rolling in, but I'm not sure 
what's going on if they do not apply to the versions of upstream 
software we're shipping.

Scott

Patch

diff --git a/meta/recipes-devtools/python/python/python-2.7.2-CVE-2012-2135.patch b/meta/recipes-devtools/python/python/python-2.7.2-CVE-2012-2135.patch
new file mode 100644
index 0000000..ad118b0
--- /dev/null
+++ b/meta/recipes-devtools/python/python/python-2.7.2-CVE-2012-2135.patch
@@ -0,0 +1,24 @@ 
+Upstream-Status: Backport
+
+Reference:http://bugs.python.org/issue14579
+
+The utf-16 decoder in Python 3.1 through 3.3 does not update the
+aligned_end variable after calling the unicode_decode_call_errorhandler
+function, which allows remote attackers to obtain sensitive information
+(process memory) or cause a denial of service (memory corruption and crash)
+via unspecified vectors.
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2135
+Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
+diff -urpN a/Objects/unicodeobject.c b/Objects/unicodeobject.c
+--- a/Objects/unicodeobject.c	2012-11-12 16:25:33.000000000 +0800
++++ b/Objects/unicodeobject.c	2012-11-12 16:26:22.000000000 +0800
+@@ -2568,7 +2568,7 @@ PyUnicode_DecodeUTF16Stateful(const char
+         }
+ 
+         /* UTF-16 code pair: */
+-        if (q >= e) {
++        if (e - q < 2) {
+             errmsg = "unexpected end of data";
+             startinpos = (((const char *)q)-2)-starts;
+             endinpos = ((const char *)e)-starts;
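Review bot: The header of the embedded patch (from "The utf-16 decoder in Python 3.1 through 3.3" down to "via unspecified vectors") is the CVE text and does not describe the change carried below it. The only code change is `if (q >= e)` becoming `if (e - q < 2)` in the "UTF-16 code pair" branch of PyUnicode_DecodeUTF16Stateful, and `aligned_end` is not touched anywhere in the hunk. Please add a sentence explaining why this end-of-data check is the 2.7.2 form of the fix, and name the upstream changeset next to "Upstream-Status: Backport" so the backport can be compared with its source. A blank line before the Signed-off-by line would also separate it from the NVD URL.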
diff --git a/meta/recipes-devtools/python/python_2.7.2.bb b/meta/recipes-devtools/python/python_2.7.2.bb
index 2adb4e4..9dabfb7 100644
--- a/meta/recipes-devtools/python/python_2.7.2.bb
+++ b/meta/recipes-devtools/python/python_2.7.2.bb
@@ -24,6 +24,7 @@  SRC_URI += "\
   file://setuptweaks.patch \
   file://check-if-target-is-64b-not-host.patch \
   file://search_db_h_in_inc_dirs_and_avoid_warning.patch \
+  file://python-2.7.2-CVE-2012-2135.patch \
 "
 
 S = "${WORKDIR}/Python-${PV}"
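Review bot: The added `file://python-2.7.2-CVE-2012-2135.patch` entry in SRC_URI is the only change to python_2.7.2.bb in this hunk, so nothing visible here forces already-built packages to be rebuilt; if the recipe sets PR, bump it in the same commit. The commit message should also state which branch this targets, since the recipe is pinned to 2.7.2 while the description names Python 3.1 through 3.3 as the affected versions.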