Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 7 Sep 2008 06:13:00 GMT
From:      bf <bf2006a@yahoo.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/127172: [PATCH]lang/python25: security fixes for 2.5.2
Message-ID:  <200809070613.m876D0ZI010003@www.freebsd.org>
Resent-Message-ID: <200809070620.m876K1XN047402@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         127172
>Category:       ports
>Synopsis:       [PATCH]lang/python25: security fixes for 2.5.2
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Sep 07 06:20:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     bf
>Release:        7-STABLE i386
>Organization:
-
>Environment:
>Description:
While we're waiting for the new version of python, be on the safe side and add patches for CVE-2008-2315, CVE-2008-2316, CVE-2008-3142, and CVE-2008-3144.  These should be documented in vuxml.  lang/python24 should also be patched for these, and also for CVE-2008-3143.

(See, for example, 

http://www.gentoo.org/security/en/glsa/glsa-200807-16.xml  ,

and the links in that page.)
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

diff -ruN python25.orig/Makefile python25/Makefile
--- python25.orig/Makefile	2008-08-21 02:17:31.000000000 -0400
+++ python25/Makefile	2008-09-07 01:54:52.726296290 -0400
@@ -6,7 +6,7 @@
 
 PORTNAME=	python25
 PORTVERSION=	2.5.2
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	lang python ipv6
 MASTER_SITES=	${PYTHON_MASTER_SITES}
 MASTER_SITE_SUBDIR=	${PYTHON_MASTER_SITE_SUBDIR}
diff -ruN python25.orig/files/patch-at python25/files/patch-at
--- python25.orig/files/patch-at	1969-12-31 19:00:00.000000000 -0500
+++ python25/files/patch-at	2008-09-07 01:54:52.566294111 -0400
@@ -0,0 +1,15 @@
+
+
+Part of the fix for CVE-2008-2315 taken from Gentoo.
+
+--- Modules/mmapmodule.c.orig	2006-08-22 14:57:07.000000000 +0100
++++ Modules/mmapmodule.c	2008-08-30 10:16:13.000000000 +0100
+@@ -223,7 +223,7 @@
+ 		return(NULL);
+ 
+ 	/* silently 'adjust' out-of-range requests */
+-	if ((self->pos + num_bytes) > self->size) {
++	if (num_bytes > self->size - self->pos) {
+ 		num_bytes -= (self->pos+num_bytes) - self->size;
+ 	}
+ 	result = Py_BuildValue("s#", self->data+self->pos, num_bytes);
diff -ruN python25.orig/files/patch-ba python25/files/patch-ba
--- python25.orig/files/patch-ba	1969-12-31 19:00:00.000000000 -0500
+++ python25/files/patch-ba	2008-09-07 01:54:52.576295382 -0400
@@ -0,0 +1,119 @@
+
+
+Patch for CVE-2008-2315 taken from Gentoo.
+
+--- Objects/unicodeobject.c.orig	2007-11-02 22:46:38.000000000 +0000
++++ Objects/unicodeobject.c	2008-08-30 10:16:13.000000000 +0100
+@@ -239,6 +239,11 @@
+         return unicode_empty;
+     }
+ 
++    /* Ensure we won't overflow the size. */
++    if (length > ((PY_SSIZE_T_MAX / sizeof(Py_UNICODE)) - 1)) {
++        return (PyUnicodeObject *)PyErr_NoMemory();
++    }
++
+     /* Unicode freelist & memory allocation */
+     if (unicode_freelist) {
+         unicode = unicode_freelist;
+@@ -1091,6 +1096,9 @@
+     char * out;
+     char * start;
+ 
++    if (cbAllocated / 5 != size)
++        return PyErr_NoMemory();
++
+     if (size == 0)
+ 		return PyString_FromStringAndSize(NULL, 0);
+ 
+@@ -1689,8 +1697,9 @@
+ {
+     PyObject *v;
+     unsigned char *p;
++    Py_ssize_t nsize, bytesize;
+ #ifdef Py_UNICODE_WIDE
+-    int i, pairs;
++    Py_ssize_t i, pairs;
+ #else
+     const int pairs = 0;
+ #endif
+@@ -1713,8 +1722,15 @@
+ 	if (s[i] >= 0x10000)
+ 	    pairs++;
+ #endif
+-    v = PyString_FromStringAndSize(NULL,
+-		  2 * (size + pairs + (byteorder == 0)));
++    /* 2 * (size + pairs + (byteorder == 0)) */
++    if (size > PY_SSIZE_T_MAX ||
++	size > PY_SSIZE_T_MAX - pairs - (byteorder == 0))
++	return PyErr_NoMemory();
++    nsize = (size + pairs + (byteorder == 0));
++    bytesize = nsize * 2;
++    if (bytesize / 2 != nsize)
++	return PyErr_NoMemory();
++    v = PyString_FromStringAndSize(NULL, bytesize);
+     if (v == NULL)
+         return NULL;
+ 
+@@ -2042,6 +2058,11 @@
+     char *p;
+ 
+     static const char *hexdigit = "0123456789abcdef";
++#ifdef Py_UNICODE_WIDE
++    const Py_ssize_t expandsize = 10;
++#else
++    const Py_ssize_t expandsize = 6;
++#endif
+ 
+     /* Initial allocation is based on the longest-possible unichr
+        escape.
+@@ -2057,13 +2078,12 @@
+        escape.
+     */
+ 
++    if (size > (PY_SSIZE_T_MAX - 2 - 1) / expandsize)
++	return PyErr_NoMemory();
++
+     repr = PyString_FromStringAndSize(NULL,
+         2
+-#ifdef Py_UNICODE_WIDE
+-        + 10*size
+-#else
+-        + 6*size
+-#endif
++        + expandsize*size
+         + 1);
+     if (repr == NULL)
+         return NULL;
+@@ -2304,12 +2324,16 @@
+     char *q;
+ 
+     static const char *hexdigit = "0123456789abcdef";
+-
+ #ifdef Py_UNICODE_WIDE
+-    repr = PyString_FromStringAndSize(NULL, 10 * size);
++    const Py_ssize_t expandsize = 10;
+ #else
+-    repr = PyString_FromStringAndSize(NULL, 6 * size);
++    const Py_ssize_t expandsize = 6;
+ #endif
++
++    if (size > PY_SSIZE_T_MAX / expandsize)
++	return PyErr_NoMemory();
++
++    repr = PyString_FromStringAndSize(NULL, expandsize * size);
+     if (repr == NULL)
+         return NULL;
+     if (size == 0)
+@@ -4719,6 +4743,11 @@
+         return self;
+     }
+ 
++    if (left > PY_SSIZE_T_MAX - self->length ||
++	right > PY_SSIZE_T_MAX - (left + self->length)) {
++        PyErr_SetString(PyExc_OverflowError, "padded string is too long");
++        return NULL;
++    }
+     u = _PyUnicode_New(left + self->length + right);
+     if (u) {
+         if (left)
diff -ruN python25.orig/files/patch-bb python25/files/patch-bb
--- python25.orig/files/patch-bb	1969-12-31 19:00:00.000000000 -0500
+++ python25/files/patch-bb	2008-09-07 01:54:52.586294418 -0400
@@ -0,0 +1,21 @@
+
+
+Patch for CVE-2008-2315 taken from Gentoo.
+
+--- Objects/tupleobject.c.orig	2006-08-12 18:03:09.000000000 +0100
++++ Objects/tupleobject.c	2008-08-30 10:16:13.000000000 +0100
+@@ -60,11 +60,12 @@
+ 		Py_ssize_t nbytes = size * sizeof(PyObject *);
+ 		/* Check for overflow */
+ 		if (nbytes / sizeof(PyObject *) != (size_t)size ||
+-		    (nbytes += sizeof(PyTupleObject) - sizeof(PyObject *))
+-		    <= 0)
++		    (nbytes > PY_SSIZE_T_MAX - sizeof(PyTupleObject) - sizeof(PyObject *)))
+ 		{
+ 			return PyErr_NoMemory();
+ 		}
++		nbytes += sizeof(PyTupleObject) - sizeof(PyObject *);
++
+ 		op = PyObject_GC_NewVar(PyTupleObject, &PyTuple_Type, size);
+ 		if (op == NULL)
+ 			return NULL;
diff -ruN python25.orig/files/patch-bc python25/files/patch-bc
--- python25.orig/files/patch-bc	1969-12-31 19:00:00.000000000 -0500
+++ python25/files/patch-bc	2008-09-07 01:54:52.586294418 -0400
@@ -0,0 +1,17 @@
+
+
+Patch for CVE-2008-2315 taken from Gentoo.
+
+--- Objects/bufferobject.c.orig	2008-02-14 11:26:18.000000000 +0000
++++ Objects/bufferobject.c	2008-08-30 10:16:13.000000000 +0100
+@@ -427,6 +427,10 @@
+ 		count = 0;
+ 	if (!get_buf(self, &ptr, &size, ANY_BUFFER))
+ 		return NULL;
++	if (count > PY_SSIZE_T_MAX / size) {
++		PyErr_SetString(PyExc_MemoryError, "result too large");
++		return NULL;
++	}
+ 	ob = PyString_FromStringAndSize(NULL, size * count);
+ 	if ( ob == NULL )
+ 		return NULL;
diff -ruN python25.orig/files/patch-bd python25/files/patch-bd
--- python25.orig/files/patch-bd	1969-12-31 19:00:00.000000000 -0500
+++ python25/files/patch-bd	2008-09-07 01:54:52.596295410 -0400
@@ -0,0 +1,15 @@
+
+
+Patch for CVE-2008-2315 taken from Gentoo.
+
+--- Objects/longobject.c.orig	2007-05-07 19:30:48.000000000 +0100
++++ Objects/longobject.c	2008-08-30 10:16:13.000000000 +0100
+@@ -70,6 +70,8 @@
+ 		PyErr_NoMemory();
+ 		return NULL;
+ 	}
++	/* XXX(nnorwitz): This can overflow --
++	   PyObject_NEW_VAR /  _PyObject_VAR_SIZE need to detect overflow */
+ 	return PyObject_NEW_VAR(PyLongObject, &PyLong_Type, size);
+ }
+ 
diff -ruN python25.orig/files/patch-be python25/files/patch-be
--- python25.orig/files/patch-be	1969-12-31 19:00:00.000000000 -0500
+++ python25/files/patch-be	2008-09-07 01:54:52.596295410 -0400
@@ -0,0 +1,53 @@
+
+
+Patch for CVE-2008-2315 taken from Gentoo.
+
+--- Objects/stringobject.c.orig	2007-11-07 01:19:49.000000000 +0000
++++ Objects/stringobject.c	2008-08-30 10:16:13.000000000 +0100
+@@ -71,6 +71,11 @@
+ 		return (PyObject *)op;
+ 	}
+ 
++	if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
++		PyErr_SetString(PyExc_OverflowError, "string is too large");
++		return NULL;
++	}
++
+ 	/* Inline PyObject_NewVar */
+ 	op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
+ 	if (op == NULL)
+@@ -106,7 +111,7 @@
+ 
+ 	assert(str != NULL);
+ 	size = strlen(str);
+-	if (size > PY_SSIZE_T_MAX) {
++	if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
+ 		PyErr_SetString(PyExc_OverflowError,
+ 			"string is too long for a Python string");
+ 		return NULL;
+@@ -967,14 +972,24 @@
+ 		Py_INCREF(a);
+ 		return (PyObject *)a;
+ 	}
++	/* Check that string sizes are not negative, to prevent an
++	   overflow in cases where we are passed incorrectly-created
++	   strings with negative lengths (due to a bug in other code).
++	*/
+ 	size = a->ob_size + b->ob_size;
+-	if (size < 0) {
++	if (a->ob_size < 0 || b->ob_size < 0 ||
++	    a->ob_size > PY_SSIZE_T_MAX - b->ob_size) {
+ 		PyErr_SetString(PyExc_OverflowError,
+ 				"strings are too large to concat");
+ 		return NULL;
+ 	}
+ 	  
+ 	/* Inline PyObject_NewVar */
++	if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) {
++		PyErr_SetString(PyExc_OverflowError,
++				"strings are too large to concat");
++		return NULL;
++	}
+ 	op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
+ 	if (op == NULL)
+ 		return PyErr_NoMemory();
diff -ruN python25.orig/files/patch-bf python25/files/patch-bf
--- python25.orig/files/patch-bf	1969-12-31 19:00:00.000000000 -0500
+++ python25/files/patch-bf	2008-09-07 01:54:52.616293482 -0400
@@ -0,0 +1,25 @@
+
+
+Patch for CVE-2008-2315 taken from Gentoo.
+
+--- Lib/test/seq_tests.py.orig	2007-11-12 20:04:41.000000000 +0000
++++ Lib/test/seq_tests.py	2008-08-30 10:16:13.000000000 +0100
+@@ -307,11 +307,13 @@
+             self.assertEqual(id(s), id(s*1))
+ 
+     def test_bigrepeat(self):
+-        x = self.type2test([0])
+-        x *= 2**16
+-        self.assertRaises(MemoryError, x.__mul__, 2**16)
+-        if hasattr(x, '__imul__'):
+-            self.assertRaises(MemoryError, x.__imul__, 2**16)
++        import sys
++        if sys.maxint <= 2147483647:
++            x = self.type2test([0])
++            x *= 2**16
++            self.assertRaises(MemoryError, x.__mul__, 2**16)
++            if hasattr(x, '__imul__'):
++                self.assertRaises(MemoryError, x.__imul__, 2**16)
+ 
+     def test_subscript(self):
+         a = self.type2test([10, 11])
diff -ruN python25.orig/files/patch-bg python25/files/patch-bg
--- python25.orig/files/patch-bg	1969-12-31 19:00:00.000000000 -0500
+++ python25/files/patch-bg	2008-09-07 01:54:52.616293482 -0400
@@ -0,0 +1,32 @@
+
+
+Patch for CVE-2008-2315 taken from Gentoo.
+
+--- Lib/test/test_strop.py.orig	2002-07-31 00:27:12.000000000 +0100
++++ Lib/test/test_strop.py	2008-08-30 10:16:13.000000000 +0100
+@@ -115,6 +115,25 @@
+         strop.uppercase
+         strop.whitespace
+ 
++    @test_support.precisionbigmemtest(size=test_support._2G - 1, memuse=5)
++    def test_stropjoin_huge_list(self, size):
++        a = "A" * size
++        try:
++            r = strop.join([a, a], a)
++        except OverflowError:
++            pass
++        else:
++            self.assertEquals(len(r), len(a) * 3)
++
++    @test_support.precisionbigmemtest(size=test_support._2G - 1, memuse=1)
++    def test_stropjoin_huge_tup(self, size):
++        a = "A" * size
++        try:
++            r = strop.join((a, a), a)
++        except OverflowError:
++            pass # acceptable on 32-bit
++        else:
++            self.assertEquals(len(r), len(a) * 3)
+ 
+ transtable = '\000\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037 !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`xyzdefghijklmnopqrstuvwxyz{|}~\177\200\201\202\203\204\205\206\207\210\211\212\213\214\215\216\217\220\221\222\223\224\225\226\227\230\231\232\233\234\235\236\237\240\241\242\243\244\245\246\247\250\251\252\253\254\255\256\257\260\261\262\263\264\265\266\267\270\271\272\273\274\275\276\277\300\301\302\303\304\305\306\307\310\311\312\313\314\315\316\317\320\321\322\323\324\325\326\327\330\331\332\333\334\335\336\337\340\341\342\343\344\345\346\347\350\351\352\353\354\355\356\357\360\361\362\363\364\365\366\367\370\371\372\373\374\375\376\377'
+ 
diff -ruN python25.orig/files/patch-bh python25/files/patch-bh
--- python25.orig/files/patch-bh	1969-12-31 19:00:00.000000000 -0500
+++ python25/files/patch-bh	2008-09-07 01:54:52.656294376 -0400
@@ -0,0 +1,167 @@
+
+
+Patch for CVE-2008-2315 taken from Gentoo.
+
+--- Lib/test/test_bigmem.py.orig	2007-11-30 21:53:17.000000000 +0000
++++ Lib/test/test_bigmem.py	2008-08-30 10:16:13.000000000 +0100
+@@ -1,5 +1,5 @@
+ from test import test_support
+-from test.test_support import bigmemtest, _1G, _2G
++from test.test_support import bigmemtest, _1G, _2G, _4G, precisionbigmemtest
+ 
+ import unittest
+ import operator
+@@ -54,6 +54,22 @@
+         self.assertEquals(s[lpadsize:-rpadsize], SUBSTR)
+         self.assertEquals(s.strip(), SUBSTR.strip())
+ 
++    @precisionbigmemtest(size=_2G - 1, memuse=1)
++    def test_center_unicode(self, size):
++        SUBSTR = u' abc def ghi'
++        try:
++            s = SUBSTR.center(size)
++        except OverflowError:
++            pass # acceptable on 32-bit
++        else:
++            self.assertEquals(len(s), size)
++            lpadsize = rpadsize = (len(s) - len(SUBSTR)) // 2
++            if len(s) % 2:
++                lpadsize += 1
++            self.assertEquals(s[lpadsize:-rpadsize], SUBSTR)
++            self.assertEquals(s.strip(), SUBSTR.strip())
++            del s
++
+     @bigmemtest(minsize=_2G, memuse=2)
+     def test_count(self, size):
+         SUBSTR = ' abc def ghi'
+@@ -70,10 +86,44 @@
+         s = '.' * size
+         self.assertEquals(len(s.decode('utf-8')), size)
+ 
++    def basic_encode_test(self, size, enc, c=u'.', expectedsize=None):
++        if expectedsize is None:
++            expectedsize = size
++
++        s = c * size
++        self.assertEquals(len(s.encode(enc)), expectedsize)
++
+     @bigmemtest(minsize=_2G + 2, memuse=3)
+     def test_encode(self, size):
+-        s = u'.' * size
+-        self.assertEquals(len(s.encode('utf-8')), size)
++        return self.basic_encode_test(size, 'utf-8')
++
++    @precisionbigmemtest(size=_4G / 6 + 2, memuse=2)
++    def test_encode_raw_unicode_escape(self, size):
++        try:
++            return self.basic_encode_test(size, 'raw_unicode_escape')
++        except MemoryError:
++            pass # acceptable on 32-bit
++
++    @precisionbigmemtest(size=_4G / 5 + 70, memuse=3)
++    def test_encode_utf7(self, size):
++        try:
++            return self.basic_encode_test(size, 'utf7')
++        except MemoryError:
++            pass # acceptable on 32-bit
++
++    @precisionbigmemtest(size=_2G-1, memuse=2)
++    def test_decodeascii(self, size):
++        return self.basic_encode_test(size, 'ascii', c='A')
++
++    @precisionbigmemtest(size=_4G / 5, memuse=6+2)
++    def test_unicode_repr_oflw(self, size):
++        try:
++            s = u"\uAAAA"*size
++            r = repr(s)
++        except MemoryError:
++            pass # acceptable on 32-bit
++        else:
++            self.failUnless(s == eval(r))
+ 
+     @bigmemtest(minsize=_2G, memuse=2)
+     def test_endswith(self, size):
+@@ -459,6 +509,11 @@
+         self.assertEquals(s.count('\\'), size)
+         self.assertEquals(s.count('0'), size * 2)
+ 
++    @bigmemtest(minsize=2**32 / 5, memuse=6+2)
++    def test_unicode_repr(self, size):
++        s = u"\uAAAA" * size
++        self.failUnless(len(repr(s)) > size)
++
+     # This test is meaningful even with size < 2G, as long as the
+     # doubled string is > 2G (but it tests more if both are > 2G :)
+     @bigmemtest(minsize=_1G + 2, memuse=3)
+@@ -642,6 +697,35 @@
+     def test_repeat_large(self, size):
+         return self.basic_test_repeat(size)
+ 
++    @bigmemtest(minsize=_1G - 1, memuse=12)
++    def test_repeat_large_2(self, size):
++        return self.basic_test_repeat(size)
++
++    @precisionbigmemtest(size=_1G - 1, memuse=9)
++    def test_from_2G_generator(self, size):
++        try:
++            t = tuple(xrange(size))
++        except MemoryError:
++            pass # acceptable on 32-bit
++        else:
++            count = 0
++            for item in t:
++                self.assertEquals(item, count)
++                count += 1
++            self.assertEquals(count, size)
++
++    @precisionbigmemtest(size=_1G - 25, memuse=9)
++    def test_from_almost_2G_generator(self, size):
++        try:
++            t = tuple(xrange(size))
++            count = 0
++            for item in t:
++                self.assertEquals(item, count)
++                count += 1
++            self.assertEquals(count, size)
++        except MemoryError:
++            pass # acceptable, expected on 32-bit
++
+     # Like test_concat, split in two.
+     def basic_test_repr(self, size):
+         t = (0,) * size
+@@ -957,8 +1041,34 @@
+         self.assertEquals(l[:10], [1] * 10)
+         self.assertEquals(l[-10:], [5] * 10)
+ 
++class BufferTest(unittest.TestCase):
++
++    @precisionbigmemtest(size=_1G, memuse=4)
++    def test_repeat(self, size):
++        try:
++            b = buffer("AAAA")*size
++        except MemoryError:
++            pass # acceptable on 32-bit
++        else:
++            count = 0
++            for c in b:
++                self.assertEquals(c, 'A')
++                count += 1
++            self.assertEquals(count, size*4)
++
+ def test_main():
+-    test_support.run_unittest(StrTest, TupleTest, ListTest)
++    test_support.run_unittest(StrTest, TupleTest, ListTest, BufferTest)
++
++# Expected failures (crashers)
++# del StrTest.test_center_unicode
++del StrTest.test_decodeascii
++# del StrTest.test_encode_utf32
++# del StrTest.test_encode_utf7
++# del StrTest.test_encode_raw_unicode_escape
++#
++# del TupleTest.test_from_2G_generator
++#
++# del BufferTest.test_repeat
+ 
+ if __name__ == '__main__':
+     if len(sys.argv) > 1:
diff -ruN python25.orig/files/patch-bi python25/files/patch-bi
--- python25.orig/files/patch-bi	1969-12-31 19:00:00.000000000 -0500
+++ python25/files/patch-bi	2008-09-07 01:54:52.666295927 -0400
@@ -0,0 +1,66 @@
+
+
+Patch for CVE-2008-2315 taken from Gentoo.
+
+--- Lib/test/test_support.py.orig	2008-01-27 01:24:44.000000000 +0000
++++ Lib/test/test_support.py	2008-08-30 10:16:13.000000000 +0100
+@@ -33,6 +33,7 @@
+ use_resources = None     # Flag set to [] by regrtest.py
+ max_memuse = 0           # Disable bigmem tests (they will still be run with
+                          # small sizes, to make sure they work.)
++real_max_memuse = 0
+ 
+ # _original_stdout is meant to hold stdout at the time regrtest began.
+ # This may be "the real" stdout, or IDLE's emulation of stdout, or whatever.
+@@ -323,6 +324,7 @@
+ _1M = 1024*1024
+ _1G = 1024 * _1M
+ _2G = 2 * _1G
++_4G = 4 * _1G
+ 
+ # Hack to get at the maximum value an internal index can take.
+ class _Dummy:
+@@ -333,6 +335,7 @@
+ def set_memlimit(limit):
+     import re
+     global max_memuse
++    global real_max_memuse
+     sizes = {
+         'k': 1024,
+         'm': _1M,
+@@ -344,6 +347,7 @@
+     if m is None:
+         raise ValueError('Invalid memory limit %r' % (limit,))
+     memlimit = int(float(m.group(1)) * sizes[m.group(3).lower()])
++    real_max_memuse = memlimit
+     if memlimit > MAX_Py_ssize_t:
+         memlimit = MAX_Py_ssize_t
+     if memlimit < _2G - 1:
+@@ -389,6 +393,27 @@
+         return wrapper
+     return decorator
+ 
++def precisionbigmemtest(size, memuse, overhead=5*_1M):
++    def decorator(f):
++        def wrapper(self):
++            if not real_max_memuse:
++                maxsize = 5147
++            else:
++                maxsize = size
++
++                if real_max_memuse and real_max_memuse < maxsize * memuse:
++                    if verbose:
++                        sys.stderr.write("Skipping %s because of memory "
++                                         "constraint\n" % (f.__name__,))
++                    return
++
++            return f(self, maxsize)
++        wrapper.size = size
++        wrapper.memuse = memuse
++        wrapper.overhead = overhead
++        return wrapper
++    return decorator
++
+ def bigaddrspacetest(f):
+     """Decorator for tests that fill the address space."""
+     def wrapper(self):
diff -ruN python25.orig/files/patch-bj python25/files/patch-bj
--- python25.orig/files/patch-bj	1969-12-31 19:00:00.000000000 -0500
+++ python25/files/patch-bj	2008-09-07 01:54:52.676296639 -0400
@@ -0,0 +1,35 @@
+
+
+Patch for CVE-2008-2315 taken from Gentoo.
+
+--- Modules/stropmodule.c.orig	2008-02-14 11:26:18.000000000 +0000
++++ Modules/stropmodule.c	2008-08-30 10:16:13.000000000 +0100
+@@ -216,6 +216,13 @@
+ 				return NULL;
+ 			}
+ 			slen = PyString_GET_SIZE(item);
++			if (slen > PY_SSIZE_T_MAX - reslen ||
++			    seplen > PY_SSIZE_T_MAX - reslen - seplen) {
++				PyErr_SetString(PyExc_OverflowError,
++						"input too long");
++				Py_DECREF(res);
++				return NULL;
++			}
+ 			while (reslen + slen + seplen >= sz) {
+ 				if (_PyString_Resize(&res, sz * 2) < 0)
+ 					return NULL;
+@@ -253,6 +260,14 @@
+ 			return NULL;
+ 		}
+ 		slen = PyString_GET_SIZE(item);
++		if (slen > PY_SSIZE_T_MAX - reslen ||
++		    seplen > PY_SSIZE_T_MAX - reslen - seplen) {
++			PyErr_SetString(PyExc_OverflowError,
++					"input too long");
++			Py_DECREF(res);
++			Py_XDECREF(item);
++			return NULL;
++		}
+ 		while (reslen + slen + seplen >= sz) {
+ 			if (_PyString_Resize(&res, sz * 2) < 0) {
+ 				Py_DECREF(item);
diff -ruN python25.orig/files/patch-bk python25/files/patch-bk
--- python25.orig/files/patch-bk	1969-12-31 19:00:00.000000000 -0500
+++ python25/files/patch-bk	2008-09-07 01:54:52.676296639 -0400
@@ -0,0 +1,27 @@
+
+
+Patch for CVE-2008-2315 taken from Gentoo.
+
+--- Modules/gcmodule.c.orig	2006-10-09 20:42:33.000000000 +0100
++++ Modules/gcmodule.c	2008-08-30 10:16:13.000000000 +0100
+@@ -1318,7 +1318,10 @@
+ _PyObject_GC_Malloc(size_t basicsize)
+ {
+ 	PyObject *op;
+-	PyGC_Head *g = (PyGC_Head *)PyObject_MALLOC(
++	PyGC_Head *g;
++	if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head))
++		return PyErr_NoMemory();
++	g = (PyGC_Head *)PyObject_MALLOC(
+                 sizeof(PyGC_Head) + basicsize);
+ 	if (g == NULL)
+ 		return PyErr_NoMemory();
+@@ -1361,6 +1364,8 @@
+ {
+ 	const size_t basicsize = _PyObject_VAR_SIZE(op->ob_type, nitems);
+ 	PyGC_Head *g = AS_GC(op);
++	if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head))
++		return (PyVarObject *)PyErr_NoMemory();
+ 	g = (PyGC_Head *)PyObject_REALLOC(g,  sizeof(PyGC_Head) + basicsize);
+ 	if (g == NULL)
+ 		return (PyVarObject *)PyErr_NoMemory();
diff -ruN python25.orig/files/patch-ca python25/files/patch-ca
--- python25.orig/files/patch-ca	1969-12-31 19:00:00.000000000 -0500
+++ python25/files/patch-ca	2008-09-07 01:54:52.686297072 -0400
@@ -0,0 +1,62 @@
+
+
+Patch for CVE-2008-3142 taken from Gentoo.
+
+--- Include/pymem.h.orig	2008-02-14 11:26:18.000000000 +0000
++++ Include/pymem.h	2008-08-30 10:39:43.000000000 +0100
+@@ -67,8 +67,12 @@
+    for malloc(0), which would be treated as an error. Some platforms
+    would return a pointer with no memory behind it, which would break
+    pymalloc. To solve these problems, allocate an extra byte. */
+-#define PyMem_MALLOC(n)         malloc((n) ? (n) : 1)
+-#define PyMem_REALLOC(p, n)     realloc((p), (n) ? (n) : 1)
++/* Returns NULL to indicate error if a negative size or size larger than
++   Py_ssize_t can represent is supplied.  Helps prevents security holes. */
++#define PyMem_MALLOC(n)		(((n) < 0 || (n) > PY_SSIZE_T_MAX) ? NULL \
++				: malloc((n) ? (n) : 1))
++#define PyMem_REALLOC(p, n)	(((n) < 0 || (n) > PY_SSIZE_T_MAX) ? NULL \
++				: realloc((p), (n) ? (n) : 1))
+ #define PyMem_FREE		free
+ 
+ #endif	/* PYMALLOC_DEBUG */
+@@ -77,24 +81,31 @@
+  * Type-oriented memory interface
+  * ==============================
+  *
+- * These are carried along for historical reasons.  There's rarely a good
+- * reason to use them anymore (you can just as easily do the multiply and
+- * cast yourself).
++ * Allocate memory for n objects of the given type.  Returns a new pointer
++ * or NULL if the request was too large or memory allocation failed.  Use
++ * these macros rather than doing the multiplication yourself so that proper
++ * overflow checking is always done.
+  */
+ 
+ #define PyMem_New(type, n) \
+-  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
++  ( ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \
+ 	( (type *) PyMem_Malloc((n) * sizeof(type)) ) )
+ #define PyMem_NEW(type, n) \
+-  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
++  ( ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \
+ 	( (type *) PyMem_MALLOC((n) * sizeof(type)) ) )
+ 
++/*
++ * The value of (p) is always clobbered by this macro regardless of success.
++ * The caller MUST check if (p) is NULL afterwards and deal with the memory
++ * error if so.  This means the original value of (p) MUST be saved for the
++ * caller's memory error handler to not lose track of it.
++ */
+ #define PyMem_Resize(p, type, n) \
+-  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
+-	( (p) = (type *) PyMem_Realloc((p), (n) * sizeof(type)) ) )
++  ( (p) = ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \
++	(type *) PyMem_Realloc((p), (n) * sizeof(type)) )
+ #define PyMem_RESIZE(p, type, n) \
+-  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
+-	( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) )
++  ( (p) = ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \
++	(type *) PyMem_REALLOC((p), (n) * sizeof(type)) )
+ 
+ /* PyMem{Del,DEL} are left over from ancient days, and shouldn't be used
+  * anymore.  They're just confusing aliases for PyMem_{Free,FREE} now.
diff -ruN python25.orig/files/patch-cb python25/files/patch-cb
--- python25.orig/files/patch-cb	1969-12-31 19:00:00.000000000 -0500
+++ python25/files/patch-cb	2008-09-07 01:54:52.696296108 -0400
@@ -0,0 +1,38 @@
+
+
+Patch for CVE-2008-3142 taken from Gentoo.
+
+--- Objects/obmalloc.c.orig	2008-02-14 11:26:18.000000000 +0000
++++ Objects/obmalloc.c	2008-08-30 10:39:43.000000000 +0100
+@@ -727,6 +727,15 @@
+ 	uint size;
+ 
+ 	/*
++	 * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes.
++	 * Most python internals blindly use a signed Py_ssize_t to track
++	 * things without checking for overflows or negatives.
++	 * As size_t is unsigned, checking for nbytes < 0 is not required.
++	 */
++	if (nbytes > PY_SSIZE_T_MAX)
++		return NULL;
++
++	/*
+ 	 * This implicitly redirects malloc(0).
+ 	 */
+ 	if ((nbytes - 1) < SMALL_REQUEST_THRESHOLD) {
+@@ -1130,6 +1139,15 @@
+ 	if (p == NULL)
+ 		return PyObject_Malloc(nbytes);
+ 
++	/*
++	 * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes.
++	 * Most python internals blindly use a signed Py_ssize_t to track
++	 * things without checking for overflows or negatives.
++	 * As size_t is unsigned, checking for nbytes < 0 is not required.
++	 */
++	if (nbytes > PY_SSIZE_T_MAX)
++		return NULL;
++
+ 	pool = POOL_ADDR(p);
+ 	if (Py_ADDRESS_IN_RANGE(p, pool)) {
+ 		/* We're in charge of this block */
diff -ruN python25.orig/files/patch-cc python25/files/patch-cc
--- python25.orig/files/patch-cc	1969-12-31 19:00:00.000000000 -0500
+++ python25/files/patch-cc	2008-09-07 01:54:52.696296108 -0400
@@ -0,0 +1,18 @@
+
+
+Patch for CVE-2008-3142 taken from Gentoo.
+
+--- Modules/almodule.c.orig	2006-09-25 07:53:42.000000000 +0100
++++ Modules/almodule.c	2008-08-30 10:39:43.000000000 +0100
+@@ -1633,9 +1633,11 @@
+ 	if (nvals < 0)
+ 		goto cleanup;
+ 	if (nvals > setsize) {
++		ALvalue *old_return_set = return_set;
+ 		setsize = nvals;
+ 		PyMem_RESIZE(return_set, ALvalue, setsize);
+ 		if (return_set == NULL) {
++			return_set = old_return_set;
+ 			PyErr_NoMemory();
+ 			goto cleanup;
+ 		}
diff -ruN python25.orig/files/patch-cd python25/files/patch-cd
--- python25.orig/files/patch-cd	1969-12-31 19:00:00.000000000 -0500
+++ python25/files/patch-cd	2008-09-07 01:54:52.706297100 -0400
@@ -0,0 +1,37 @@
+
+
+Patch for CVE-2008-3142 taken from Gentoo.
+
+--- Modules/arraymodule.c.orig	2008-02-15 19:11:46.000000000 +0000
++++ Modules/arraymodule.c	2008-08-30 10:39:43.000000000 +0100
+@@ -816,6 +816,7 @@
+ array_do_extend(arrayobject *self, PyObject *bb)
+ {
+ 	Py_ssize_t size;
++	char *old_item;
+ 
+ 	if (!array_Check(bb))
+ 		return array_iter_extend(self, bb);
+@@ -831,10 +832,11 @@
+ 			return -1;
+ 	}
+ 	size = self->ob_size + b->ob_size;
++	old_item = self->ob_item;
+         PyMem_RESIZE(self->ob_item, char, size*self->ob_descr->itemsize);
+         if (self->ob_item == NULL) {
+-                PyObject_Del(self);
+-                PyErr_NoMemory();
++		self->ob_item = old_item;
++		PyErr_NoMemory();
+ 		return -1;
+         }
+ 	memcpy(self->ob_item + self->ob_size*self->ob_descr->itemsize,
+@@ -886,7 +888,7 @@
+ 			if (size > PY_SSIZE_T_MAX / n) {
+ 				return PyErr_NoMemory();
+ 			}
+-			PyMem_Resize(items, char, n * size);
++			PyMem_RESIZE(items, char, n * size);
+ 			if (items == NULL)
+ 				return PyErr_NoMemory();
+ 			p = items;
diff -ruN python25.orig/files/patch-ce python25/files/patch-ce
--- python25.orig/files/patch-ce	1969-12-31 19:00:00.000000000 -0500
+++ python25/files/patch-ce	2008-09-07 01:54:52.706297100 -0400
@@ -0,0 +1,20 @@
+
+
+Patch for CVE-2008-3142 taken from Gentoo.
+
+--- Modules/selectmodule.c.orig	2006-07-10 02:18:57.000000000 +0100
++++ Modules/selectmodule.c	2008-08-30 10:39:43.000000000 +0100
+@@ -349,10 +349,12 @@
+ {
+ 	Py_ssize_t i, pos;
+ 	PyObject *key, *value;
++        struct pollfd *old_ufds = self->ufds;
+ 
+ 	self->ufd_len = PyDict_Size(self->dict);
+-	PyMem_Resize(self->ufds, struct pollfd, self->ufd_len);
++	PyMem_RESIZE(self->ufds, struct pollfd, self->ufd_len);
+ 	if (self->ufds == NULL) {
++                self->ufds = old_ufds;
+ 		PyErr_NoMemory();
+ 		return 0;
+ 	}
diff -ruN python25.orig/files/patch-da python25/files/patch-da
--- python25.orig/files/patch-da	1969-12-31 19:00:00.000000000 -0500
+++ python25/files/patch-da	2008-09-07 01:54:52.706297100 -0400
@@ -0,0 +1,45 @@
+
+
+Patch for CVE-2008-2316 taken from Gentoo.
+
+--- Lib/test/test_hashlib.py.orig	2005-08-21 19:45:59.000000000 +0100
++++ Lib/test/test_hashlib.py	2008-08-30 10:43:27.000000000 +0100
+@@ -9,7 +9,7 @@
+ import hashlib
+ import unittest
+ from test import test_support
+-
++from test.test_support import _4G, precisionbigmemtest
+ 
+ def hexstr(s):
+     import string
+@@ -55,7 +55,6 @@
+             m2.update(aas + bees + cees)
+             self.assertEqual(m1.digest(), m2.digest())
+ 
+-
+     def check(self, name, data, digest):
+         # test the direct constructors
+         computed = getattr(hashlib, name)(data).hexdigest()
+@@ -75,6 +74,21 @@
+         self.check('md5', 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789',
+                    'd174ab98d277d9f5a5611c2c9f419d9f')
+ 
++    @precisionbigmemtest(size=_4G + 5, memuse=1)
++    def test_case_md5_huge(self, size):
++        if size == _4G + 5:
++            try:
++                self.check('md5', 'A'*size, 'c9af2dff37468ce5dfee8f2cfc0a9c6d')
++            except OverflowError:
++                pass # 32-bit arch
++
++    @precisionbigmemtest(size=_4G - 1, memuse=1)
++    def test_case_md5_uintmax(self, size):
++        if size == _4G - 1:
++            try:
++                self.check('md5', 'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3')
++            except OverflowError:
++                pass # 32-bit arch
+ 
+     # use the three examples from Federal Information Processing Standards
+     # Publication 180-1, Secure Hash Standard,  1995 April 17
diff -ruN python25.orig/files/patch-db python25/files/patch-db
--- python25.orig/files/patch-db	1969-12-31 19:00:00.000000000 -0500
+++ python25/files/patch-db	2008-09-07 01:54:52.706297100 -0400
@@ -0,0 +1,108 @@
+
+
+Patch for CVE-2008-2316 taken from Gentoo.
+
+--- Modules/_hashopenssl.c.orig	2006-05-29 22:04:52.000000000 +0100
++++ Modules/_hashopenssl.c	2008-08-30 10:43:27.000000000 +0100
+@@ -19,6 +19,8 @@
+ /* EVP is the preferred interface to hashing in OpenSSL */
+ #include <openssl/evp.h>
+ 
++#define MUNCH_SIZE INT_MAX
++
+ 
+ #ifndef HASH_OBJ_CONSTRUCTOR
+ #define HASH_OBJ_CONSTRUCTOR 0
+@@ -164,9 +166,18 @@
+     if (!PyArg_ParseTuple(args, "s#:update", &cp, &len))
+         return NULL;
+ 
++    if (len > 0 && len <= MUNCH_SIZE) {
+     EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t,
+                                                       unsigned int));
+-
++    } else {
++        Py_ssize_t offset = 0;
++        while (len) {
++            unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len;
++            EVP_DigestUpdate(&self->ctx, cp + offset, process);
++            len -= process;
++            offset += process;
++        }
++    }
+     Py_INCREF(Py_None);
+     return Py_None;
+ }
+@@ -255,9 +266,20 @@
+     self->name = name_obj;
+     Py_INCREF(self->name);
+ 
+-    if (cp && len)
++    if (cp && len) {
++        if (len > 0 && len <= MUNCH_SIZE) {
+         EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t,
+                                                           unsigned int));
++        } else {
++            Py_ssize_t offset = 0;
++            while (len) {
++                unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len;
++                EVP_DigestUpdate(&self->ctx, cp + offset, process);
++                len -= process;
++                offset += process;
++            }
++        }
++    }
+ 
+     return 0;
+ }
+@@ -328,7 +350,7 @@
+ static PyObject *
+ EVPnew(PyObject *name_obj,
+        const EVP_MD *digest, const EVP_MD_CTX *initial_ctx,
+-       const unsigned char *cp, unsigned int len)
++       const unsigned char *cp, Py_ssize_t len)
+ {
+     EVPobject *self;
+ 
+@@ -346,8 +368,20 @@
+         EVP_DigestInit(&self->ctx, digest);
+     }
+ 
+-    if (cp && len)
+-        EVP_DigestUpdate(&self->ctx, cp, len);
++    if (cp && len) {
++        if (len > 0 && len <= MUNCH_SIZE) {
++            EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t,
++                                                              unsigned int));
++        } else {
++            Py_ssize_t offset = 0;
++            while (len) {
++                unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len;
++                EVP_DigestUpdate(&self->ctx, cp + offset, process);
++                len -= process;
++                offset += process;
++            }
++        }
++    }
+ 
+     return (PyObject *)self;
+ }
+@@ -384,8 +418,7 @@
+ 
+     digest = EVP_get_digestbyname(name);
+ 
+-    return EVPnew(name_obj, digest, NULL, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t,
+-                                                               unsigned int));
++    return EVPnew(name_obj, digest, NULL, cp, len);
+ }
+ 
+ /*
+@@ -410,7 +443,7 @@
+                 CONST_ ## NAME ## _name_obj, \
+                 NULL, \
+                 CONST_new_ ## NAME ## _ctx_p, \
+-                cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, unsigned int)); \
++                cp, len); \
+     }
+ 
+ /* a PyMethodDef structure for the constructor */
diff -ruN python25.orig/files/patch-ea python25/files/patch-ea
--- python25.orig/files/patch-ea	1969-12-31 19:00:00.000000000 -0500
+++ python25/files/patch-ea	2008-09-07 01:54:52.536293091 -0400
@@ -0,0 +1,59 @@
+
+
+Patch for CVE-2008-3144 taken from Gentoo.
+
+--- Python/mysnprintf.c.orig	2001-12-21 16:32:15.000000000 +0000
++++ Python/mysnprintf.c	2008-08-30 10:46:31.000000000 +0100
+@@ -54,18 +54,28 @@
+ PyOS_vsnprintf(char *str, size_t size, const char  *format, va_list va)
+ {
+ 	int len;  /* # bytes written, excluding \0 */
+-#ifndef HAVE_SNPRINTF
++#ifdef HAVE_SNPRINTF
++#define _PyOS_vsnprintf_EXTRA_SPACE 1
++#else
++#define _PyOS_vsnprintf_EXTRA_SPACE 512
+ 	char *buffer;
+ #endif
+ 	assert(str != NULL);
+ 	assert(size > 0);
+ 	assert(format != NULL);
++	/* We take a size_t as input but return an int.  Sanity check
++	 * our input so that it won't cause an overflow in the
++         * vsnprintf return value or the buffer malloc size.  */
++	if (size > INT_MAX - _PyOS_vsnprintf_EXTRA_SPACE) {
++		len = -666;
++		goto Done;
++	}
+ 
+ #ifdef HAVE_SNPRINTF
+ 	len = vsnprintf(str, size, format, va);
+ #else
+ 	/* Emulate it. */
+-	buffer = PyMem_MALLOC(size + 512);
++	buffer = PyMem_MALLOC(size + _PyOS_vsnprintf_EXTRA_SPACE);
+ 	if (buffer == NULL) {
+ 		len = -666;
+ 		goto Done;
+@@ -75,7 +85,7 @@
+ 	if (len < 0)
+ 		/* ignore the error */;
+ 
+-	else if ((size_t)len >= size + 512)
++	else if ((size_t)len >= size + _PyOS_vsnprintf_EXTRA_SPACE)
+ 		Py_FatalError("Buffer overflow in PyOS_snprintf/PyOS_vsnprintf");
+ 
+ 	else {
+@@ -86,8 +96,10 @@
+ 		str[to_copy] = '\0';
+ 	}
+ 	PyMem_FREE(buffer);
+-Done:
+ #endif
+-	str[size-1] = '\0';
++Done:
++	if (size > 0)
++		str[size-1] = '\0';
+ 	return len;
++#undef _PyOS_vsnprintf_EXTRA_SPACE
+ }


>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200809070613.m876D0ZI010003>