Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 17 Feb 2012 15:26:17 GMT
From:      Spil <spil.oss@gmail.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/165239: lang/python27 2.x/3.x DoS vulnerable
Message-ID:  <201202171526.q1HFQHUH053984@red.freebsd.org>
Resent-Message-ID: <201202171530.q1HFUFwK051790@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         165239
>Category:       ports
>Synopsis:       lang/python27 2.x/3.x DoS vulnerable
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 17 15:30:15 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Spil
>Release:        FreeBSD-9.0
>Organization:
n.a.
>Environment:
FreeBSD gw.example.org 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Mon Jan  9 09:24:45 CET 2012     root@gw.example.org:/usr/obj/usr/src/sys/FREEBSD90  i386
>Description:
DoS vuln Python

http://www.vuxml.org/freebsd/b4f8be9e-56b2-11e1-9fb7-003067b2972c.html
http://bugs.python.org/issue14001

python bug report has a patch for the latest version but not for earlier versions
>How-To-Repeat:
n.a.
>Fix:
As per the patch on http://bugs.python.org/issue14001

--- Lib/SimpleXMLRPCServer.py.orig      2011-06-11 17:46:23.000000000 +0200
+++ Lib/SimpleXMLRPCServer.py   2012-02-17 16:17:11.000000000 +0100
@@ -486,7 +486,10 @@
             L = []
             while size_remaining:
                 chunk_size = min(size_remaining, max_chunk_size)
-                L.append(self.rfile.read(chunk_size))
+                chunk = self.rfile.read(chunk_size)
+                if not chunk:
+                    break
+                L.append(chunk)
                 size_remaining -= len(L[-1])
             data = ''.join(L)

>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201202171526.q1HFQHUH053984>