pool/python
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- Add CVE-2022-48560-after-free-heappushpop.patch fixing

Browse Source 
use-after-free in Python via heappushpop in heapq (bsc#1214675,
  CVE-2022-48560).
- switch from %patchN style to the %patch -P N one.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=391
This commit is contained in:
Matej Cepl 2023-11-27 16:32:40 +00:00 committed by Git OBS Bridge
parent 051c784297
commit 30e970e5f7
3 changed files with 194 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

132
CVE-2022-48560-after-free-heappushpop.patch Normal file
View File

@ -0,0 +1,132 @@
From 5179d30710e6185dc7e6a6098ab23fe068b0d85b Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Thu, 23 Nov 2023 13:25:44 +0100
Subject: [PATCH] 00408-cve-2022-48560.patch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Security fix for CVE-2022-48560: python3: use after free in heappushpop()
of heapq module
Resolved upstream: https://github.com/python/cpython/issues/83602
Backported from Python 3.6.11.
Co-authored-by: Pablo Galindo <Pablogsal@gmail.com>
Co-authored-by: Lumír Balhar <lbalhar@redhat.com>
---
Lib/test/test_heapq.py | 32 ++++++++++++++++++++++++++++++++
Modules/_heapqmodule.c | 31 ++++++++++++++++++++++++-------
2 files changed, 56 insertions(+), 7 deletions(-)
--- a/Lib/test/test_heapq.py
+++ b/Lib/test/test_heapq.py
@@ -396,6 +396,38 @@ class TestErrorHandling(TestCase):
with self.assertRaises((IndexError, RuntimeError)):
self.module.heappop(heap)
+ def test_comparison_operator_modifiying_heap(self):
+ # See bpo-39421: Strong references need to be taken
+ # when comparing objects as they can alter the heap
+ class EvilClass(int):
+ def __lt__(self, o):
+ heap[:] = []
+ return NotImplemented
+
+ heap = []
+ self.module.heappush(heap, EvilClass(0))
+ self.assertRaises(IndexError, self.module.heappushpop, heap, 1)
+
+ def test_comparison_operator_modifiying_heap_two_heaps(self):
+
+ class h(int):
+ def __lt__(self, o):
+ list2[:] = []
+ return NotImplemented
+
+ class g(int):
+ def __lt__(self, o):
+ list1[:] = []
+ return NotImplemented
+
+ list1, list2 = [], []
+
+ self.module.heappush(list1, h(0))
+ self.module.heappush(list2, g(0))
+
+ self.assertRaises((IndexError, RuntimeError), self.module.heappush, list1, g(1))
+ self.assertRaises((IndexError, RuntimeError), self.module.heappush, list2, h(1))
+
class TestErrorHandlingPython(TestErrorHandling):
module = py_heapq
--- a/Modules/_heapqmodule.c
+++ b/Modules/_heapqmodule.c
@@ -52,7 +52,11 @@ _siftdown(PyListObject *heap, Py_ssize_t
while (pos > startpos) {
parentpos = (pos - 1) >> 1;
parent = PyList_GET_ITEM(heap, parentpos);
+ Py_INCREF(newitem);
+ Py_INCREF(parent);
cmp = cmp_lt(newitem, parent);
+ Py_DECREF(parent);
+ Py_DECREF(newitem);
if (cmp == -1)
return -1;
if (size != PyList_GET_SIZE(heap)) {
@@ -93,9 +97,13 @@ _siftup(PyListObject *heap, Py_ssize_t p
childpos = 2*pos + 1; /* leftmost child position */
rightpos = childpos + 1;
if (rightpos < endpos) {
- cmp = cmp_lt(
- PyList_GET_ITEM(heap, childpos),
- PyList_GET_ITEM(heap, rightpos));
+ PyObject* a = PyList_GET_ITEM(heap, childpos);
+ PyObject* b = PyList_GET_ITEM(heap, rightpos);
+ Py_INCREF(a);
+ Py_INCREF(b);
+ cmp = cmp_lt(a, b);
+ Py_DECREF(a);
+ Py_DECREF(b);
if (cmp == -1)
return -1;
if (cmp == 0)
@@ -236,7 +244,10 @@ heappushpop(PyObject *self, PyObject *ar
return item;
}
- cmp = cmp_lt(PyList_GET_ITEM(heap, 0), item);
+ PyObject* top = PyList_GET_ITEM(heap, 0);
+ Py_INCREF(top);
+ cmp = cmp_lt(top, item);
+ Py_DECREF(top);
if (cmp == -1)
return NULL;
if (cmp == 0) {
@@ -395,7 +406,9 @@ _siftdownmax(PyListObject *heap, Py_ssiz
while (pos > startpos){
parentpos = (pos - 1) >> 1;
parent = PyList_GET_ITEM(heap, parentpos);
+ Py_INCREF(parent);
cmp = cmp_lt(parent, newitem);
+ Py_DECREF(parent);
if (cmp == -1) {
Py_DECREF(newitem);
return -1;
@@ -436,9 +449,13 @@ _siftupmax(PyListObject *heap, Py_ssize_
childpos = 2*pos + 1; /* leftmost child position */
rightpos = childpos + 1;
if (rightpos < endpos) {
- cmp = cmp_lt(
- PyList_GET_ITEM(heap, rightpos),
- PyList_GET_ITEM(heap, childpos));
+ PyObject* a = PyList_GET_ITEM(heap, rightpos);
+ PyObject* b = PyList_GET_ITEM(heap, childpos);
+ Py_INCREF(a);
+ Py_INCREF(b);
+ cmp = cmp_lt(a, b);
+ Py_DECREF(a);
+ Py_DECREF(b);
if (cmp == -1) {
Py_DECREF(newitem);
return -1;

8
python-base.changes
View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Mon Nov 27 16:30:33 UTC 2023 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2022-48560-after-free-heappushpop.patch fixing
use-after-free in Python via heappushpop in heapq (bsc#1214675,
CVE-2022-48560).
- switch from %patchN style to the %patch -P N one.
-------------------------------------------------------------------
Sat Sep 30 11:43:49 UTC 2023 - Matej Cepl <mcepl@suse.com>

104
python-base.spec
View File

@ -162,6 +162,9 @@ Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch
# Make compare_digest more constant-time
Patch80: CVE-2022-48566-compare_digest-more-constant.patch
# COMMON-PATCH-END
# PATCH-FIX-UPSTREAM CVE-2022-48560-after-free-heappushpop.patch bsc#1214675 mcepl@suse.com
# fix use after free in heapq.heappushpop()
Patch81: CVE-2022-48560-after-free-heappushpop.patch
%define python_version %(echo %{tarversion} | head -c 3)
BuildRequires: automake
BuildRequires: fdupes
@ -256,67 +259,68 @@ other applications.
%setup -q -n %{tarname}
# patching
# COMMON-PREP-BEGIN
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch7 -p1
%patch8 -p1
%patch10 -p1
%patch13 -p1
%patch17 -p1
%patch20 -p1
%patch22 -p1
%patch24 -p1
%patch33 -p1
%patch -P 1 -p1
%patch -P 2 -p1
%patch -P 3 -p1
%patch -P 4 -p1
%patch -P 5 -p1
%patch -P 7 -p1
%patch -P 8 -p1
%patch -P 10 -p1
%patch -P 13 -p1
%patch -P 17 -p1
%patch -P 20 -p1
%patch -P 22 -p1
%patch -P 24 -p1
%patch -P 33 -p1
%if %{suse_version} < 1500 && !0%{?is_opensuse}
%patch34 -p1
%patch -P 34 -p1
%endif
%patch35 -p1
%patch38 -p1
%patch -P 35 -p1
%patch -P 38 -p1
%ifarch ppc ppc64 ppc64le
%patch40 -p1
%patch -P 40 -p1
%endif
%patch41 -p1
%patch -P 41 -p1
%if %{suse_version} >= 1500 || (0%{?sle_version} && 0%{?sle_version} >= 120400)
%patch47 -p1
%patch48 -p1
%patch -P 47 -p1
%patch -P 48 -p1
%endif
# SLE-12 needs to skip more
%if %{suse_version} == 1315
%patch57 -p1
%patch -P 57 -p1
%endif
%patch49 -p1
%patch50 -p1
%patch51 -p1
%patch55 -p1
%patch56 -p1
%patch58 -p1
%patch59 -p1
%patch60 -p1
%patch61 -p1
%patch62 -p1
%patch63 -p1
%patch64 -p1
%patch65 -p1
%patch66 -p1
%patch67 -p1
%patch68 -p1
%patch69 -p1
%patch70 -p1
%patch71 -p1
%patch72 -p1
%patch73 -p1
%patch -P 49 -p1
%patch -P 50 -p1
%patch -P 51 -p1
%patch -P 55 -p1
%patch -P 56 -p1
%patch -P 58 -p1
%patch -P 59 -p1
%patch -P 60 -p1
%patch -P 61 -p1
%patch -P 62 -p1
%patch -P 63 -p1
%patch -P 64 -p1
%patch -P 65 -p1
%patch -P 66 -p1
%patch -P 67 -p1
%patch -P 68 -p1
%patch -P 69 -p1
%patch -P 70 -p1
%patch -P 71 -p1
%patch -P 72 -p1
%patch -P 73 -p1
%if 0%{?sle_version} && 0%{?sle_version} < 150000
%patch74 -p1
%patch -P 74 -p1
%endif
%patch75 -p1
%patch76 -p1
# %%patch77 -p1
%patch78 -p1
%patch79 -p1
%patch80 -p1
%patch -P 75 -p1
%patch -P 76 -p1
# %%patch -P 77 -p1
%patch -P 78 -p1
%patch -P 79 -p1
%patch -P 80 -p1
%patch -P 81 -p1
# For patch 66
cp -v %{SOURCE66} Lib/test/recursion.tar