pool/python
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing

Browse Source 
bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=292
This commit is contained in:
Matej Cepl 2021-01-31 18:01:03 +00:00 committed by Git OBS Bridge
parent a349f4646b
commit c021ec3bc1
7 changed files with 206 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

172
CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch Normal file
View File

@ -0,0 +1,172 @@
From 34df10a9a16b38d54421eeeaf73ec89828563be7 Mon Sep 17 00:00:00 2001
From: Benjamin Peterson <benjamin@python.org>
Date: Mon, 18 Jan 2021 15:11:46 -0600
Subject: [PATCH] [3.6] closes bpo-42938: Replace snprintf with Python unicode
formatting in ctypes param reprs. (GH-24250)
(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7)
Co-authored-by: Benjamin Peterson <benjamin@python.org>
---
Lib/ctypes/test/test_parameters.py | 43 +++++++++++++++
.../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 +
Modules/_ctypes/callproc.c | 55 +++++++------------
3 files changed, 66 insertions(+), 34 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
--- a/Lib/ctypes/test/test_parameters.py
+++ b/Lib/ctypes/test/test_parameters.py
@@ -1,4 +1,6 @@
-import unittest, sys
+import platform
+import sys
+import unittest
from ctypes.test import need_symbol
import test.support
@@ -206,6 +208,50 @@ class SimpleTypesTestCase(unittest.TestC
with self.assertRaises(ZeroDivisionError):
WorseStruct().__setstate__({}, b'foo')
+ def test_parameter_repr(self):
+ from ctypes import (
+ c_bool,
+ c_char,
+ c_wchar,
+ c_byte,
+ c_ubyte,
+ c_short,
+ c_ushort,
+ c_int,
+ c_uint,
+ c_long,
+ c_ulong,
+ c_longlong,
+ c_ulonglong,
+ c_float,
+ c_double,
+ c_longdouble,
+ c_char_p,
+ c_wchar_p,
+ c_void_p,
+ )
+ self.assertRegexpMatches(repr(c_bool.from_param(True)), r"^<cparam '\?' at 0x[A-Fa-f0-9]+>$")
+ self.assertEqual(repr(c_char.from_param('a')), "<cparam 'c' ('a')>")
+ self.assertRegexpMatches(repr(c_wchar.from_param('a')), r"^<cparam 'u' at 0x[A-Fa-f0-9]+>$")
+ self.assertEqual(repr(c_byte.from_param(98)), "<cparam 'b' (98)>")
+ self.assertEqual(repr(c_ubyte.from_param(98)), "<cparam 'B' (98)>")
+ self.assertEqual(repr(c_short.from_param(511)), "<cparam 'h' (511)>")
+ self.assertEqual(repr(c_ushort.from_param(511)), "<cparam 'H' (511)>")
+ self.assertRegexpMatches(repr(c_int.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
+ self.assertRegexpMatches(repr(c_uint.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
+ self.assertRegexpMatches(repr(c_long.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
+ self.assertRegexpMatches(repr(c_ulong.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
+ if platform.architecture()[0].startswith("64"):
+ self.assertRegexpMatches(repr(c_longlong.from_param(20000)), r"^<cparam '[liq]' \(20000\)>$")
+ self.assertRegexpMatches(repr(c_ulonglong.from_param(20000)), r"^<cparam '[LIQ]' \(20000\)>$")
+ self.assertEqual(repr(c_float.from_param(1.5)), "<cparam 'f' (1.5)>")
+ self.assertEqual(repr(c_double.from_param(1.5)), "<cparam 'd' (1.5)>")
+ self.assertEqual(repr(c_double.from_param(1e300)), "<cparam 'd' (1e+300)>")
+ self.assertRegexpMatches(repr(c_longdouble.from_param(1.5)), r"^<cparam ('d' \(1.5\)|'g' at 0x[A-Fa-f0-9]+)>$")
+ self.assertRegexpMatches(repr(c_char_p.from_param(b'hihi')), "^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$")
+ self.assertRegexpMatches(repr(c_wchar_p.from_param('hihi')), "^<cparam 'Z' \(0x[A-Fa-f0-9]+\)>$")
+ self.assertRegexpMatches(repr(c_void_p.from_param(0x12)), r"^<cparam 'P' \(0x0*12\)>$")
+
################################################################
if __name__ == '__main__':
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
@@ -0,0 +1,2 @@
+Avoid static buffers when computing the repr of :class:`ctypes.c_double` and
+:class:`ctypes.c_longdouble` values.
--- a/Modules/_ctypes/callproc.c
+++ b/Modules/_ctypes/callproc.c
@@ -460,50 +460,44 @@ PyCArg_dealloc(PyCArgObject *self)
static PyObject *
PyCArg_repr(PyCArgObject *self)
{
- char buffer[256];
switch(self->tag) {
case 'b':
case 'B':
- sprintf(buffer, "<cparam '%c' (%d)>",
+ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
self->tag, self->value.b);
- break;
case 'h':
case 'H':
- sprintf(buffer, "<cparam '%c' (%d)>",
+ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
self->tag, self->value.h);
- break;
case 'i':
case 'I':
- sprintf(buffer, "<cparam '%c' (%d)>",
+ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
self->tag, self->value.i);
- break;
case 'l':
case 'L':
- sprintf(buffer, "<cparam '%c' (%ld)>",
+ return PyUnicode_FromFormat("<cparam '%c' (%ld)>",
self->tag, self->value.l);
- break;
-#ifdef HAVE_LONG_LONG
+#if defined(HAVE_LONG_LONG) && defined(LLONG_MAX)
case 'q':
case 'Q':
- sprintf(buffer,
- "<cparam '%c' (%" PY_FORMAT_LONG_LONG "d)>",
+ return PyUnicode_FromFormat("<cparam '%c' (%lld)>",
self->tag, self->value.q);
- break;
#endif
case 'd':
- sprintf(buffer, "<cparam '%c' (%f)>",
- self->tag, self->value.d);
- break;
- case 'f':
- sprintf(buffer, "<cparam '%c' (%f)>",
- self->tag, self->value.f);
- break;
+ case 'f': {
+ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d);
+ if (f == NULL) {
+ return NULL;
+ }
+ PyObject *result = PyUnicode_FromFormat("<cparam '%c' (%R)>", self->tag, f);
+ Py_DECREF(f);
+ return result;
+ }
case 'c':
- sprintf(buffer, "<cparam '%c' (%c)>",
- self->tag, self->value.c);
- break;
+ return PyUnicode_FromFormat("<cparam '%c' ('%c')>",
+ self->tag, self->value.c);
/* Hm, are these 'z' and 'Z' codes useful at all?
Shouldn't they be replaced by the functionality of c_string
@@ -512,16 +506,13 @@ PyCArg_repr(PyCArgObject *self)
case 'z':
case 'Z':
case 'P':
- sprintf(buffer, "<cparam '%c' (%p)>",
+ return PyUnicode_FromFormat("<cparam '%c' (%p)>",
self->tag, self->value.p);
- break;
default:
- sprintf(buffer, "<cparam '%c' at %p>",
- self->tag, self);
- break;
+ return PyUnicode_FromFormat("<cparam '%c' at %p>",
+ (unsigned char)self->tag, (void *)self);
}
- return PyString_FromString(buffer);
}
static PyMemberDef PyCArgType_members[] = {

7
python-base.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Jan 25 23:35:49 UTC 2021 - Matej Cepl <mcepl@suse.com>
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
_ctypes/callproc.c, which may lead to remote code execution.
-------------------------------------------------------------------
Tue Jan 5 09:15:36 UTC 2021 - Matej Cepl <mcepl@suse.com>

4
python-base.spec
View File

@ -97,6 +97,9 @@ Patch59: CVE-2019-9674-zip-bomb.patch
# PATCH-FIX-UPSTREAM configure_PYTHON_FOR_REGEN.patch bsc#1078326 mcepl@suse.com
# PYTHON_FOR_REGEN value is set very weird upstream
Patch60: configure_PYTHON_FOR_REGEN.patch
# PATCH-FIX-SLE CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch bsc#1181126 mcepl@suse.com
# buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution
Patch61: CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch
# COMMON-PATCH-END
%define python_version %(echo %{tarversion} | head -c 3)
BuildRequires: automake
@ -222,6 +225,7 @@ other applications.
%patch58 -p1
%patch59 -p1
%patch60 -p1
%patch61 -p1
# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac

7
python-doc.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Jan 25 23:35:49 UTC 2021 - Matej Cepl <mcepl@suse.com>
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
_ctypes/callproc.c, which may lead to remote code execution.
-------------------------------------------------------------------
Tue Jan 5 09:15:36 UTC 2021 - Matej Cepl <mcepl@suse.com>

6
python-doc.spec
View File

@ -99,6 +99,9 @@ Patch59: CVE-2019-9674-zip-bomb.patch
# PATCH-FIX-UPSTREAM configure_PYTHON_FOR_REGEN.patch bsc#1078326 mcepl@suse.com
# PYTHON_FOR_REGEN value is set very weird upstream
Patch60: configure_PYTHON_FOR_REGEN.patch
# PATCH-FIX-SLE CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch bsc#1181126 mcepl@suse.com
# buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution
Patch61: CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch
# COMMON-PATCH-END
Provides: pyth_doc
Provides: pyth_ps
@ -166,6 +169,7 @@ Python, and Macintosh Module Reference in PDF format.
%patch58 -p1
%patch59 -p1
%patch60 -p1
%patch61 -p1
# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac
@ -194,7 +198,7 @@ mv $PDOCS/docs-pdf $PDOCS/paper-a4
tar xfj %{SOURCE3} -C $PDOCS
mv $PDOCS/docs-pdf $PDOCS/paper-letter
# this is part of main package
#install -c -m 644 README $PDOCS/README
#install -c -m 644 README $PDOCS/README
for i in Misc/* ; do
[ -f $i ] && install -c -m 644 $i $PDOCS/Misc/
done

7
python.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Jan 25 23:35:49 UTC 2021 - Matej Cepl <mcepl@suse.com>
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
_ctypes/callproc.c, which may lead to remote code execution.
-------------------------------------------------------------------
Tue Jan 5 09:15:36 UTC 2021 - Matej Cepl <mcepl@suse.com>

4
python.spec
View File

@ -99,6 +99,9 @@ Patch59: CVE-2019-9674-zip-bomb.patch
# PATCH-FIX-UPSTREAM configure_PYTHON_FOR_REGEN.patch bsc#1078326 mcepl@suse.com
# PYTHON_FOR_REGEN value is set very weird upstream
Patch60: configure_PYTHON_FOR_REGEN.patch
# PATCH-FIX-SLE CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch bsc#1181126 mcepl@suse.com
# buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution
Patch61: CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch
# COMMON-PATCH-END
BuildRequires: automake
BuildRequires: db-devel
@ -280,6 +283,7 @@ that rely on earlier non-verification behavior.
%patch58 -p1
%patch59 -p1
%patch60 -p1
%patch61 -p1
# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac