diff --git a/CVE-2025-4516-DecodeError-handler.patch b/CVE-2025-4516-DecodeError-handler.patch index 23bc56c..c263eac 100644 --- a/CVE-2025-4516-DecodeError-handler.patch +++ b/CVE-2025-4516-DecodeError-handler.patch @@ -1,7 +1,7 @@ -From a75953b347716fff694aa59a7c7c2489fa50d1f5 Mon Sep 17 00:00:00 2001 +From 0c33e5baedf18ebcb04bc41dff7cfc614d5ea5fe Mon Sep 17 00:00:00 2001 From: Serhiy Storchaka Date: Tue, 20 May 2025 15:46:57 +0300 -Subject: [PATCH] [3.12] gh-133767: Fix use-after-free in the unicode-escape +Subject: [PATCH] [3.11] gh-133767: Fix use-after-free in the unicode-escape decoder with an error handler (GH-129648) (GH-133944) If the error handler is used, a new bytes object is created to set as @@ -15,6 +15,7 @@ use the error handlers registry, but it should be changed for compatibility with _PyUnicode_DecodeUnicodeEscapeInternal(). (cherry picked from commit 9f69a58623bd01349a18ba0c7a9cb1dad6a51e8e) (cherry picked from commit 6279eb8c076d89d3739a6edb393e43c7929b429d) +(cherry picked from commit a75953b347716fff694aa59a7c7c2489fa50d1f5) Co-authored-by: Serhiy Storchaka --- 
@@ -23,16 +24,16 @@ Co-authored-by: Serhiy Storchaka Lib/test/test_codeccallbacks.py | 39 ++++++ Lib/test/test_codecs.py | 52 ++++++-- Misc/NEWS.d/next/Security/2025-05-09-20-22-54.gh-issue-133767.kN2i3Q.rst | 2 - Objects/bytesobject.c | 54 +++++--- - Objects/unicodeobject.c | 61 +++++++--- - Parser/string_parser.c | 26 ++-- - 8 files changed, 194 insertions(+), 57 deletions(-) + Objects/bytesobject.c | 56 ++++++-- + Objects/unicodeobject.c | 63 +++++++--- + Parser/string_parser.c | 24 ++- + 8 files changed, 197 insertions(+), 56 deletions(-) create mode 100644 Misc/NEWS.d/next/Security/2025-05-09-20-22-54.gh-issue-133767.kN2i3Q.rst Index: Python-3.11.12/Include/cpython/bytesobject.h =================================================================== ---- Python-3.11.12.orig/Include/cpython/bytesobject.h 2025-04-08 14:15:29.000000000 +0000 -+++ Python-3.11.12/Include/cpython/bytesobject.h 2025-05-22 12:57:58.382969999 +0000 +--- Python-3.11.12.orig/Include/cpython/bytesobject.h 2025-05-27 16:12:54.739976905 +0200 ++++ Python-3.11.12/Include/cpython/bytesobject.h 2025-05-27 16:13:11.519989563 +0200 @@ -25,6 +25,10 @@ int use_bytearray); @@ -46,8 +47,8 @@ Index: Python-3.11.12/Include/cpython/bytesobject.h Index: Python-3.11.12/Include/cpython/unicodeobject.h =================================================================== ---- Python-3.11.12.orig/Include/cpython/unicodeobject.h 2025-04-08 14:15:29.000000000 +0000 -+++ Python-3.11.12/Include/cpython/unicodeobject.h 2025-05-22 12:57:58.383963607 +0000 +--- Python-3.11.12.orig/Include/cpython/unicodeobject.h 2025-05-27 16:12:54.739976905 +0200 ++++ Python-3.11.12/Include/cpython/unicodeobject.h 2025-05-27 16:13:11.520156067 +0200 @@ -914,6 +914,19 @@ ); /* Helper for PyUnicode_DecodeUnicodeEscape that detects invalid escape 
@@ -70,8 +71,8 @@ Index: Python-3.11.12/Include/cpython/unicodeobject.h Py_ssize_t length, /* size of string */ Index: Python-3.11.12/Lib/test/test_codeccallbacks.py =================================================================== ---- Python-3.11.12.orig/Lib/test/test_codeccallbacks.py 2025-05-22 12:57:49.587342695 +0000 -+++ Python-3.11.12/Lib/test/test_codeccallbacks.py 2025-05-22 12:57:58.384369150 +0000 +--- Python-3.11.12.orig/Lib/test/test_codeccallbacks.py 2025-05-27 16:12:54.739976905 +0200 ++++ Python-3.11.12/Lib/test/test_codeccallbacks.py 2025-05-27 16:13:11.520378996 +0200 @@ -1,6 +1,7 @@ import codecs import html.entities @@ -134,8 +135,8 @@ Index: Python-3.11.12/Lib/test/test_codeccallbacks.py # better generating one more character to fill the extra space slot Index: Python-3.11.12/Lib/test/test_codecs.py =================================================================== ---- Python-3.11.12.orig/Lib/test/test_codecs.py 2025-05-22 12:57:49.608177948 +0000 -+++ Python-3.11.12/Lib/test/test_codecs.py 2025-05-22 12:57:58.385050493 +0000 +--- Python-3.11.12.orig/Lib/test/test_codecs.py 2025-05-27 16:12:54.739976905 +0200 ++++ Python-3.11.12/Lib/test/test_codecs.py 2025-05-27 16:13:11.520814977 +0200 @@ -1198,23 +1198,39 @@ check(br"[\1010]", b"[A0]") check(br"[\x41]", b"[A]") @@ -230,14 +231,14 @@ Index: Python-3.11.12/Lib/test/test_codecs.py Index: Python-3.11.12/Misc/NEWS.d/next/Security/2025-05-09-20-22-54.gh-issue-133767.kN2i3Q.rst =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ Python-3.11.12/Misc/NEWS.d/next/Security/2025-05-09-20-22-54.gh-issue-133767.kN2i3Q.rst 2025-05-22 12:57:58.385668586 +0000 ++++ Python-3.11.12/Misc/NEWS.d/next/Security/2025-05-09-20-22-54.gh-issue-133767.kN2i3Q.rst 2025-05-27 16:13:11.521185394 +0200 
@@ -0,0 +1,2 @@ +Fix use-after-free in the "unicode-escape" decoder with a non-"strict" error +handler. Index: Python-3.11.12/Objects/bytesobject.c =================================================================== ---- Python-3.11.12.orig/Objects/bytesobject.c 2025-04-08 14:15:29.000000000 +0000 -+++ Python-3.11.12/Objects/bytesobject.c 2025-05-22 12:57:58.386149592 +0000 +--- Python-3.11.12.orig/Objects/bytesobject.c 2025-05-27 16:12:54.739976905 +0200 ++++ Python-3.11.12/Objects/bytesobject.c 2025-05-27 16:13:11.521614202 +0200 @@ -1057,10 +1057,11 @@ } @@ -290,7 +291,7 @@ Index: Python-3.11.12/Objects/bytesobject.c } *p++ = '\\'; s--; -@@ -1171,23 +1175,37 @@ +@@ -1171,23 +1175,39 @@ return NULL; } @@ -328,15 +329,17 @@ Index: Python-3.11.12/Objects/bytesobject.c - if ('4' <= c && c <= '7') { + if (first_invalid_escape_char != -1) { + if (first_invalid_escape_char > 0xff) { ++ char buf[12] = ""; ++ snprintf(buf, sizeof buf, "%o", first_invalid_escape_char); if (PyErr_WarnFormat(PyExc_DeprecationWarning, 1, - "invalid octal escape sequence '\\%.3s'", - first_invalid_escape) < 0) -+ "invalid octal escape sequence '\\%o'", -+ first_invalid_escape_char) < 0) ++ "invalid octal escape sequence '\\%s'", ++ buf) < 0) { Py_DECREF(result); return NULL; -@@ -1196,7 +1214,7 @@ +@@ -1196,7 +1216,7 @@ else { if (PyErr_WarnFormat(PyExc_DeprecationWarning, 1, "invalid escape sequence '\\%c'", @@ -347,8 +350,8 @@ Index: Python-3.11.12/Objects/bytesobject.c return NULL; Index: Python-3.11.12/Objects/unicodeobject.c =================================================================== ---- Python-3.11.12.orig/Objects/unicodeobject.c 2025-04-08 14:15:29.000000000 +0000 -+++ Python-3.11.12/Objects/unicodeobject.c 2025-05-22 12:57:58.387970080 +0000 +--- Python-3.11.12.orig/Objects/unicodeobject.c 2025-05-27 16:12:54.739976905 +0200 ++++ Python-3.11.12/Objects/unicodeobject.c 2025-05-27 16:13:11.523098541 +0200 @@ -6301,20 +6301,23 @@ static _PyUnicode_Name_CAPI *ucnhash_capi = NULL; 
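Review bot: The added `char buf[12] = "";` / `snprintf(buf, sizeof buf, "%o", first_invalid_escape_char);` lines in the Objects/bytesobject.c section have no comment explaining why the octal value is now pre-formatted, where the previous revision passed `'\\%o'` straight to `PyErr_WarnFormat`. This is presumably because the 3.11 format machinery has no `%o` conversion, so a one-line comment would stop a later refresh from reverting it: `/* PyErr_WarnFormat() in 3.11 does not support %o; format the octal digits locally. */`. The same pair of lines, and the same missing comment, appears in the Objects/unicodeobject.c section (the `@@ -449,15 +452,17 @@` hunk). The 12-byte buffer holds the 11 octal digits of a 32-bit value plus the terminator, and `sizeof buf` bounds the write, so the size is adequate. However, `%o` expects an unsigned argument while the variable looks to be a signed int, so `(unsigned int)first_invalid_escape_char` would make the conversion explicit. The enclosing functions start and end outside these hunks.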
@@ -408,7 +411,7 @@ Index: Python-3.11.12/Objects/unicodeobject.c } WRITE_ASCII_CHAR('\\'); WRITE_CHAR(c); -@@ -6544,24 +6553,40 @@ +@@ -6544,24 +6553,42 @@ return NULL; } @@ -449,15 +452,17 @@ Index: Python-3.11.12/Objects/unicodeobject.c - if ('4' <= c && c <= '7') { + if (first_invalid_escape_char != -1) { + if (first_invalid_escape_char > 0xff) { ++ char buf[12] = ""; ++ snprintf(buf, sizeof buf, "%o", first_invalid_escape_char); if (PyErr_WarnFormat(PyExc_DeprecationWarning, 1, - "invalid octal escape sequence '\\%.3s'", - first_invalid_escape) < 0) -+ "invalid octal escape sequence '\\%o'", -+ first_invalid_escape_char) < 0) ++ "invalid octal escape sequence '\\%s'", ++ buf) < 0) { Py_DECREF(result); return NULL; -@@ -6570,7 +6595,7 @@ +@@ -6570,7 +6597,7 @@ else { if (PyErr_WarnFormat(PyExc_DeprecationWarning, 1, "invalid escape sequence '\\%c'", @@ -468,9 +473,9 @@ Index: Python-3.11.12/Objects/unicodeobject.c return NULL; Index: Python-3.11.12/Parser/string_parser.c =================================================================== ---- Python-3.11.12.orig/Parser/string_parser.c 2025-04-08 14:15:29.000000000 +0000 -+++ Python-3.11.12/Parser/string_parser.c 2025-05-22 14:13:25.035587017 +0000 -@@ -130,13 +130,16 @@ +--- Python-3.11.12.orig/Parser/string_parser.c 2025-05-27 16:12:54.739976905 +0200 ++++ Python-3.11.12/Parser/string_parser.c 2025-05-27 16:13:11.524051710 +0200 +@@ -130,12 +130,15 @@ len = p - buf; s = buf; 
@@ -485,14 +490,12 @@ Index: Python-3.11.12/Parser/string_parser.c - if (v != NULL && first_invalid_escape != NULL) { - if (warn_invalid_escape_sequence(parser, first_invalid_escape, t) < 0) { - /* We have not decref u before because first_invalid_escape points -- inside u. */ -+ if (v != NULL && first_invalid_escape_ptr != NULL && t != NULL) { ++ if (v != NULL && first_invalid_escape_ptr != NULL) { + if (warn_invalid_escape_sequence(parser, first_invalid_escape_ptr, t) < 0) { -+ /* We have not decref u before because first_invalid_escape_ptr -+ points inside u. */ ++ /* We have not decref u before because first_invalid_escape_ptr points + inside u. */ Py_XDECREF(u); Py_DECREF(v); - return NULL; @@ -149,14 +152,17 @@ static PyObject * decode_bytes_with_escapes(Parser *p, const char *s, Py_ssize_t len, Token *t)
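Review bot: In the Parser/string_parser.c section the refreshed condition drops the `&& t != NULL` guard, so `t` now reaches `warn_invalid_escape_sequence(parser, first_invalid_escape_ptr, t)` unchecked. The hunk does not show the callers of this function, so it is worth confirming that on the 3.11 tree every call path supplies a non-NULL token. If any path can pass NULL, keep the earlier form `if (v != NULL && first_invalid_escape_ptr != NULL && t != NULL) {`. If the guard is dead on 3.11, a short comment such as `/* t is never NULL on 3.11; the 3.12 guard is intentionally omitted. */` would record why this differs from the 3.12 patch. The enclosing function begins before the hunk, so this is inferred from the visible lines only.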