[Python-modules-commits] r13819 - in packages/python-cjson/trunk/debian (3 files)
chrisk-guest at users.alioth.debian.org
chrisk-guest at users.alioth.debian.org
Tue Jul 6 21:40:08 UTC 2010
Date: Tuesday, July 6, 2010 @ 21:40:06
Author: chrisk-guest
Revision: 13819
Add fix for CVE-2010-1666
Added:
packages/python-cjson/trunk/debian/patches/0001-fix-for-CVE-2010-1666
Modified:
packages/python-cjson/trunk/debian/changelog
packages/python-cjson/trunk/debian/patches/series
Modified: packages/python-cjson/trunk/debian/changelog
===================================================================
--- packages/python-cjson/trunk/debian/changelog 2010-07-06 21:38:09 UTC (rev 13818)
+++ packages/python-cjson/trunk/debian/changelog 2010-07-06 21:40:06 UTC (rev 13819)
@@ -1,8 +1,10 @@
-python-cjson (1.0.5-3) unstable; urgency=low
+python-cjson (1.0.5-3) unstable; urgency=high
[ Christian Kastner ]
* debian/source/format
- Convert to format 3.0 (quilt)
+ * debian/patches:
+ - New patch 0001-fix-for-CVE-2010-1666
-- Debian Python Modules Team <python-modules-team at lists.alioth.debian.org> Tue, 06 Jul 2010 23:22:56 +0200
Added: packages/python-cjson/trunk/debian/patches/0001-fix-for-CVE-2010-1666
===================================================================
--- packages/python-cjson/trunk/debian/patches/0001-fix-for-CVE-2010-1666 (rev 0)
+++ packages/python-cjson/trunk/debian/patches/0001-fix-for-CVE-2010-1666 2010-07-06 21:40:06 UTC (rev 13819)
@@ -0,0 +1,90 @@
+Author: Matt Giuca
+Date: Tue, 06 Jul 2010 23:31:15 +0200
+Subject: [PATCH] Fix for CVE-2010-1666
+
+Matt Giuca discovered a potential buffer overflow in python-cjson. It has been
+assigned CVE-2010-1666. This patch is taken from the patch submitted and
+applied to Ubuntu's version of python-cjson.
+
+Origin: other, https://bugs.launchpad.net/ubuntu/+source/python-cjson/+bug/585274
+Bug-Debian: http://bugs.debian.org/587700
+Forwarded: yes
+Last-Update: 2010-10-07
+Index: python-cjson-1.0.5-new/cjson.c
+===================================================================
+--- python-cjson-1.0.5-new.orig/cjson.c 2010-07-06 23:29:27.898903297 +0200
++++ python-cjson-1.0.5-new/cjson.c 2010-07-06 23:29:41.901838748 +0200
+@@ -613,6 +613,25 @@
+ char *p;
+
+ static const char *hexdigit = "0123456789abcdef";
++#ifdef Py_UNICODE_WIDE
++ const Py_ssize_t expandsize = 10;
++#else
++ const Py_ssize_t expandsize = 6;
++#endif
++
++ /* Initial allocation is based on the longest-possible unichr
++ escape.
++
++ In wide (UTF-32) builds '\U00xxxxxx' is 10 chars per source
++ unichr, so in this case it's the longest unichr escape. In
++ narrow (UTF-16) builds this is five chars per source unichr
++ since there are two unichrs in the surrogate pair, so in narrow
++ (UTF-16) builds it's not the longest unichr escape.
++
++ In wide or narrow builds '\uxxxx' is 6 chars per source unichr,
++ so in the narrow (UTF-16) build case it's the longest unichr
++ escape.
++ */
+
+ s = PyUnicode_AS_UNICODE(unicode);
+ size = PyUnicode_GET_SIZE(unicode);
+@@ -623,7 +642,7 @@
+ return NULL;
+ }
+
+- repr = PyString_FromStringAndSize(NULL, 2 + 6*size + 1);
++ repr = PyString_FromStringAndSize(NULL, 2 + expandsize*size + 1);
+ if (repr == NULL)
+ return NULL;
+
+@@ -644,15 +663,6 @@
+ #ifdef Py_UNICODE_WIDE
+ /* Map 21-bit characters to '\U00xxxxxx' */
+ else if (ch >= 0x10000) {
+- int offset = p - PyString_AS_STRING(repr);
+-
+- /* Resize the string if necessary */
+- if (offset + 12 > PyString_GET_SIZE(repr)) {
+- if (_PyString_Resize(&repr, PyString_GET_SIZE(repr) + 100))
+- return NULL;
+- p = PyString_AS_STRING(repr) + offset;
+- }
+-
+ *p++ = '\\';
+ *p++ = 'U';
+ *p++ = hexdigit[(ch >> 28) & 0x0000000F];
+Index: python-cjson-1.0.5-new/jsontest.py
+===================================================================
+--- python-cjson-1.0.5-new.orig/jsontest.py 2010-07-06 23:29:27.965871886 +0200
++++ python-cjson-1.0.5-new/jsontest.py 2010-07-06 23:29:41.901838748 +0200
+@@ -316,6 +316,18 @@
+
+ def testWriteLong(self):
+ self.assertEqual("12345678901234567890", cjson.encode(12345678901234567890))
++
++ def testWriteLongUnicode(self):
++ # This test causes a buffer overrun in cjson 1.0.5, on UCS4 builds.
++ # The string length is only resized for wide unicode characters if
++ # there is less than 12 bytes of space left. Padding with
++ # narrow-but-escaped characters prevents string resizing.
++ # Note that u'\U0001D11E\u1234' also breaks, but sometimes goes
++ # undetected.
++ s = cjson.encode(u'\U0001D11E\U0001D11E\U0001D11E\U0001D11E'
++ u'\u1234\u1234\u1234\u1234\u1234\u1234')
++ self.assertEqual(r'"\U0001d11e\U0001d11e\U0001d11e\U0001d11e'
++ r'\u1234\u1234\u1234\u1234\u1234\u1234"', s)
+
+ def main():
+ unittest.main()
Modified: packages/python-cjson/trunk/debian/patches/series
===================================================================
--- packages/python-cjson/trunk/debian/patches/series 2010-07-06 21:38:09 UTC (rev 13818)
+++ packages/python-cjson/trunk/debian/patches/series 2010-07-06 21:40:06 UTC (rev 13819)
@@ -0,0 +1 @@
+0001-fix-for-CVE-2010-1666
More information about the Python-modules-commits
mailing list