[Python-modules-commits] r13819 - in packages/python-cjson/trunk/debian (3 files)

chrisk-guest at users.alioth.debian.org chrisk-guest at users.alioth.debian.org
Tue Jul 6 21:40:08 UTC 2010 

    Date: Tuesday, July 6, 2010 @ 21:40:06
  Author: chrisk-guest
Revision: 13819

Add fix for CVE-2010-1666

Added:
  packages/python-cjson/trunk/debian/patches/0001-fix-for-CVE-2010-1666
Modified:
  packages/python-cjson/trunk/debian/changelog
  packages/python-cjson/trunk/debian/patches/series

Modified: packages/python-cjson/trunk/debian/changelog
===================================================================
--- packages/python-cjson/trunk/debian/changelog	2010-07-06 21:38:09 UTC (rev 13818)
+++ packages/python-cjson/trunk/debian/changelog	2010-07-06 21:40:06 UTC (rev 13819)
@@ -1,8 +1,10 @@
-python-cjson (1.0.5-3) unstable; urgency=low
+python-cjson (1.0.5-3) unstable; urgency=high
 
   [ Christian Kastner ]
   * debian/source/format
     - Convert to format 3.0 (quilt)
+  * debian/patches:
+    - New patch 0001-fix-for-CVE-2010-1666
 
  -- Debian Python Modules Team <python-modules-team at lists.alioth.debian.org>  Tue, 06 Jul 2010 23:22:56 +0200
 

Added: packages/python-cjson/trunk/debian/patches/0001-fix-for-CVE-2010-1666
===================================================================
--- packages/python-cjson/trunk/debian/patches/0001-fix-for-CVE-2010-1666	                        (rev 0)
+++ packages/python-cjson/trunk/debian/patches/0001-fix-for-CVE-2010-1666	2010-07-06 21:40:06 UTC (rev 13819)
@@ -0,0 +1,90 @@
+Author: Matt Giuca
+Date: Tue, 06 Jul 2010 23:31:15 +0200
+Subject: [PATCH] Fix for CVE-2010-1666
+
+Matt Giuca discovered a potential buffer overflow in python-cjson. It has been
+assigned CVE-2010-1666. This patch is taken from the patch submitted and
+applied to Ubuntu's version of python-cjson.
+
+Origin: other, https://bugs.launchpad.net/ubuntu/+source/python-cjson/+bug/585274
+Bug-Debian: http://bugs.debian.org/587700
+Forwarded: yes
+Last-Update: 2010-10-07
+Index: python-cjson-1.0.5-new/cjson.c
+===================================================================
+--- python-cjson-1.0.5-new.orig/cjson.c	2010-07-06 23:29:27.898903297 +0200
++++ python-cjson-1.0.5-new/cjson.c	2010-07-06 23:29:41.901838748 +0200
+@@ -613,6 +613,25 @@
+     char *p;
+ 
+     static const char *hexdigit = "0123456789abcdef";
++#ifdef Py_UNICODE_WIDE
++    const Py_ssize_t expandsize = 10;
++#else
++    const Py_ssize_t expandsize = 6;
++#endif
++
++    /* Initial allocation is based on the longest-possible unichr
++       escape.
++
++       In wide (UTF-32) builds '\U00xxxxxx' is 10 chars per source
++       unichr, so in this case it's the longest unichr escape. In
++       narrow (UTF-16) builds this is five chars per source unichr
++       since there are two unichrs in the surrogate pair, so in narrow
++       (UTF-16) builds it's not the longest unichr escape.
++
++       In wide or narrow builds '\uxxxx' is 6 chars per source unichr,
++       so in the narrow (UTF-16) build case it's the longest unichr
++       escape.
++    */
+ 
+     s = PyUnicode_AS_UNICODE(unicode);
+     size = PyUnicode_GET_SIZE(unicode);
+@@ -623,7 +642,7 @@
+         return NULL;
+     }
+ 
+-    repr = PyString_FromStringAndSize(NULL, 2 + 6*size + 1);
++    repr = PyString_FromStringAndSize(NULL, 2 + expandsize*size + 1);
+     if (repr == NULL)
+         return NULL;
+ 
+@@ -644,15 +663,6 @@
+ #ifdef Py_UNICODE_WIDE
+         /* Map 21-bit characters to '\U00xxxxxx' */
+         else if (ch >= 0x10000) {
+-            int offset = p - PyString_AS_STRING(repr);
+-
+-            /* Resize the string if necessary */
+-            if (offset + 12 > PyString_GET_SIZE(repr)) {
+-                if (_PyString_Resize(&repr, PyString_GET_SIZE(repr) + 100))
+-                    return NULL;
+-                p = PyString_AS_STRING(repr) + offset;
+-            }
+-
+             *p++ = '\\';
+             *p++ = 'U';
+             *p++ = hexdigit[(ch >> 28) & 0x0000000F];
+Index: python-cjson-1.0.5-new/jsontest.py
+===================================================================
+--- python-cjson-1.0.5-new.orig/jsontest.py	2010-07-06 23:29:27.965871886 +0200
++++ python-cjson-1.0.5-new/jsontest.py	2010-07-06 23:29:41.901838748 +0200
+@@ -316,6 +316,18 @@
+ 
+     def testWriteLong(self):
+         self.assertEqual("12345678901234567890", cjson.encode(12345678901234567890))
++
++    def testWriteLongUnicode(self):
++        # This test causes a buffer overrun in cjson 1.0.5, on UCS4 builds.
++        # The string length is only resized for wide unicode characters if
++        # there is less than 12 bytes of space left. Padding with
++        # narrow-but-escaped characters prevents string resizing.
++        # Note that u'\U0001D11E\u1234' also breaks, but sometimes goes
++        # undetected.
++        s = cjson.encode(u'\U0001D11E\U0001D11E\U0001D11E\U0001D11E'
++                         u'\u1234\u1234\u1234\u1234\u1234\u1234')
++        self.assertEqual(r'"\U0001d11e\U0001d11e\U0001d11e\U0001d11e'
++                         r'\u1234\u1234\u1234\u1234\u1234\u1234"', s)
+         
+ def main():
+     unittest.main()

Modified: packages/python-cjson/trunk/debian/patches/series
===================================================================
--- packages/python-cjson/trunk/debian/patches/series	2010-07-06 21:38:09 UTC (rev 13818)
+++ packages/python-cjson/trunk/debian/patches/series	2010-07-06 21:40:06 UTC (rev 13819)
@@ -0,0 +1 @@
+0001-fix-for-CVE-2010-1666

More information about the Python-modules-commits mailing list