[Python-modules-commits] r13873 - in packages/python-cjson/branches/lenny/debian (4 files)

chrisk-guest at users.alioth.debian.org chrisk-guest at users.alioth.debian.org
Sat Jul 10 19:44:35 UTC 2010


    Date: Saturday, July 10, 2010 @ 19:44:33
  Author: chrisk-guest
Revision: 13873

Add fix for CVE-2010-1666 from upstream; include it in build process using
simple-patchsys from cdbs

Added:
  packages/python-cjson/branches/lenny/debian/patches/
  packages/python-cjson/branches/lenny/debian/patches/0001-fix-for-CVE-2010-1666
  packages/python-cjson/branches/lenny/debian/patches/0001-fix-for-CVE-2010-1666.patch
Modified:
  packages/python-cjson/branches/lenny/debian/rules

Added: packages/python-cjson/branches/lenny/debian/patches/0001-fix-for-CVE-2010-1666
===================================================================
--- packages/python-cjson/branches/lenny/debian/patches/0001-fix-for-CVE-2010-1666	                        (rev 0)
+++ packages/python-cjson/branches/lenny/debian/patches/0001-fix-for-CVE-2010-1666	2010-07-10 19:44:33 UTC (rev 13873)
@@ -0,0 +1,90 @@
+Author: Matt Giuca
+Date: Tue, 06 Jul 2010 23:31:15 +0200
+Subject: [PATCH] Fix for CVE-2010-1666
+
+Matt Giuca discovered a potential buffer overflow in python-cjson. It has been
+assigned CVE-2010-1666. This patch is taken from the patch submitted and
+applied to Ubuntu's version of python-cjson.
+
+Origin: other, https://bugs.launchpad.net/ubuntu/+source/python-cjson/+bug/585274
+Bug-Debian: http://bugs.debian.org/587700
+Forwarded: yes
+Last-Update: 2010-10-07
+Index: python-cjson-1.0.5-new/cjson.c
+===================================================================
+--- python-cjson-1.0.5-new.orig/cjson.c	2010-07-06 23:29:27.898903297 +0200
++++ python-cjson-1.0.5-new/cjson.c	2010-07-06 23:29:41.901838748 +0200
+@@ -613,6 +613,25 @@
+     char *p;
+ 
+     static const char *hexdigit = "0123456789abcdef";
++#ifdef Py_UNICODE_WIDE
++    const Py_ssize_t expandsize = 10;
++#else
++    const Py_ssize_t expandsize = 6;
++#endif
++
++    /* Initial allocation is based on the longest-possible unichr
++       escape.
++
++       In wide (UTF-32) builds '\U00xxxxxx' is 10 chars per source
++       unichr, so in this case it's the longest unichr escape. In
++       narrow (UTF-16) builds this is five chars per source unichr
++       since there are two unichrs in the surrogate pair, so in narrow
++       (UTF-16) builds it's not the longest unichr escape.
++
++       In wide or narrow builds '\uxxxx' is 6 chars per source unichr,
++       so in the narrow (UTF-16) build case it's the longest unichr
++       escape.
++    */
+ 
+     s = PyUnicode_AS_UNICODE(unicode);
+     size = PyUnicode_GET_SIZE(unicode);
+@@ -623,7 +642,7 @@
+         return NULL;
+     }
+ 
+-    repr = PyString_FromStringAndSize(NULL, 2 + 6*size + 1);
++    repr = PyString_FromStringAndSize(NULL, 2 + expandsize*size + 1);
+     if (repr == NULL)
+         return NULL;
+ 
+@@ -644,15 +663,6 @@
+ #ifdef Py_UNICODE_WIDE
+         /* Map 21-bit characters to '\U00xxxxxx' */
+         else if (ch >= 0x10000) {
+-            int offset = p - PyString_AS_STRING(repr);
+-
+-            /* Resize the string if necessary */
+-            if (offset + 12 > PyString_GET_SIZE(repr)) {
+-                if (_PyString_Resize(&repr, PyString_GET_SIZE(repr) + 100))
+-                    return NULL;
+-                p = PyString_AS_STRING(repr) + offset;
+-            }
+-
+             *p++ = '\\';
+             *p++ = 'U';
+             *p++ = hexdigit[(ch >> 28) & 0x0000000F];
+Index: python-cjson-1.0.5-new/jsontest.py
+===================================================================
+--- python-cjson-1.0.5-new.orig/jsontest.py	2010-07-06 23:29:27.965871886 +0200
++++ python-cjson-1.0.5-new/jsontest.py	2010-07-06 23:29:41.901838748 +0200
+@@ -316,6 +316,18 @@
+ 
+     def testWriteLong(self):
+         self.assertEqual("12345678901234567890", cjson.encode(12345678901234567890))
++
++    def testWriteLongUnicode(self):
++        # This test causes a buffer overrun in cjson 1.0.5, on UCS4 builds.
++        # The string length is only resized for wide unicode characters if
++        # there is less than 12 bytes of space left. Padding with
++        # narrow-but-escaped characters prevents string resizing.
++        # Note that u'\U0001D11E\u1234' also breaks, but sometimes goes
++        # undetected.
++        s = cjson.encode(u'\U0001D11E\U0001D11E\U0001D11E\U0001D11E'
++                         u'\u1234\u1234\u1234\u1234\u1234\u1234')
++        self.assertEqual(r'"\U0001d11e\U0001d11e\U0001d11e\U0001d11e'
++                         r'\u1234\u1234\u1234\u1234\u1234\u1234"', s)
+         
+ def main():
+     unittest.main()
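Review bot: This extension-less file looks like an accidental copy of `0001-fix-for-CVE-2010-1666.patch`, which is added in the same revision and appears identical apart from one extra trailing blank line. As far as I know, cdbs simple-patchsys only applies files in debian/patches whose names match its suffix list (by default the .diff/.patch variants), so this copy would probably be ignored at build time. It should be dropped so the security fix has a single source. In both copies the header `Last-Update: 2010-10-07` is later than the commit date (2010-07-10) and the patch's own `Date:` line, which looks like a day/month swap; I would write `Last-Update: 2010-07-10`.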

Added: packages/python-cjson/branches/lenny/debian/patches/0001-fix-for-CVE-2010-1666.patch
===================================================================
--- packages/python-cjson/branches/lenny/debian/patches/0001-fix-for-CVE-2010-1666.patch	                        (rev 0)
+++ packages/python-cjson/branches/lenny/debian/patches/0001-fix-for-CVE-2010-1666.patch	2010-07-10 19:44:33 UTC (rev 13873)
@@ -0,0 +1,91 @@
+Author: Matt Giuca
+Date: Tue, 06 Jul 2010 23:31:15 +0200
+Subject: [PATCH] Fix for CVE-2010-1666
+
+Matt Giuca discovered a potential buffer overflow in python-cjson. It has been
+assigned CVE-2010-1666. This patch is taken from the patch submitted and
+applied to Ubuntu's version of python-cjson.
+
+Origin: other, https://bugs.launchpad.net/ubuntu/+source/python-cjson/+bug/585274
+Bug-Debian: http://bugs.debian.org/587700
+Forwarded: yes
+Last-Update: 2010-10-07
+Index: python-cjson-1.0.5-new/cjson.c
+===================================================================
+--- python-cjson-1.0.5-new.orig/cjson.c	2010-07-06 23:29:27.898903297 +0200
++++ python-cjson-1.0.5-new/cjson.c	2010-07-06 23:29:41.901838748 +0200
+@@ -613,6 +613,25 @@
+     char *p;
+ 
+     static const char *hexdigit = "0123456789abcdef";
++#ifdef Py_UNICODE_WIDE
++    const Py_ssize_t expandsize = 10;
++#else
++    const Py_ssize_t expandsize = 6;
++#endif
++
++    /* Initial allocation is based on the longest-possible unichr
++       escape.
++
++       In wide (UTF-32) builds '\U00xxxxxx' is 10 chars per source
++       unichr, so in this case it's the longest unichr escape. In
++       narrow (UTF-16) builds this is five chars per source unichr
++       since there are two unichrs in the surrogate pair, so in narrow
++       (UTF-16) builds it's not the longest unichr escape.
++
++       In wide or narrow builds '\uxxxx' is 6 chars per source unichr,
++       so in the narrow (UTF-16) build case it's the longest unichr
++       escape.
++    */
+ 
+     s = PyUnicode_AS_UNICODE(unicode);
+     size = PyUnicode_GET_SIZE(unicode);
+@@ -623,7 +642,7 @@
+         return NULL;
+     }
+ 
+-    repr = PyString_FromStringAndSize(NULL, 2 + 6*size + 1);
++    repr = PyString_FromStringAndSize(NULL, 2 + expandsize*size + 1);
+     if (repr == NULL)
+         return NULL;
+ 
+@@ -644,15 +663,6 @@
+ #ifdef Py_UNICODE_WIDE
+         /* Map 21-bit characters to '\U00xxxxxx' */
+         else if (ch >= 0x10000) {
+-            int offset = p - PyString_AS_STRING(repr);
+-
+-            /* Resize the string if necessary */
+-            if (offset + 12 > PyString_GET_SIZE(repr)) {
+-                if (_PyString_Resize(&repr, PyString_GET_SIZE(repr) + 100))
+-                    return NULL;
+-                p = PyString_AS_STRING(repr) + offset;
+-            }
+-
+             *p++ = '\\';
+             *p++ = 'U';
+             *p++ = hexdigit[(ch >> 28) & 0x0000000F];
+Index: python-cjson-1.0.5-new/jsontest.py
+===================================================================
+--- python-cjson-1.0.5-new.orig/jsontest.py	2010-07-06 23:29:27.965871886 +0200
++++ python-cjson-1.0.5-new/jsontest.py	2010-07-06 23:29:41.901838748 +0200
+@@ -316,6 +316,18 @@
+ 
+     def testWriteLong(self):
+         self.assertEqual("12345678901234567890", cjson.encode(12345678901234567890))
++
++    def testWriteLongUnicode(self):
++        # This test causes a buffer overrun in cjson 1.0.5, on UCS4 builds.
++        # The string length is only resized for wide unicode characters if
++        # there is less than 12 bytes of space left. Padding with
++        # narrow-but-escaped characters prevents string resizing.
++        # Note that u'\U0001D11E\u1234' also breaks, but sometimes goes
++        # undetected.
++        s = cjson.encode(u'\U0001D11E\U0001D11E\U0001D11E\U0001D11E'
++                         u'\u1234\u1234\u1234\u1234\u1234\u1234')
++        self.assertEqual(r'"\U0001d11e\U0001d11e\U0001d11e\U0001d11e'
++                         r'\u1234\u1234\u1234\u1234\u1234\u1234"', s)
+         
+ def main():
+     unittest.main()
+
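Review bot: The embedded cjson.c change sizes the buffer as `2 + expandsize*size + 1`, which multiplies by 10 on Py_UNICODE_WIDE builds, but the size check just above the allocation is not touched by the patch. Only the closing `return NULL; }` of that check is visible as context; the condition itself lies outside the hunk. If that guard still bounds `size` against a factor of 6, a very large input could overflow the Py_ssize_t product on wide builds and under-allocate again, so it should divide by the new constant, e.g. `if (size > (PY_SSIZE_T_MAX - 2 - 1) / expandsize)`. With the per-character resize removed in the third hunk, the write loop relies entirely on this worst-case preallocation. A short comment at the `ch >= 0x10000` branch saying so would warn anyone who later adds a longer escape form.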

Modified: packages/python-cjson/branches/lenny/debian/rules
===================================================================
--- packages/python-cjson/branches/lenny/debian/rules	2010-07-10 19:23:57 UTC (rev 13872)
+++ packages/python-cjson/branches/lenny/debian/rules	2010-07-10 19:44:33 UTC (rev 13873)
@@ -5,6 +5,7 @@
 
 include /usr/share/cdbs/1/rules/debhelper.mk
 include /usr/share/cdbs/1/class/python-distutils.mk
+include /usr/share/cdbs/1/rules/simple-patchsys.mk
 
 
 build/python-cjson-dbg::



