rpms/python-cjson/F-13 python-cjson-1.0.5-CVE-2010-1666.patch, NONE, 1.1 python-cjson.spec, 1.4, 1.5
Felix Schwarz
fschwarz at fedoraproject.org
Sat Jul 3 20:52:28 UTC 2010
Author: fschwarz
Update of /cvs/pkgs/rpms/python-cjson/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv1947/F-13
Modified Files:
python-cjson.spec
Added Files:
python-cjson-1.0.5-CVE-2010-1666.patch
Log Message:
CVE-2010-1666 (fixed by including a patch from Ubuntu, see Launchpad 585274)
python-cjson-1.0.5-CVE-2010-1666.patch:
cjson.c | 30 ++++++++++++++++++++----------
jsontest.py | 12 ++++++++++++
2 files changed, 32 insertions(+), 10 deletions(-)
--- NEW FILE python-cjson-1.0.5-CVE-2010-1666.patch ---
--- python-cjson-1.0.5.orig/jsontest.py
+++ python-cjson-1.0.5/jsontest.py
@@ -316,6 +316,18 @@
def testWriteLong(self):
self.assertEqual("12345678901234567890", cjson.encode(12345678901234567890))
+
+ def testWriteLongUnicode(self):
+ # This test causes a buffer overrun in cjson 1.0.5, on UCS4 builds.
+ # The string length is only resized for wide unicode characters if
+ # there is less than 12 bytes of space left. Padding with
+ # narrow-but-escaped characters prevents string resizing.
+ # Note that u'\U0001D11E\u1234' also breaks, but sometimes goes
+ # undetected.
+ s = cjson.encode(u'\U0001D11E\U0001D11E\U0001D11E\U0001D11E'
+ u'\u1234\u1234\u1234\u1234\u1234\u1234')
+ self.assertEqual(r'"\U0001d11e\U0001d11e\U0001d11e\U0001d11e'
+ r'\u1234\u1234\u1234\u1234\u1234\u1234"', s)
def main():
unittest.main()
--- python-cjson-1.0.5.orig/cjson.c
+++ python-cjson-1.0.5/cjson.c
@@ -613,6 +613,25 @@
char *p;
static const char *hexdigit = "0123456789abcdef";
+#ifdef Py_UNICODE_WIDE
+ const Py_ssize_t expandsize = 10;
+#else
+ const Py_ssize_t expandsize = 6;
+#endif
+
+ /* Initial allocation is based on the longest-possible unichr
+ escape.
+
+ In wide (UTF-32) builds '\U00xxxxxx' is 10 chars per source
+ unichr, so in this case it's the longest unichr escape. In
+ narrow (UTF-16) builds this is five chars per source unichr
+ since there are two unichrs in the surrogate pair, so in narrow
+ (UTF-16) builds it's not the longest unichr escape.
+
+ In wide or narrow builds '\uxxxx' is 6 chars per source unichr,
+ so in the narrow (UTF-16) build case it's the longest unichr
+ escape.
+ */
s = PyUnicode_AS_UNICODE(unicode);
size = PyUnicode_GET_SIZE(unicode);
@@ -623,7 +642,7 @@
return NULL;
}
- repr = PyString_FromStringAndSize(NULL, 2 + 6*size + 1);
+ repr = PyString_FromStringAndSize(NULL, 2 + expandsize*size + 1);
if (repr == NULL)
return NULL;
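Review bot: The allocation on the `+` line now multiplies by expandsize, but the overflow guard that precedes it — the `if (size > ...)` whose `return NULL; }` opens this hunk — lies between the first and second hunk and is not touched by the patch, so it presumably still divides by the old constant 6. On a wide build a `size` between PY_SSIZE_T_MAX/10 and PY_SSIZE_T_MAX/6 would pass that guard and `expandsize*size` overflows Py_ssize_t (signed overflow, undefined behaviour), handing a wrapped length to PyString_FromStringAndSize before the escape loop ever runs; on 64-bit hosts no such string fits in memory, on 32-bit wide builds it is a few hundred million characters. The guard should use the same factor as the allocation, e.g. `if (size > (PY_SSIZE_T_MAX - 2 - 1) / expandsize)`. The enclosing encode function starts before the first hunk and continues past this one.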
@@ -644,15 +663,6 @@
#ifdef Py_UNICODE_WIDE
/* Map 21-bit characters to '\U00xxxxxx' */
else if (ch >= 0x10000) {
- int offset = p - PyString_AS_STRING(repr);
-
- /* Resize the string if necessary */
- if (offset + 12 > PyString_GET_SIZE(repr)) {
- if (_PyString_Resize(&repr, PyString_GET_SIZE(repr) + 100))
- return NULL;
- p = PyString_AS_STRING(repr) + offset;
- }
-
*p++ = '\\';
*p++ = 'U';
*p++ = hexdigit[(ch >> 28) & 0x0000000F];
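Review bot: With the in-loop resize removed, the `*p++` writes in this branch have no bound check at all; correctness now rests entirely on the up-front `2 + expandsize*size + 1` allocation being the worst case for every escape the loop can emit, including the other escape branches that lie outside this hunk. That invariant is non-local and the original defect was precisely a miscount of it, so a cheap debug check where the buffer is finalised (outside this hunk) would catch any regression, e.g. `assert(p - PyString_AS_STRING(repr) <= PyString_GET_SIZE(repr));` before the final resize or return, adding `#include <assert.h>` if the file lacks it. The enclosing function continues outside the hunk on both sides.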
Index: python-cjson.spec
===================================================================
RCS file: /cvs/pkgs/rpms/python-cjson/F-13/python-cjson.spec,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -p -r1.4 -r1.5
--- python-cjson.spec 26 Jul 2009 20:13:53 -0000 1.4
+++ python-cjson.spec 3 Jul 2010 20:52:28 -0000 1.5
@@ -2,13 +2,14 @@
Name: python-cjson
Version: 1.0.5
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: Fast JSON encoder/decoder for Python
Group: Development/Languages
License: LGPLv2+
URL: http://pypi.python.org/pypi/python-cjson
Source0: http://pypi.python.org/packages/source/p/%{name}/%{name}-%{version}.tar.gz
+Patch0: python-cjson-1.0.5-CVE-2010-1666.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: python-devel
@@ -29,6 +30,7 @@ is the the range of 10-200 times for enc
%prep
%setup -q
+%patch0 -p1
%build
@@ -52,6 +54,9 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Sat Jul 03 2010 Felix Schwarz <felix.schwarz at oss.schwarz.eu> - 1.0.5-5
+- CVE-2010-1666 (fixed by including a patch from Ubuntu, see Launchpad 585274)
+
* Sun Jul 26 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.0.5-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild