rpms/python-cjson/EL-5 python-cjson-1.0.5-CVE-2010-1666.patch, NONE, 1.1 python-cjson.spec, 1.1, 1.2

Felix Schwarz fschwarz at fedoraproject.org
Sat Jul 3 21:04:59 UTC 2010


Author: fschwarz

Update of /cvs/pkgs/rpms/python-cjson/EL-5
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv3735/EL-5

Modified Files:
	python-cjson.spec 
Added Files:
	python-cjson-1.0.5-CVE-2010-1666.patch 
Log Message:
CVE-2010-1666 (fixed by including a patch from Ubuntu, see Launchpad 585274)

python-cjson-1.0.5-CVE-2010-1666.patch:
 cjson.c     |   30 ++++++++++++++++++++----------
 jsontest.py |   12 ++++++++++++
 2 files changed, 32 insertions(+), 10 deletions(-)

--- NEW FILE python-cjson-1.0.5-CVE-2010-1666.patch ---
--- python-cjson-1.0.5.orig/jsontest.py
+++ python-cjson-1.0.5/jsontest.py
@@ -316,6 +316,18 @@
 
     def testWriteLong(self):
         self.assertEqual("12345678901234567890", cjson.encode(12345678901234567890))
+
+    def testWriteLongUnicode(self):
+        # This test causes a buffer overrun in cjson 1.0.5, on UCS4 builds.
+        # The string length is only resized for wide unicode characters if
+        # there is less than 12 bytes of space left. Padding with
+        # narrow-but-escaped characters prevents string resizing.
+        # Note that u'\U0001D11E\u1234' also breaks, but sometimes goes
+        # undetected.
+        s = cjson.encode(u'\U0001D11E\U0001D11E\U0001D11E\U0001D11E'
+                         u'\u1234\u1234\u1234\u1234\u1234\u1234')
+        self.assertEqual(r'"\U0001d11e\U0001d11e\U0001d11e\U0001d11e'
+                         r'\u1234\u1234\u1234\u1234\u1234\u1234"', s)
         
 def main():
     unittest.main()
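Review bot: The comment on the new testWriteLongUnicode describes the defect in the present tense ("The string length is only resized ... if there is less than 12 bytes of space left"), which becomes stale the moment this same patch removes that resize logic, and it carries no identifier that ties the test back to the advisory. Suggest leading with the CVE and phrasing the mechanism as history, e.g. `# Regression test for CVE-2010-1666 (Launchpad 585274): cjson 1.0.5 overran` / `# its output buffer on UCS4 builds when a '\U' escape was written near the end` / `# of a buffer that had been sized for 6 bytes per character.` The sentence about u'\U0001D11E\u1234' "sometimes" going undetected is worth keeping, since it explains why the test pads with escaped narrow characters rather than using the minimal input.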
--- python-cjson-1.0.5.orig/cjson.c
+++ python-cjson-1.0.5/cjson.c
@@ -613,6 +613,25 @@
     char *p;
 
     static const char *hexdigit = "0123456789abcdef";
+#ifdef Py_UNICODE_WIDE
+    const Py_ssize_t expandsize = 10;
+#else
+    const Py_ssize_t expandsize = 6;
+#endif
+
+    /* Initial allocation is based on the longest-possible unichr
+       escape.
+
+       In wide (UTF-32) builds '\U00xxxxxx' is 10 chars per source
+       unichr, so in this case it's the longest unichr escape. In
+       narrow (UTF-16) builds this is five chars per source unichr
+       since there are two unichrs in the surrogate pair, so in narrow
+       (UTF-16) builds it's not the longest unichr escape.
+
+       In wide or narrow builds '\uxxxx' is 6 chars per source unichr,
+       so in the narrow (UTF-16) build case it's the longest unichr
+       escape.
+    */
 
     s = PyUnicode_AS_UNICODE(unicode);
     size = PyUnicode_GET_SIZE(unicode);
@@ -623,7 +642,7 @@
         return NULL;
     }
 
-    repr = PyString_FromStringAndSize(NULL, 2 + 6*size + 1);
+    repr = PyString_FromStringAndSize(NULL, 2 + expandsize*size + 1);
     if (repr == NULL)
         return NULL;
 
@@ -644,15 +663,6 @@
 #ifdef Py_UNICODE_WIDE
         /* Map 21-bit characters to '\U00xxxxxx' */
         else if (ch >= 0x10000) {
-            int offset = p - PyString_AS_STRING(repr);
-
-            /* Resize the string if necessary */
-            if (offset + 12 > PyString_GET_SIZE(repr)) {
-                if (_PyString_Resize(&repr, PyString_GET_SIZE(repr) + 100))
-                    return NULL;
-                p = PyString_AS_STRING(repr) + offset;
-            }
-
             *p++ = '\\';
             *p++ = 'U';
             *p++ = hexdigit[(ch >> 28) & 0x0000000F];
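Review bot: After this deletion nothing at the `\U` branch explains why ten bytes may be written through `p` with no bound check; the guarantee now lives entirely in the expandsize-based allocation many lines earlier, and the next maintainer who sees a bare ten-byte write in a branch that used to resize will wonder whether the resize was dropped by mistake. Suggest a short comment at the top of the branch, e.g. `/* No resize needed: repr was sized for expandsize (10) bytes per Py_UNICODE on wide builds, see allocation above. */` The surrounding loop and the enclosing function start and end outside this hunk.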



Index: python-cjson.spec
===================================================================
RCS file: /cvs/pkgs/rpms/python-cjson/EL-5/python-cjson.spec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- python-cjson.spec	8 Apr 2008 00:34:40 -0000	1.1
+++ python-cjson.spec	3 Jul 2010 21:04:59 -0000	1.2
@@ -2,13 +2,14 @@
 
 Name:           python-cjson
 Version:        1.0.5
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Fast JSON encoder/decoder for Python
 
 Group:          Development/Languages
 License:        LGPLv2+
 URL:            http://pypi.python.org/pypi/python-cjson
 Source0:        http://pypi.python.org/packages/source/p/%{name}/%{name}-%{version}.tar.gz
+Patch0:         python-cjson-1.0.5-CVE-2010-1666.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildRequires:  python-devel
@@ -29,6 +30,7 @@ is the the range of 10-200 times for enc
 
 %prep
 %setup -q
+%patch0 -p1
 
 
 %build
@@ -52,5 +54,8 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Sat Jul 03 2010 Felix Schwarz <felix.schwarz at oss.schwarz.eu> - 1.0.5-2
+- CVE-2010-1666 (fixed by including a patch from Ubuntu, see Launchpad 585274)
+
 * Thu Mar 20 2008 Toshio Kuratomi <toshio at fedoraproject.org> - 1.0.5-1
 - Initial Fedora build.


