[libvoikko/f14] Security update: fixes handling of embedded null characters in input strings entered through the Pyt

Ville-Pekka Vainio vpv at fedoraproject.org
Sun Jun 12 17:10:13 UTC 2011


commit b480e075e4be22a2557c0b32a01c654185d71e8f
Author: Ville-Pekka Vainio <vpivaini at cs.helsinki.fi>
Date:   Sun Jun 12 20:09:51 2011 +0300

    Security update: fixes handling of embedded null characters in input strings
    entered through the Python interface.

 libvoikko-handle-embedded-null-input.patch |  102 ++++++++++++++++++++++++++++
 libvoikko.spec                             |    9 ++-
 2 files changed, 110 insertions(+), 1 deletions(-)
---
diff --git a/libvoikko-handle-embedded-null-input.patch b/libvoikko-handle-embedded-null-input.patch
new file mode 100644
index 0000000..52a5eef
--- /dev/null
+++ b/libvoikko-handle-embedded-null-input.patch
@@ -0,0 +1,102 @@
+Index: libvoikko/python/libvoikko.py
+===================================================================
+--- libvoikko/python/libvoikko.py	(revision 3900)
++++ libvoikko/python/libvoikko.py	(revision 3903)
+@@ -20,7 +20,7 @@
+ 
+ """
+ 
+-# Copyright 2009 - 2010 Harri Pitkänen (hatapitk at iki.fi)
++# Copyright 2009 - 2011 Harri Pitkänen (hatapitk at iki.fi)
+ # This library requires Python version 2.5 or newer.
+ 
+ # This program is free software; you can redistribute it and/or modify
+@@ -259,6 +259,9 @@
+ 		if result == 0:
+ 			raise VoikkoException(u"Could not set boolean option " + str(option) + u" to value " + str(value) + u".")
+ 	
++	def __isValidInput(self, text):
++		return u"\0" not in text
++	
+ 	def terminate(self):
+ 		"""Releases the resources allocated by libvoikko for this instance. The instance cannot be used anymore
+ 		after this method has been called. The resources are released automatically when the Python object is
+@@ -342,6 +345,9 @@
+ 		"""Check the spelling of given word. Return true if the word is correct,
+ 		false if it is incorrect.
+ 		"""
++		if not self.__isValidInput(word):
++			return False
++		
+ 		result = self.__lib.voikkoSpellUcs4(self.__handle, word)
+ 		if result == 0:
+ 			return False
+@@ -354,6 +360,8 @@
+ 		"""Generate a list of suggested spellings for given (misspelled) word.
+ 		If the given word is correct, the list contains only the word itself.
+ 		"""
++		if not self.__isValidInput(word):
++			return []
+ 		
+ 		cSuggestions = self.__lib.voikkoSuggestUcs4(self.__handle, word)
+ 		pSuggestions = []
+@@ -404,6 +412,9 @@
+ 		Unlike the C based API this method accepts multiple paragraphs
+ 		separated by newline characters.
+ 		"""
++		if not self.__isValidInput(text):
++			return []
++		
+ 		textUnicode = unicode(text)
+ 		errorList = []
+ 		offset = 0
+@@ -424,6 +435,9 @@
+ 		analysis results. The results are represented as maps having property
+ 		names as keys and property values as values.
+ 		"""
++		if not self.__isValidInput(word):
++			return []
++		
+ 		cAnalysisList = self.__lib.voikkoAnalyzeWordUcs4(self.__handle, word)
+ 		pAnalysisList = []
+ 		
+@@ -449,6 +463,19 @@
+ 	
+ 	def tokens(self, text):
+ 		"""Split the given natural language text into a list of Token objects."""
++		startIndex = 0
++		tokens = []
++		while True:
++			i = text.find(u"\0", startIndex)
++			if i == -1:
++				break
++			tokens = tokens + self.__splitTokens(text[startIndex:i])
++			tokens.append(Token(u"\0", Token.UNKNOWN))
++			startIndex = i + 1
++		tokens = tokens + self.__splitTokens(text[startIndex:])
++		return tokens
++	
++	def __splitTokens(self, text):
+ 		uniText = unicode(text)
+ 		result = []
+ 		textLen = len(uniText)
+@@ -467,6 +494,9 @@
+ 	
+ 	def sentences(self, text):
+ 		"""Split the given natural language text into a list of Sentence objects."""
++		if not self.__isValidInput(text):
++			return [Sentence(text, Sentence.NONE)]
++		
+ 		uniText = unicode(text)
+ 		result = []
+ 		textLen = len(uniText)
+@@ -491,6 +521,9 @@
+ 		  '=' = hyphentation point (character at this position
+ 		        is replaced by the hyphen.)
+ 		"""
++		if not self.__isValidInput(word):
++			return "".ljust(len(word))
++		
+ 		cHyphenationPattern = self.__lib.voikkoHyphenateUcs4(self.__handle, word)
+ 		hyphenationPattern = string_at(cHyphenationPattern)
+ 		self.__lib.voikkoFreeCstr(cHyphenationPattern)
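Review bot: In the embedded patch's `tokens()` hunk, `tokens = tokens + self.__splitTokens(text[startIndex:i])` rebuilds the accumulated list once per NUL character, so an input made up largely of NULs costs quadratic time in the very path added to harden input handling. Using `tokens.extend(self.__splitTokens(text[startIndex:i]))` inside the loop and `tokens.extend(self.__splitTokens(text[startIndex:]))` after it keeps the work linear. `__isValidInput` has no docstring; something like `"""Return False if text contains U+0000; the strings are handed to the C library through ctypes."""` would record why the guard exists, though that rationale is inferred from the commit message and the `self.__lib.*Ucs4` calls, so confirm the wording. The guarded methods now return `False`, `[]`, a blank pattern or a single `Sentence` without signalling that the input was rejected. Their docstrings begin outside the hunks shown and should mention this, so callers can tell rejected input apart from "no suggestions".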
diff --git a/libvoikko.spec b/libvoikko.spec
index 299483a..21fb45c 100644
--- a/libvoikko.spec
+++ b/libvoikko.spec
@@ -1,7 +1,8 @@
 %{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
+%define _default_patch_fuzz 2
 Name:           libvoikko
 Version:        3.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Voikko is a library for spellcheckers and hyphenators
 
 Group:          System Environment/Libraries
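Review bot: `%define _default_patch_fuzz 2` lets patch(1) apply hunks whose context does not match the 3.0 sources, and with a security fix it is worth ruling out a hunk that lands a few lines away from the intended method. The embedded patch is a diff between upstream revisions 3900 and 3903, which is presumably why its context differs from the release tarball. Regenerating it against the unpacked 3.0 tree would let it apply without fuzz, and this line could then be dropped. If the fuzz has to stay, limiting it to the one patch with `%patch0 -p1 -F2` and adding a comment such as `# Patch0 is an upstream SVN diff; context differs from the 3.0 tarball` keeps later patches strict.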
@@ -11,6 +12,7 @@ URL:            http://voikko.sourceforge.net/
 Source0:        http://downloads.sourceforge.net/voikko/%{name}-%{version}.tar.gz
 # The usual format of test release URLs
 #Source0:        http://www.puimula.org/htp/testing/%{name}-%{version}rc1.tar.gz
+Patch0:         %{name}-handle-embedded-null-input.patch
 
 BuildRequires:  python-devel
 # Libvoikko >= 2.2 needs this, earlier versions won't work
@@ -62,6 +64,7 @@ tasks on Finnish text.
 
 %prep
 %setup -q
+%patch0 -p1
 
 
 %build
@@ -120,6 +123,10 @@ rm -rf $RPM_BUILD_ROOT
 %{python_sitelib}/%{name}.py*
 
 %changelog
+* Sun Jun 12 2011 Ville-Pekka Vainio <vpivaini AT cs.helsinki.fi> - 3.0-3
+- Security update: fixes handling of embedded null characters in input strings
+  entered through the Python interface.
+
 * Wed Jul 21 2010 David Malcolm <dmalcolm at redhat.com> - 3.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
 

