[libvoikko/f14] Security update: fixes handling of embedded null characters in input strings entered through the Pyt
Ville-Pekka Vainio
vpv at fedoraproject.org
Sun Jun 12 17:10:13 UTC 2011
commit b480e075e4be22a2557c0b32a01c654185d71e8f
Author: Ville-Pekka Vainio <vpivaini at cs.helsinki.fi>
Date: Sun Jun 12 20:09:51 2011 +0300
Security update: fixes handling of embedded null characters in input strings
entered through the Python interface.
libvoikko-handle-embedded-null-input.patch | 102 ++++++++++++++++++++++++++++
libvoikko.spec | 9 ++-
2 files changed, 110 insertions(+), 1 deletions(-)
---
diff --git a/libvoikko-handle-embedded-null-input.patch b/libvoikko-handle-embedded-null-input.patch
new file mode 100644
index 0000000..52a5eef
--- /dev/null
+++ b/libvoikko-handle-embedded-null-input.patch
@@ -0,0 +1,102 @@
+Index: libvoikko/python/libvoikko.py
+===================================================================
+--- libvoikko/python/libvoikko.py (revision 3900)
++++ libvoikko/python/libvoikko.py (revision 3903)
+@@ -20,7 +20,7 @@
+
+ """
+
+-# Copyright 2009 - 2010 Harri Pitkänen (hatapitk at iki.fi)
++# Copyright 2009 - 2011 Harri Pitkänen (hatapitk at iki.fi)
+ # This library requires Python version 2.5 or newer.
+
+ # This program is free software; you can redistribute it and/or modify
+@@ -259,6 +259,9 @@
+ if result == 0:
+ raise VoikkoException(u"Could not set boolean option " + str(option) + u" to value " + str(value) + u".")
+
++ def __isValidInput(self, text):
++ return u"\0" not in text
++
+ def terminate(self):
+ """Releases the resources allocated by libvoikko for this instance. The instance cannot be used anymore
+ after this method has been called. The resources are released automatically when the Python object is
+@@ -342,6 +345,9 @@
+ """Check the spelling of given word. Return true if the word is correct,
+ false if it is incorrect.
+ """
++ if not self.__isValidInput(word):
++ return False
++
+ result = self.__lib.voikkoSpellUcs4(self.__handle, word)
+ if result == 0:
+ return False
+@@ -354,6 +360,8 @@
+ """Generate a list of suggested spellings for given (misspelled) word.
+ If the given word is correct, the list contains only the word itself.
+ """
++ if not self.__isValidInput(word):
++ return []
+
+ cSuggestions = self.__lib.voikkoSuggestUcs4(self.__handle, word)
+ pSuggestions = []
+@@ -404,6 +412,9 @@
+ Unlike the C based API this method accepts multiple paragraphs
+ separated by newline characters.
+ """
++ if not self.__isValidInput(text):
++ return []
++
+ textUnicode = unicode(text)
+ errorList = []
+ offset = 0
+@@ -424,6 +435,9 @@
+ analysis results. The results are represented as maps having property
+ names as keys and property values as values.
+ """
++ if not self.__isValidInput(word):
++ return []
++
+ cAnalysisList = self.__lib.voikkoAnalyzeWordUcs4(self.__handle, word)
+ pAnalysisList = []
+
+@@ -449,6 +463,19 @@
+
+ def tokens(self, text):
+ """Split the given natural language text into a list of Token objects."""
++ startIndex = 0
++ tokens = []
++ while True:
++ i = text.find(u"\0", startIndex)
++ if i == -1:
++ break
++ tokens = tokens + self.__splitTokens(text[startIndex:i])
++ tokens.append(Token(u"\0", Token.UNKNOWN))
++ startIndex = i + 1
++ tokens = tokens + self.__splitTokens(text[startIndex:])
++ return tokens
++
++ def __splitTokens(self, text):
+ uniText = unicode(text)
+ result = []
+ textLen = len(uniText)
+@@ -467,6 +494,9 @@
+
+ def sentences(self, text):
+ """Split the given natural language text into a list of Sentence objects."""
++ if not self.__isValidInput(text):
++ return [Sentence(text, Sentence.NONE)]
++
+ uniText = unicode(text)
+ result = []
+ textLen = len(uniText)
+@@ -491,6 +521,9 @@
+ '=' = hyphentation point (character at this position
+ is replaced by the hyphen.)
+ """
++ if not self.__isValidInput(word):
++ return "".ljust(len(word))
++
+ cHyphenationPattern = self.__lib.voikkoHyphenateUcs4(self.__handle, word)
+ hyphenationPattern = string_at(cHyphenationPattern)
+ self.__lib.voikkoFreeCstr(cHyphenationPattern)
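Review bot: In the added `tokens()` loop, `tokens = tokens + self.__splitTokens(text[startIndex:i])` copies the whole accumulated list at every embedded NUL, so text with many `\0` characters costs quadratic time on exactly the input this patch is meant to handle safely. `tokens.extend(self.__splitTokens(text[startIndex:i]))` keeps it linear, and the same applies to the final call after the loop. The guards added before the `voikkoSpellUcs4`, `voikkoSuggestUcs4`, `voikkoAnalyzeWordUcs4` and `voikkoHyphenateUcs4` calls and in the grammar-check method return values that look like ordinary results (`False`, `[]`, a blank pattern), yet no docstring is updated. A line such as `Input containing an embedded null character is rejected and yields an empty list.` in each would tell callers what an empty answer can mean. `__isValidInput` also deserves a short comment saying why NUL is refused, presumably because the C side treats the string as NUL-terminated and would see only the prefix; the method bodies continue outside these nested hunks.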
diff --git a/libvoikko.spec b/libvoikko.spec
index 299483a..21fb45c 100644
--- a/libvoikko.spec
+++ b/libvoikko.spec
@@ -1,7 +1,8 @@
%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
+%define _default_patch_fuzz 2
Name: libvoikko
Version: 3.0
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: Voikko is a library for spellcheckers and hyphenators
Group: System Environment/Libraries
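Review bot: `%define _default_patch_fuzz 2` relaxes context matching for every patch applied by this spec, so a hunk of the security patch could land at a nearby but wrong location without failing the build. The patch headers show it was taken from upstream revisions 3900 to 3903 rather than from the 3.0 tarball, which is presumably why fuzz is needed. Regenerating it against the unpacked 3.0 sources would let it apply under the strict default and turn a misapplied hunk into a build error. If the setting stays, a comment such as `# Patch0 is an upstream svn diff and needs fuzz to apply to the 3.0 tarball` above it would record the reason.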
@@ -11,6 +12,7 @@ URL: http://voikko.sourceforge.net/
Source0: http://downloads.sourceforge.net/voikko/%{name}-%{version}.tar.gz
# The usual format of test release URLs
#Source0: http://www.puimula.org/htp/testing/%{name}-%{version}rc1.tar.gz
+Patch0: %{name}-handle-embedded-null-input.patch
BuildRequires: python-devel
# Libvoikko >= 2.2 needs this, earlier versions won't work
@@ -62,6 +64,7 @@ tasks on Finnish text.
%prep
%setup -q
+%patch0 -p1
%build
@@ -120,6 +123,10 @@ rm -rf $RPM_BUILD_ROOT
%{python_sitelib}/%{name}.py*
%changelog
+* Sun Jun 12 2011 Ville-Pekka Vainio <vpivaini AT cs.helsinki.fi> - 3.0-3
+- Security update: fixes handling of embedded null characters in input strings
+ entered through the Python interface.
+
* Wed Jul 21 2010 David Malcolm <dmalcolm at redhat.com> - 3.0-2
- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild