[python/f20] Fix JSON reading arbitrary process memory (rhbz#1112293)
Matej Stuchlik
mstuchli at fedoraproject.org
Wed Jun 25 08:09:40 UTC 2014
commit dddce598a3dc2794bd656c1fce8093bcc220d6d5
Author: Matej Stuchlik <mstuchli at redhat.com>
Date: Wed Jun 25 09:19:56 2014 +0200
Fix JSON reading arbitrary process memory (rhbz#1112293)
00196-json-add-boundary-check.patch | 52 +++++++++++++++++++++++++++++++++++
python.spec | 12 +++++++-
2 files changed, 63 insertions(+), 1 deletions(-)
---
diff --git a/00196-json-add-boundary-check.patch b/00196-json-add-boundary-check.patch
new file mode 100644
index 0000000..c60831e
--- /dev/null
+++ b/00196-json-add-boundary-check.patch
@@ -0,0 +1,52 @@
+
+# HG changeset patch
+# User Benjamin Peterson <benjamin at python.org>
+# Date 1397441438 14400
+# Node ID 50c07ed1743da9cd4540d83de0c30bd17aeb41b0
+# Parent 218e28a935ab4494d05215c243e2129625a71893
+in scan_once, prevent the reading of arbitrary memory when passed a negative index
+
+Bug reported by Guido Vranken.
+
+diff --git a/Lib/json/tests/test_decode.py b/Lib/json/tests/test_decode.py
+--- a/Lib/json/tests/test_decode.py
++++ b/Lib/json/tests/test_decode.py
+@@ -60,5 +60,10 @@ class TestDecode(object):
+ msg = 'escape'
+ self.assertRaisesRegexp(ValueError, msg, self.loads, s)
+
++ def test_negative_index(self):
++ d = self.json.JSONDecoder()
++ self.assertRaises(ValueError, d.raw_decode, 'a'*42, -50000)
++ self.assertRaises(ValueError, d.raw_decode, u'a'*42, -50000)
++
+ class TestPyDecode(TestDecode, PyTest): pass
+ class TestCDecode(TestDecode, CTest): pass
+diff --git a/Modules/_json.c b/Modules/_json.c
+--- a/Modules/_json.c
++++ b/Modules/_json.c
+@@ -1468,7 +1468,10 @@ scan_once_str(PyScannerObject *s, PyObje
+ PyObject *res;
+ char *str = PyString_AS_STRING(pystr);
+ Py_ssize_t length = PyString_GET_SIZE(pystr);
+- if (idx >= length) {
++ if (idx < 0)
++ /* Compatibility with the Python version. */
++ idx += length;
++ if (idx < 0 || idx >= length) {
+ PyErr_SetNone(PyExc_StopIteration);
+ return NULL;
+ }
+@@ -1555,7 +1558,10 @@ scan_once_unicode(PyScannerObject *s, Py
+ PyObject *res;
+ Py_UNICODE *str = PyUnicode_AS_UNICODE(pystr);
+ Py_ssize_t length = PyUnicode_GET_SIZE(pystr);
+- if (idx >= length) {
++ if (idx < 0)
++ /* Compatibility with Python version. */
++ idx += length;
++ if (idx < 0 || idx >= length) {
+ PyErr_SetNone(PyExc_StopIteration);
+ return NULL;
+ }
+
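Review bot: The new test_negative_index only passes -50000 against 42-character strings, so it covers the rejection branch but never the `idx += length` wrap-around that the C change adds for indices between -length and -1 in scan_once_str and scan_once_unicode. The comment says the wrap exists for compatibility with the Python scanner, so a case with a small in-range negative index, run through both TestPyDecode and TestCDecode, would show whether the two implementations agree; if they might not, rejecting every negative idx would be the narrower fix. The brace-less `if (idx < 0)` with a comment sitting between the condition and its statement is also easy to break in a later edit; `if (idx < 0) { idx += length; }` is safer. Both C functions continue beyond the lines shown in these hunks.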
diff --git a/python.spec b/python.spec
index f3539b4..0a44d0b 100644
--- a/python.spec
+++ b/python.spec
@@ -106,7 +106,7 @@ Summary: An interpreted, interactive, object-oriented programming language
Name: %{python}
# Remember to also rebase python-docs when changing this:
Version: 2.7.5
-Release: 12%{?dist}
+Release: 13%{?dist}
License: Python
Group: Development/Languages
Requires: %{python}-libs%{?_isa} = %{version}-%{release}
@@ -886,6 +886,11 @@ Patch194: 00194-fix-tests-with-sqlite-3.8.4.patch
# http://bugs.python.org/issue18851
Patch195: 00195-avoid-double-close-of-pipes-on-child-process-fail.patch
+# 00196 #
+#
+# JSON module could read arbitrary process memory
+# rhbz#1112293
+Patch196: 00196-json-add-boundary-check.patch
# (New patches go here ^^^)
#
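Review bot: The comment block for Patch196 gives only the rhbz number, while the neighbouring entry above it links the upstream bug, so the origin of this fix cannot be traced from the spec alone. The patch header carries the upstream Mercurial node, so a line such as `# Upstream changeset: 50c07ed1743da9cd4540d83de0c30bd17aeb41b0` placed under `# rhbz#1112293` would record where the backport came from.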
@@ -1242,6 +1247,7 @@ mv Modules/cryptmodule.c Modules/_cryptmodule.c
%patch193 -p1
%patch194 -p1
%patch195 -p1
+%patch196 -p1
# This shouldn't be necesarry, but is right now (2.2a3)
@@ -2071,6 +2077,10 @@ rm -fr %{buildroot}
# ======================================================
%changelog
+* Wed Jun 25 2014 Matej Stuchlik <mstuchli at redhat.com> - 2.7.5-13
+- JSON module could read arbitrary process memory
+Resolves: rhbz#1112293
+
* Thu Jun 19 2014 Bohuslav Kabrda <bkabrda at redhat.com> - 2.7.5-12
- Fix test failures with SQLite 3.8.4
- Fix double close of subprocess pipes when child process fails