[python3/f19] Fix JSON reading arbitrary process memory (rhbz#1112293)

Matej Stuchlik mstuchli at fedoraproject.org
Mon Jun 30 12:39:18 UTC 2014 

commit 0d23a9e8e77945a8a79bc23639550e0d299d57a4
Author: Matej Stuchlik <mstuchli at redhat.com>
Date:   Mon Jun 30 14:38:07 2014 +0200

    Fix JSON reading arbitrary process memory (rhbz#1112293)

 00188-json-add-boundary-check.patch |   37 +++++++++++++++++++++++++++++++++++
 python3.spec                        |   12 ++++++++++-
 2 files changed, 48 insertions(+), 1 deletions(-)
---
diff --git a/00188-json-add-boundary-check.patch b/00188-json-add-boundary-check.patch
new file mode 100644
index 0000000..dcdf348
--- /dev/null
+++ b/00188-json-add-boundary-check.patch
@@ -0,0 +1,37 @@
+
+# HG changeset patch
+# User Benjamin Peterson <benjamin at python.org>
+# Date 1397442496 14400
+# Node ID 4f15bd1ab28fe25c2e381ab05b11b60ce42fe613
+# Parent  b49d990aaa9d708a8c3174f6d51b8e069040ffe4# Parent  8130b8c066062bc589d337aebd3da4b156ee7f45
+merge 3.2
+
+diff --git a/Lib/test/test_json/test_decode.py b/Lib/test/test_json/test_decode.py
+--- a/Lib/test/json_tests/test_decode.py
++++ b/Lib/test/json_tests/test_decode.py
+@@ -70,5 +70,9 @@ class TestDecode:
+         msg = 'escape'
+         self.assertRaisesRegex(ValueError, msg, self.loads, s)
+ 
++    def test_negative_index(self):
++        d = self.json.JSONDecoder()
++        self.assertRaises(ValueError, d.raw_decode, 'a'*42, -50000)
++
+ class TestPyDecode(TestDecode, PyTest): pass
+ class TestCDecode(TestDecode, CTest): pass
+diff --git a/Modules/_json.c b/Modules/_json.c
+--- a/Modules/_json.c
++++ b/Modules/_json.c
+@@ -975,7 +975,10 @@ scan_once_unicode(PyScannerObject *s, Py
+     kind = PyUnicode_KIND(pystr);
+     length = PyUnicode_GET_LENGTH(pystr);
+ 
+-    if (idx >= length) {
++    if (idx < 0)
++        /* Compatibility with Python version. */
++        idx += length;
++    if (idx < 0 || idx >= length) {
+         PyErr_SetNone(PyExc_StopIteration);
+         return NULL;
+     }
+
diff --git a/python3.spec b/python3.spec
index cd99a8a..0440220 100644
--- a/python3.spec
+++ b/python3.spec
@@ -126,7 +126,7 @@
 Summary: Version 3 of the Python programming language aka Python 3000
 Name: python3
 Version: %{pybasever}.2
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: Python
 Group: Development/Languages
 
@@ -629,6 +629,11 @@ Patch186: 00186-dont-raise-from-py_compile.patch
 # See http://bugs.python.org/issue17997#msg194950 for more.
 Patch187: 00187-change-match_hostname-to-follow-RFC-6125.patch
 
+# 00188 #
+# JSON module could read arbitrary process memory
+# rhbz#1112293
+Patch188: 00188-json-add-boundary-check.patch
+
 
 # (New patches go here ^^^)
 #
@@ -891,6 +896,7 @@ done
 %patch185 -p1
 %patch186 -p1
 %patch187 -p1
+%patch188 -p1
 
 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
 # are many differences between 2.6 and the Python 3 library.
@@ -1738,6 +1744,10 @@ rm -fr %{buildroot}
 # ======================================================
 
 %changelog
+* Mon Jun 30 2014 Matej Stuchlik <mstuchli at redhat.com> - 3.3.2-9
+- JSON module could read arbitrary process memory
+Resolves: rhbz#1112293
+
 * Fri Nov 08 2013 Matej Stuchlik <mstuchli at redhat.com> - 3.3.2-8
 - Changed behavior of ssl.match_hostname() to follow RFC 6125 (rhbz#1023742)

More information about the scm-commits mailing list