From 563f31523d7f2dd817e4fc7b0121d9385bb402f0 Mon Sep 17 00:00:00 2001
From: Juan RP
Date: Sun, 9 Feb 2014 10:58:56 +0100
Subject: [PATCH] python: Fix vulnerability reported in SA56624 (via pkgsrc).
---
 .../patches/patch-Modules_socketmodule.c | 19 ++++++++++++
 srcpkgs/python/template | 29 +++++++++----------
 2 files changed, 32 insertions(+), 16 deletions(-)
 create mode 100644 srcpkgs/python/patches/patch-Modules_socketmodule.c
diff --git a/srcpkgs/python/patches/patch-Modules_socketmodule.c b/srcpkgs/python/patches/patch-Modules_socketmodule.c
new file mode 100644
index 0000000000..1d88fd921c
--- /dev/null
+++ b/srcpkgs/python/patches/patch-Modules_socketmodule.c
@@ -0,0 +1,19 @@
+$NetBSD$
+
+Fix vulnerability reported in SA56624. Patch taken from here:
+
+http://hg.python.org/cpython/rev/87673659d8f7
+
+--- Modules/socketmodule.c.orig 2013-11-10 07:36:41.000000000 +0000
++++ Modules/socketmodule.c 2014-02-09 08:41:25.000000000 +0000
+@@ -2742,6 +2742,10 @@
+ if (recvlen == 0) {
+ /* If nbytes was not specified, use the buffer's length */
+ recvlen = buflen;
++ } else if (recvlen > buflen) {
++ PyErr_SetString(PyExc_ValueError,
++ "nbytes is greater than the length of the buffer");
++ goto error;
+ }
+
+ readlen = sock_recvfrom_guts(s, buf.buf, recvlen, flags, &addr);
diff --git a/srcpkgs/python/template b/srcpkgs/python/template
index 818413f64e..4045abf131 100644
--- a/srcpkgs/python/template
+++ b/srcpkgs/python/template
@@ -1,8 +1,11 @@
 # Template build file for 'python'.
 pkgname=python
 version=2.7.6
-revision=4
+revision=5
 wrksrc="Python-${version}"
+hostmakedepends="pkg-config"
+makedepends="libffi-devel readline-devel gdbm-devel openssl-devel expat-devel sqlite-devel bzip2-devel zlib-devel"
+pycompile_dirs="usr/lib/python2.7"
 short_desc="Interpreted, interactive, object-oriented programming language"
 maintainer="Juan RP "
 homepage="http://www.python.org"
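Review bot: In patch-Modules_socketmodule.c the added `else if (recvlen > buflen)` branch bounds nbytes only from above, and whether a negative nbytes is rejected depends on code before the embedded hunk, since the enclosing function and the declarations of `recvlen` and `buflen` lie outside it. If both are signed and no earlier `recvlen < 0` check exists, a negative value would pass this comparison and still reach `sock_recvfrom_guts(s, buf.buf, recvlen, flags, &addr)`, so this is worth confirming against Modules/socketmodule.c in the 2.7.6 tarball. The patch header would also benefit from one sentence stating what the branch protects, for example `Reject nbytes larger than the destination buffer before the recvfrom call writes into it.` The provenance link is plain http with no recorded hash of the upstream change, so comparing the four added lines with the referenced upstream revision before merging is advisable.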
@@ -10,17 +13,6 @@
 license="PSF"
 distfiles="http://www.python.org/ftp/python/$version/Python-$version.tar.xz"
 checksum=1fd68e81f8bf7386ff239b7faee9ba387129d2cf34eab13350bd8503a0bff6a1
-hostmakedepends="pkg-config"
-makedepends="libffi-devel readline-devel gdbm-devel openssl-devel
- expat-devel sqlite-devel bzip2-devel zlib-devel"
-pycompile_dirs="usr/lib/python2.7"
-
-configure_args="
- --with-threads --enable-ipv6 --with-signal-module --enable-shared
- --with-system-ffi --enable-unicode=ucs4 --with-system-expat
- --with-wctype-functions ac_cv_file__dev_ptc=no ac_cv_file__dev_ptmx=yes
- ac_cv_have_long_long_format=yes"
-
 pre_configure() {
 # Ensure that internal copies of expat, libffi and zlib are not used.
 rm -r Modules/expat
@@ -29,16 +21,21 @@ pre_configure() {
 }
 do_configure() {
- unset CC LD AR AS RANLIB
+ unset CC CXX LD AR AS RANLIB
 if [ "$CROSS_BUILD" ]; then
- CFLAGS=-Os LDFLAGS= ./configure
- make python
+ CFLAGS=-Os CXXFLAGS= LDFLAGS= ./configure
+ make ${makejobs} python
 mkdir hostpython
 mv python hostpython
 make distclean
 patch -Np0 -i ${FILESDIR}/Python-${version}-xcompile.patch
 fi
- ./configure --build=${XBPS_MACHINE}-unknown-linux-gnu ${configure_args}
+ ./configure ${configure_args} --build=${XBPS_MACHINE}-unknown-linux-gnu \
+ --with-threads --enable-ipv6 --with-signal-module \
+ --with-system-ffi --enable-unicode=ucs4 --with-system-expat \
+ --with-wctype-functions --enable-shared \
+ ac_cv_file__dev_ptc=no ac_cv_file__dev_ptmx=yes \
+ ac_cv_have_long_long_format=yes
 }
 do_build() {
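Review bot: In the `@@ -29,16 +21,21 @@` hunk, `./configure ${configure_args} --build=...` still expands `configure_args`, although the `@@ -10,17 +13,6 @@` hunk of this same commit deletes the template's own `configure_args="..."` assignment. What reaches configure through that variable now depends on whatever the build framework sets, which is not visible in this diff; a comment above the call would make that explicit, for example `# configure_args comes from the build framework (presumably xbps-src); package flags follow.` The `unset CXX`, `CXXFLAGS=`, `${makejobs}` and flag-inlining changes are also unrelated to the SA56624 fix yet share its commit and revision bump, which makes the security change harder to audit or backport on its own, so splitting them into a separate commit would help.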