diff options
Diffstat (limited to 'gnu')
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/patches/python-3.9-CVE-2021-3177.patch | 194 | ||||
-rw-r--r-- | gnu/packages/python.scm | 6 |
3 files changed, 3 insertions, 198 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 8d46cda639..8d1465158a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1526,7 +1526,6 @@ dist_patch_DATA = \ %D%/packages/patches/python-3.8-fix-tests.patch \ %D%/packages/patches/python-3.8-CVE-2021-3177.patch \ %D%/packages/patches/python-3.9-fix-tests.patch \ - %D%/packages/patches/python-3.9-CVE-2021-3177.patch \ %D%/packages/patches/python-CVE-2018-14647.patch \ %D%/packages/patches/python-CVE-2020-26116.patch \ %D%/packages/patches/python-aionotify-0.2.0-py3.8.patch \ diff --git a/gnu/packages/patches/python-3.9-CVE-2021-3177.patch b/gnu/packages/patches/python-3.9-CVE-2021-3177.patch deleted file mode 100644 index 155f17deca..0000000000 --- a/gnu/packages/patches/python-3.9-CVE-2021-3177.patch +++ /dev/null @@ -1,194 +0,0 @@ -Fix CVE-2021-3177 for Python 3.9: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177 - -Patch copied from upstream source repository: - -https://github.com/python/cpython/commit/c347cbe694743cee120457aa6626712f7799a932 - -From c347cbe694743cee120457aa6626712f7799a932 Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Mon, 18 Jan 2021 13:29:31 -0800 -Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode - formatting in ctypes param reprs. (GH-24247) - -(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7) - -Co-authored-by: Benjamin Peterson <benjamin@python.org> - -Co-authored-by: Benjamin Peterson <benjamin@python.org> ---- - Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++ - .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 + - Modules/_ctypes/callproc.c | 51 +++++++------------ - 3 files changed, 64 insertions(+), 32 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst - -diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py -index e4c25fd880cef..531894fdec838 100644 ---- a/Lib/ctypes/test/test_parameters.py -+++ b/Lib/ctypes/test/test_parameters.py -@@ -201,6 +201,49 @@ def __dict__(self): - with self.assertRaises(ZeroDivisionError): - WorseStruct().__setstate__({}, b'foo') - -+ def test_parameter_repr(self): -+ from ctypes import ( -+ c_bool, -+ c_char, -+ c_wchar, -+ c_byte, -+ c_ubyte, -+ c_short, -+ c_ushort, -+ c_int, -+ c_uint, -+ c_long, -+ c_ulong, -+ c_longlong, -+ c_ulonglong, -+ c_float, -+ c_double, -+ c_longdouble, -+ c_char_p, -+ c_wchar_p, -+ c_void_p, -+ ) -+ self.assertRegex(repr(c_bool.from_param(True)), r"^<cparam '\?' at 0x[A-Fa-f0-9]+>$") -+ self.assertEqual(repr(c_char.from_param(97)), "<cparam 'c' ('a')>") -+ self.assertRegex(repr(c_wchar.from_param('a')), r"^<cparam 'u' at 0x[A-Fa-f0-9]+>$") -+ self.assertEqual(repr(c_byte.from_param(98)), "<cparam 'b' (98)>") -+ self.assertEqual(repr(c_ubyte.from_param(98)), "<cparam 'B' (98)>") -+ self.assertEqual(repr(c_short.from_param(511)), "<cparam 'h' (511)>") -+ self.assertEqual(repr(c_ushort.from_param(511)), "<cparam 'H' (511)>") -+ self.assertRegex(repr(c_int.from_param(20000)), r"^<cparam '[li]' \(20000\)>$") -+ self.assertRegex(repr(c_uint.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$") -+ self.assertRegex(repr(c_long.from_param(20000)), r"^<cparam '[li]' \(20000\)>$") -+ self.assertRegex(repr(c_ulong.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$") -+ self.assertRegex(repr(c_longlong.from_param(20000)), r"^<cparam '[liq]' \(20000\)>$") -+ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^<cparam '[LIQ]' \(20000\)>$") -+ self.assertEqual(repr(c_float.from_param(1.5)), "<cparam 'f' (1.5)>") -+ self.assertEqual(repr(c_double.from_param(1.5)), "<cparam 'd' (1.5)>") -+ self.assertEqual(repr(c_double.from_param(1e300)), "<cparam 'd' (1e+300)>") -+ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^<cparam ('d' \(1.5\)|'g' at 0x[A-Fa-f0-9]+)>$") -+ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$") -+ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^<cparam 'Z' \(0x[A-Fa-f0-9]+\)>$") -+ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^<cparam 'P' \(0x0*12\)>$") -+ - ################################################################ - - if __name__ == '__main__': -diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst -new file mode 100644 -index 0000000000000..7df65a156feab ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst -@@ -0,0 +1,2 @@ -+Avoid static buffers when computing the repr of :class:`ctypes.c_double` and -+:class:`ctypes.c_longdouble` values. -diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c -index b0a36a30248f7..f2506de54498e 100644 ---- a/Modules/_ctypes/callproc.c -+++ b/Modules/_ctypes/callproc.c -@@ -489,58 +489,47 @@ is_literal_char(unsigned char c) - static PyObject * - PyCArg_repr(PyCArgObject *self) - { -- char buffer[256]; - switch(self->tag) { - case 'b': - case 'B': -- sprintf(buffer, "<cparam '%c' (%d)>", -+ return PyUnicode_FromFormat("<cparam '%c' (%d)>", - self->tag, self->value.b); -- break; - case 'h': - case 'H': -- sprintf(buffer, "<cparam '%c' (%d)>", -+ return PyUnicode_FromFormat("<cparam '%c' (%d)>", - self->tag, self->value.h); -- break; - case 'i': - case 'I': -- sprintf(buffer, "<cparam '%c' (%d)>", -+ return PyUnicode_FromFormat("<cparam '%c' (%d)>", - self->tag, self->value.i); -- break; - case 'l': - case 'L': -- sprintf(buffer, "<cparam '%c' (%ld)>", -+ return PyUnicode_FromFormat("<cparam '%c' (%ld)>", - self->tag, self->value.l); -- break; - - case 'q': - case 'Q': -- sprintf(buffer, --#ifdef MS_WIN32 -- "<cparam '%c' (%I64d)>", --#else -- "<cparam '%c' (%lld)>", --#endif -+ return PyUnicode_FromFormat("<cparam '%c' (%lld)>", - self->tag, self->value.q); -- break; - case 'd': -- sprintf(buffer, "<cparam '%c' (%f)>", -- self->tag, self->value.d); -- break; -- case 'f': -- sprintf(buffer, "<cparam '%c' (%f)>", -- self->tag, self->value.f); -- break; -- -+ case 'f': { -+ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d); -+ if (f == NULL) { -+ return NULL; -+ } -+ PyObject *result = PyUnicode_FromFormat("<cparam '%c' (%R)>", self->tag, f); -+ Py_DECREF(f); -+ return result; -+ } - case 'c': - if (is_literal_char((unsigned char)self->value.c)) { -- sprintf(buffer, "<cparam '%c' ('%c')>", -+ return PyUnicode_FromFormat("<cparam '%c' ('%c')>", - self->tag, self->value.c); - } - else { -- sprintf(buffer, "<cparam '%c' ('\\x%02x')>", -+ return PyUnicode_FromFormat("<cparam '%c' ('\\x%02x')>", - self->tag, (unsigned char)self->value.c); - } -- break; - - /* Hm, are these 'z' and 'Z' codes useful at all? - Shouldn't they be replaced by the functionality of c_string -@@ -549,22 +538,20 @@ PyCArg_repr(PyCArgObject *self) - case 'z': - case 'Z': - case 'P': -- sprintf(buffer, "<cparam '%c' (%p)>", -+ return PyUnicode_FromFormat("<cparam '%c' (%p)>", - self->tag, self->value.p); - break; - - default: - if (is_literal_char((unsigned char)self->tag)) { -- sprintf(buffer, "<cparam '%c' at %p>", -+ return PyUnicode_FromFormat("<cparam '%c' at %p>", - (unsigned char)self->tag, (void *)self); - } - else { -- sprintf(buffer, "<cparam 0x%02x at %p>", -+ return PyUnicode_FromFormat("<cparam 0x%02x at %p>", - (unsigned char)self->tag, (void *)self); - } -- break; - } -- return PyUnicode_FromString(buffer); - } - - static PyMemberDef PyCArgType_members[] = { diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index 5c5be0d78c..9d97050c66 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm @@ -59,6 +59,7 @@ ;;; Copyright © 2018 Vagrant Cascadian <vagrant@debian.org> ;;; Copyright © 2019 Tanguy Le Carrour <tanguy@bioneland.org> ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org> +;;; Copyright © 2021 Greg Hogan <code@greghogan.com> ;;; ;;; This file is part of GNU Guix. ;;; @@ -533,19 +534,18 @@ data types.") (define-public python-3.9 (package (inherit python-3.8) (name "python-next") - (version "3.9.1") + (version "3.9.2") (source (origin (method url-fetch) (uri (string-append "https://www.python.org/ftp/python/" version "/Python-" version ".tar.xz")) (patches (search-patches "python-3.9-fix-tests.patch" - "python-3.9-CVE-2021-3177.patch" "python-3-deterministic-build-info.patch" "python-3-search-paths.patch")) (sha256 (base32 - "1zq3k4ymify5ig739zyvx9s2ainvchxb1zpy139z74krr653y74r")) + "0z94vv5qhlwvcgc4sy9sdiqs0220s84wx3b62vslh5419z2k881w")) (modules '((guix build utils))) (snippet '(begin |