* [PATCH] python3: fix CVE-2021-3177
@ 2021-02-26 13:58 Minjae Kim
2021-03-01 14:21 ` [OE-core][dunfell] " Martin Jansa
0 siblings, 1 reply; 2+ messages in thread
From: Minjae Kim @ 2021-02-26 13:58 UTC (permalink / raw)
To: openembedded-core; +Cc: Minjae Kim
Replace snprintf with Python unicode formatting in ctypes param reprs
Upstream-Status: Backport [https://github.com/python/cpython/commit/916610ef90a0d0761f08747f7b0905541f0977c7]
CVE: CVE-2021-3177
Signed-off-by: Minjae Kim <flowergom@gmail.com>
---
.../python/python3/CVE-2021-3177.patch | 183 ++++++++++++++++++
meta/recipes-devtools/python/python3_3.8.2.bb | 1 +
2 files changed, 184 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3/CVE-2021-3177.patch
diff --git a/meta/recipes-devtools/python/python3/CVE-2021-3177.patch b/meta/recipes-devtools/python/python3/CVE-2021-3177.patch
new file mode 100644
index 0000000000..b2d22a074d
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2021-3177.patch
@@ -0,0 +1,183 @@
+From 916610ef90a0d0761f08747f7b0905541f0977c7 Mon Sep 17 00:00:00 2001
+From: Benjamin Peterson <benjamin@python.org>
+Date: Mon, 18 Jan 2021 14:47:05 -0600
+Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode
+ formatting in ctypes param reprs. (24239)
+
+Upstream-Status: Backport [https://github.com/python/cpython/commit/916610ef90a0d0761f08747f7b0905541f0977c7]
+CVE: CVE-2021-3177
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++
+ .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 +
+ Modules/_ctypes/callproc.c | 51 +++++++------------
+ 3 files changed, 64 insertions(+), 32 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
+
+diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py
+index e4c25fd880cef..531894fdec838 100644
+--- a/Lib/ctypes/test/test_parameters.py
++++ b/Lib/ctypes/test/test_parameters.py
+@@ -201,6 +201,49 @@ def __dict__(self):
+ with self.assertRaises(ZeroDivisionError):
+ WorseStruct().__setstate__({}, b'foo')
+
++ def test_parameter_repr(self):
++ from ctypes import (
++ c_bool,
++ c_char,
++ c_wchar,
++ c_byte,
++ c_ubyte,
++ c_short,
++ c_ushort,
++ c_int,
++ c_uint,
++ c_long,
++ c_ulong,
++ c_longlong,
++ c_ulonglong,
++ c_float,
++ c_double,
++ c_longdouble,
++ c_char_p,
++ c_wchar_p,
++ c_void_p,
++ )
++ self.assertRegex(repr(c_bool.from_param(True)), r"^<cparam '\?' at 0x[A-Fa-f0-9]+>$")
++ self.assertEqual(repr(c_char.from_param(97)), "<cparam 'c' ('a')>")
++ self.assertRegex(repr(c_wchar.from_param('a')), r"^<cparam 'u' at 0x[A-Fa-f0-9]+>$")
++ self.assertEqual(repr(c_byte.from_param(98)), "<cparam 'b' (98)>")
++ self.assertEqual(repr(c_ubyte.from_param(98)), "<cparam 'B' (98)>")
++ self.assertEqual(repr(c_short.from_param(511)), "<cparam 'h' (511)>")
++ self.assertEqual(repr(c_ushort.from_param(511)), "<cparam 'H' (511)>")
++ self.assertRegex(repr(c_int.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
++ self.assertRegex(repr(c_uint.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
++ self.assertRegex(repr(c_long.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
++ self.assertRegex(repr(c_ulong.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
++ self.assertRegex(repr(c_longlong.from_param(20000)), r"^<cparam '[liq]' \(20000\)>$")
++ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^<cparam '[LIQ]' \(20000\)>$")
++ self.assertEqual(repr(c_float.from_param(1.5)), "<cparam 'f' (1.5)>")
++ self.assertEqual(repr(c_double.from_param(1.5)), "<cparam 'd' (1.5)>")
++ self.assertEqual(repr(c_double.from_param(1e300)), "<cparam 'd' (1e+300)>")
++ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^<cparam ('d' \(1.5\)|'g' at 0x[A-Fa-f0-9]+)>$")
++ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$")
++ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^<cparam 'Z' \(0x[A-Fa-f0-9]+\)>$")
++ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^<cparam 'P' \(0x0*12\)>$")
++
+ ################################################################
+
+ if __name__ == '__main__':
+diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
+new file mode 100644
+index 0000000000000..7df65a156feab
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
+@@ -0,0 +1,2 @@
++Avoid static buffers when computing the repr of :class:`ctypes.c_double` and
++:class:`ctypes.c_longdouble` values.
+diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c
+index 40a05a44edd4c..56ccc2f1e0b5d 100644
+--- a/Modules/_ctypes/callproc.c
++++ b/Modules/_ctypes/callproc.c
+@@ -487,58 +487,47 @@ is_literal_char(unsigned char c)
+ static PyObject *
+ PyCArg_repr(PyCArgObject *self)
+ {
+- char buffer[256];
+ switch(self->tag) {
+ case 'b':
+ case 'B':
+- sprintf(buffer, "<cparam '%c' (%d)>",
++ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
+ self->tag, self->value.b);
+- break;
+ case 'h':
+ case 'H':
+- sprintf(buffer, "<cparam '%c' (%d)>",
++ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
+ self->tag, self->value.h);
+- break;
+ case 'i':
+ case 'I':
+- sprintf(buffer, "<cparam '%c' (%d)>",
++ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
+ self->tag, self->value.i);
+- break;
+ case 'l':
+ case 'L':
+- sprintf(buffer, "<cparam '%c' (%ld)>",
++ return PyUnicode_FromFormat("<cparam '%c' (%ld)>",
+ self->tag, self->value.l);
+- break;
+
+ case 'q':
+ case 'Q':
+- sprintf(buffer,
+-#ifdef MS_WIN32
+- "<cparam '%c' (%I64d)>",
+-#else
+- "<cparam '%c' (%lld)>",
+-#endif
++ return PyUnicode_FromFormat("<cparam '%c' (%lld)>",
+ self->tag, self->value.q);
+- break;
+ case 'd':
+- sprintf(buffer, "<cparam '%c' (%f)>",
+- self->tag, self->value.d);
+- break;
+- case 'f':
+- sprintf(buffer, "<cparam '%c' (%f)>",
+- self->tag, self->value.f);
+- break;
+-
++ case 'f': {
++ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d);
++ if (f == NULL) {
++ return NULL;
++ }
++ PyObject *result = PyUnicode_FromFormat("<cparam '%c' (%R)>", self->tag, f);
++ Py_DECREF(f);
++ return result;
++ }
+ case 'c':
+ if (is_literal_char((unsigned char)self->value.c)) {
+- sprintf(buffer, "<cparam '%c' ('%c')>",
++ return PyUnicode_FromFormat("<cparam '%c' ('%c')>",
+ self->tag, self->value.c);
+ }
+ else {
+- sprintf(buffer, "<cparam '%c' ('\\x%02x')>",
++ return PyUnicode_FromFormat("<cparam '%c' ('\\x%02x')>",
+ self->tag, (unsigned char)self->value.c);
+ }
+- break;
+
+ /* Hm, are these 'z' and 'Z' codes useful at all?
+ Shouldn't they be replaced by the functionality of c_string
+@@ -547,22 +536,20 @@ PyCArg_repr(PyCArgObject *self)
+ case 'z':
+ case 'Z':
+ case 'P':
+- sprintf(buffer, "<cparam '%c' (%p)>",
++ return PyUnicode_FromFormat("<cparam '%c' (%p)>",
+ self->tag, self->value.p);
+ break;
+
+ default:
+ if (is_literal_char((unsigned char)self->tag)) {
+- sprintf(buffer, "<cparam '%c' at %p>",
++ return PyUnicode_FromFormat("<cparam '%c' at %p>",
+ (unsigned char)self->tag, (void *)self);
+ }
+ else {
+- sprintf(buffer, "<cparam 0x%02x at %p>",
++ return PyUnicode_FromFormat("<cparam 0x%02x at %p>",
+ (unsigned char)self->tag, (void *)self);
+ }
+- break;
+ }
+- return PyUnicode_FromString(buffer);
+ }
+
+ static PyMemberDef PyCArgType_members[] = {
diff --git a/meta/recipes-devtools/python/python3_3.8.2.bb b/meta/recipes-devtools/python/python3_3.8.2.bb
index a448b3ed97..646e271014 100644
--- a/meta/recipes-devtools/python/python3_3.8.2.bb
+++ b/meta/recipes-devtools/python/python3_3.8.2.bb
@@ -37,6 +37,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://CVE-2020-14422.patch \
file://CVE-2020-26116.patch \
file://CVE-2020-27619.patch \
+ file://CVE-2021-3177.patch \
"
SRC_URI_append_class-native = " \
--
2.24.3 (Apple Git-128)
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [OE-core][dunfell] [PATCH] python3: fix CVE-2021-3177
2021-02-26 13:58 [PATCH] python3: fix CVE-2021-3177 Minjae Kim
@ 2021-03-01 14:21 ` Martin Jansa
0 siblings, 0 replies; 2+ messages in thread
From: Martin Jansa @ 2021-03-01 14:21 UTC (permalink / raw)
To: Minjae Kim, Steve Sakoman; +Cc: Patches and discussions about the oe-core layer
[-- Attachment #1: Type: text/plain, Size: 10315 bytes --]
This fix is already applied in gatesgarth as:
https://git.openembedded.org/openembedded-core/commit/?id=25d1cae49e56797c4c9e91c01697c4de02dee046
and master python 3.9.2 doesn't need it, it was added as:
https://git.openembedded.org/openembedded-core/commit/?id=2ed4f61e9d694fef8ff72b8eeb2163634e96c3bb
then dropped with upgrade to 3.9.2
https://git.openembedded.org/openembedded-core/commit/meta/recipes-devtools/python?id=fafb8a88cd0365ff4327a1d6062d9f48b2927910
Steve: please cherry-pick 25d1cae49e56797c4c9e91c01697c4de02dee046 instead.
Added [dunfell] to subject to make it a bit more clear where this belongs.
On Fri, Feb 26, 2021 at 2:58 PM Minjae Kim <flowergom@gmail.com> wrote:
> Replace snprintf with Python unicode formatting in ctypes param reprs
>
> Upstream-Status: Backport [
> https://github.com/python/cpython/commit/916610ef90a0d0761f08747f7b0905541f0977c7
> ]
> CVE: CVE-2021-3177
> Signed-off-by: Minjae Kim <flowergom@gmail.com>
> ---
> .../python/python3/CVE-2021-3177.patch | 183 ++++++++++++++++++
> meta/recipes-devtools/python/python3_3.8.2.bb | 1 +
> 2 files changed, 184 insertions(+)
> create mode 100644
> meta/recipes-devtools/python/python3/CVE-2021-3177.patch
>
> diff --git a/meta/recipes-devtools/python/python3/CVE-2021-3177.patch
> b/meta/recipes-devtools/python/python3/CVE-2021-3177.patch
> new file mode 100644
> index 0000000000..b2d22a074d
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python3/CVE-2021-3177.patch
> @@ -0,0 +1,183 @@
> +From 916610ef90a0d0761f08747f7b0905541f0977c7 Mon Sep 17 00:00:00 2001
> +From: Benjamin Peterson <benjamin@python.org>
> +Date: Mon, 18 Jan 2021 14:47:05 -0600
> +Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode
> + formatting in ctypes param reprs. (24239)
> +
> +Upstream-Status: Backport [
> https://github.com/python/cpython/commit/916610ef90a0d0761f08747f7b0905541f0977c7
> ]
> +CVE: CVE-2021-3177
> +Signed-off-by: Minjae Kim <flowergom@gmail.com>
> +---
> + Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++
> + .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 +
> + Modules/_ctypes/callproc.c | 51 +++++++------------
> + 3 files changed, 64 insertions(+), 32 deletions(-)
> + create mode 100644
> Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
> +
> +diff --git a/Lib/ctypes/test/test_parameters.py
> b/Lib/ctypes/test/test_parameters.py
> +index e4c25fd880cef..531894fdec838 100644
> +--- a/Lib/ctypes/test/test_parameters.py
> ++++ b/Lib/ctypes/test/test_parameters.py
> +@@ -201,6 +201,49 @@ def __dict__(self):
> + with self.assertRaises(ZeroDivisionError):
> + WorseStruct().__setstate__({}, b'foo')
> +
> ++ def test_parameter_repr(self):
> ++ from ctypes import (
> ++ c_bool,
> ++ c_char,
> ++ c_wchar,
> ++ c_byte,
> ++ c_ubyte,
> ++ c_short,
> ++ c_ushort,
> ++ c_int,
> ++ c_uint,
> ++ c_long,
> ++ c_ulong,
> ++ c_longlong,
> ++ c_ulonglong,
> ++ c_float,
> ++ c_double,
> ++ c_longdouble,
> ++ c_char_p,
> ++ c_wchar_p,
> ++ c_void_p,
> ++ )
> ++ self.assertRegex(repr(c_bool.from_param(True)), r"^<cparam '\?'
> at 0x[A-Fa-f0-9]+>$")
> ++ self.assertEqual(repr(c_char.from_param(97)), "<cparam 'c'
> ('a')>")
> ++ self.assertRegex(repr(c_wchar.from_param('a')), r"^<cparam 'u'
> at 0x[A-Fa-f0-9]+>$")
> ++ self.assertEqual(repr(c_byte.from_param(98)), "<cparam 'b'
> (98)>")
> ++ self.assertEqual(repr(c_ubyte.from_param(98)), "<cparam 'B'
> (98)>")
> ++ self.assertEqual(repr(c_short.from_param(511)), "<cparam 'h'
> (511)>")
> ++ self.assertEqual(repr(c_ushort.from_param(511)), "<cparam 'H'
> (511)>")
> ++ self.assertRegex(repr(c_int.from_param(20000)), r"^<cparam
> '[li]' \(20000\)>$")
> ++ self.assertRegex(repr(c_uint.from_param(20000)), r"^<cparam
> '[LI]' \(20000\)>$")
> ++ self.assertRegex(repr(c_long.from_param(20000)), r"^<cparam
> '[li]' \(20000\)>$")
> ++ self.assertRegex(repr(c_ulong.from_param(20000)), r"^<cparam
> '[LI]' \(20000\)>$")
> ++ self.assertRegex(repr(c_longlong.from_param(20000)), r"^<cparam
> '[liq]' \(20000\)>$")
> ++ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^<cparam
> '[LIQ]' \(20000\)>$")
> ++ self.assertEqual(repr(c_float.from_param(1.5)), "<cparam 'f'
> (1.5)>")
> ++ self.assertEqual(repr(c_double.from_param(1.5)), "<cparam 'd'
> (1.5)>")
> ++ self.assertEqual(repr(c_double.from_param(1e300)), "<cparam 'd'
> (1e+300)>")
> ++ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^<cparam
> ('d' \(1.5\)|'g' at 0x[A-Fa-f0-9]+)>$")
> ++ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^<cparam
> 'z' \(0x[A-Fa-f0-9]+\)>$")
> ++ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^<cparam
> 'Z' \(0x[A-Fa-f0-9]+\)>$")
> ++ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^<cparam 'P'
> \(0x0*12\)>$")
> ++
> + ################################################################
> +
> + if __name__ == '__main__':
> +diff --git
> a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
> b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
> +new file mode 100644
> +index 0000000000000..7df65a156feab
> +--- /dev/null
> ++++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
> +@@ -0,0 +1,2 @@
> ++Avoid static buffers when computing the repr of :class:`ctypes.c_double`
> and
> ++:class:`ctypes.c_longdouble` values.
> +diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c
> +index 40a05a44edd4c..56ccc2f1e0b5d 100644
> +--- a/Modules/_ctypes/callproc.c
> ++++ b/Modules/_ctypes/callproc.c
> +@@ -487,58 +487,47 @@ is_literal_char(unsigned char c)
> + static PyObject *
> + PyCArg_repr(PyCArgObject *self)
> + {
> +- char buffer[256];
> + switch(self->tag) {
> + case 'b':
> + case 'B':
> +- sprintf(buffer, "<cparam '%c' (%d)>",
> ++ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
> + self->tag, self->value.b);
> +- break;
> + case 'h':
> + case 'H':
> +- sprintf(buffer, "<cparam '%c' (%d)>",
> ++ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
> + self->tag, self->value.h);
> +- break;
> + case 'i':
> + case 'I':
> +- sprintf(buffer, "<cparam '%c' (%d)>",
> ++ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
> + self->tag, self->value.i);
> +- break;
> + case 'l':
> + case 'L':
> +- sprintf(buffer, "<cparam '%c' (%ld)>",
> ++ return PyUnicode_FromFormat("<cparam '%c' (%ld)>",
> + self->tag, self->value.l);
> +- break;
> +
> + case 'q':
> + case 'Q':
> +- sprintf(buffer,
> +-#ifdef MS_WIN32
> +- "<cparam '%c' (%I64d)>",
> +-#else
> +- "<cparam '%c' (%lld)>",
> +-#endif
> ++ return PyUnicode_FromFormat("<cparam '%c' (%lld)>",
> + self->tag, self->value.q);
> +- break;
> + case 'd':
> +- sprintf(buffer, "<cparam '%c' (%f)>",
> +- self->tag, self->value.d);
> +- break;
> +- case 'f':
> +- sprintf(buffer, "<cparam '%c' (%f)>",
> +- self->tag, self->value.f);
> +- break;
> +-
> ++ case 'f': {
> ++ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ?
> self->value.f : self->value.d);
> ++ if (f == NULL) {
> ++ return NULL;
> ++ }
> ++ PyObject *result = PyUnicode_FromFormat("<cparam '%c' (%R)>",
> self->tag, f);
> ++ Py_DECREF(f);
> ++ return result;
> ++ }
> + case 'c':
> + if (is_literal_char((unsigned char)self->value.c)) {
> +- sprintf(buffer, "<cparam '%c' ('%c')>",
> ++ return PyUnicode_FromFormat("<cparam '%c' ('%c')>",
> + self->tag, self->value.c);
> + }
> + else {
> +- sprintf(buffer, "<cparam '%c' ('\\x%02x')>",
> ++ return PyUnicode_FromFormat("<cparam '%c' ('\\x%02x')>",
> + self->tag, (unsigned char)self->value.c);
> + }
> +- break;
> +
> + /* Hm, are these 'z' and 'Z' codes useful at all?
> + Shouldn't they be replaced by the functionality of c_string
> +@@ -547,22 +536,20 @@ PyCArg_repr(PyCArgObject *self)
> + case 'z':
> + case 'Z':
> + case 'P':
> +- sprintf(buffer, "<cparam '%c' (%p)>",
> ++ return PyUnicode_FromFormat("<cparam '%c' (%p)>",
> + self->tag, self->value.p);
> + break;
> +
> + default:
> + if (is_literal_char((unsigned char)self->tag)) {
> +- sprintf(buffer, "<cparam '%c' at %p>",
> ++ return PyUnicode_FromFormat("<cparam '%c' at %p>",
> + (unsigned char)self->tag, (void *)self);
> + }
> + else {
> +- sprintf(buffer, "<cparam 0x%02x at %p>",
> ++ return PyUnicode_FromFormat("<cparam 0x%02x at %p>",
> + (unsigned char)self->tag, (void *)self);
> + }
> +- break;
> + }
> +- return PyUnicode_FromString(buffer);
> + }
> +
> + static PyMemberDef PyCArgType_members[] = {
> diff --git a/meta/recipes-devtools/python/python3_3.8.2.bb
> b/meta/recipes-devtools/python/python3_3.8.2.bb
> index a448b3ed97..646e271014 100644
> --- a/meta/recipes-devtools/python/python3_3.8.2.bb
> +++ b/meta/recipes-devtools/python/python3_3.8.2.bb
> @@ -37,6 +37,7 @@ SRC_URI = "
> http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
> file://CVE-2020-14422.patch \
> file://CVE-2020-26116.patch \
> file://CVE-2020-27619.patch \
> + file://CVE-2021-3177.patch \
> "
>
> SRC_URI_append_class-native = " \
> --
> 2.24.3 (Apple Git-128)
>
>
>
>
>
[-- Attachment #2: Type: text/html, Size: 14401 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-03-01 14:21 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-26 13:58 [PATCH] python3: fix CVE-2021-3177 Minjae Kim
2021-03-01 14:21 ` [OE-core][dunfell] " Martin Jansa
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.