rpms/python/FC-6 python-2.5.CVE-2007-4965-int-overflow.patch, NONE, 1.1 python.spec, 1.92, 1.93
- From: fedora-cvs-commits redhat com
- To: fedora-cvs-commits redhat com
- Subject: rpms/python/FC-6 python-2.5.CVE-2007-4965-int-overflow.patch, NONE, 1.1 python.spec, 1.92, 1.93
- Date: Fri, 9 Nov 2007 13:39:41 -0500
Author: jantill
Update of /cvs/dist/rpms/python/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv10896
Modified Files:
python.spec
Added Files:
python-2.5.CVE-2007-4965-int-overflow.patch
Log Message:
* Fri Nov 9 2007 James Antill <james antill redhat com> - 2.4.4-2
- Import fix for CVE 2007-4965
- Resolves: 373281
python-2.5.CVE-2007-4965-int-overflow.patch:
_tkinter.c.tkinter |only
imageop.c | 70 ++++++++++++++++++++++++++++++++++++--------
imageop.c.cve2007-4965 |only
imageop.c~ |only
rgbimgmodule.c | 5 +++
rgbimgmodule.c.cve2007-4965 |only
6 files changed, 63 insertions(+), 12 deletions(-)
--- NEW FILE python-2.5.CVE-2007-4965-int-overflow.patch ---
diff -ru Python-2.5-orig/Modules/imageop.c Python-2.5/Modules/imageop.c
--- Python-2.5-orig/Modules/imageop.c 2006-01-19 01:09:39.000000000 -0500
+++ Python-2.5/Modules/imageop.c 2007-10-19 01:11:33.000000000 -0400
@@ -78,7 +78,7 @@
char *cp, *ncp;
short *nsp;
Py_Int32 *nlp;
- int len, size, x, y, newx1, newx2, newy1, newy2;
+ int len, size, x, y, newx1, newx2, newy1, newy2, nlen;
int ix, iy, xstep, ystep;
PyObject *rv;
@@ -90,13 +90,19 @@
PyErr_SetString(ImageopError, "Size should be 1, 2 or 4");
return 0;
}
- if ( len != size*x*y ) {
+ if (( len != size*x*y ) ||
+ ( size != ((len / x) / y) )) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
xstep = (newx1 < newx2)? 1 : -1;
ystep = (newy1 < newy2)? 1 : -1;
+ nlen = (abs(newx2-newx1)+1)*(abs(newy2-newy1)+1)*size;
+ if ( size != ((nlen / (abs(newx2-newx1)+1)) / (abs(newy2-newy1)+1)) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
rv = PyString_FromStringAndSize(NULL,
(abs(newx2-newx1)+1)*(abs(newy2-newy1)+1)*size);
if ( rv == 0 )
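Review bot: The added `size != ((len / x) / y)` test divides by caller-supplied dimensions that nothing has checked for zero: with an empty string and `x` or `y` equal to 0 the first comparison is false and the division runs, which is undefined behaviour and on common platforms kills the interpreter with SIGFPE. The same holds for `nlen / newx` in the `@@ -145,12 +151,18 @@` hunk, `len / maxy` in `@@ -190,7 +202,8 @@`, every `x != len / y` hunk, and every `x != (nlen / y)` hunk, where the division is not even guarded by a preceding comparison. Reject non-positive dimensions before any of these tests, e.g. `if ( x <= 0 || y <= 0 ) { PyErr_SetString(ImageopError, "Image dimensions must be positive"); return 0; }`. Separately, the allocation on the last lines of this hunk still recomputes the product instead of passing the checked `nlen`. The function body starts and ends outside the hunk, so `x` and `y` are assumed to come straight from argument parsing, as the `PyArg_ParseTuple` lines in later hunks show.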
@@ -132,7 +138,7 @@
char *cp, *ncp;
short *nsp;
Py_Int32 *nlp;
- int len, size, x, y, newx, newy;
+ int len, size, x, y, newx, newy, nlen;
int ix, iy;
int oix, oiy;
PyObject *rv;
@@ -145,12 +151,18 @@
PyErr_SetString(ImageopError, "Size should be 1, 2 or 4");
return 0;
}
- if ( len != size*x*y ) {
+ if ( ( len != size*x*y ) ||
+ ( size != ((len / x) / y) ) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
+ nlen = newx*newy*size;
+ if ( size != ((nlen / newx) / newy) ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
- rv = PyString_FromStringAndSize(NULL, newx*newy*size);
+ rv = PyString_FromStringAndSize(NULL, nlen);
if ( rv == 0 )
return 0;
ncp = (char *)PyString_AsString(rv);
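Review bot: `nlen = newx*newy*size` is evaluated in `int` before the new test looks at it, and signed overflow is undefined behaviour in C, so the multiply-then-divide pattern is not a dependable overflow check: an optimising compiler is entitled to assume the product did not overflow and simplify `size != ((nlen / newx) / newy)` away. Bounding the operands before multiplying avoids relying on wraparound, e.g. `if ( newx <= 0 || newy <= 0 || newx > INT_MAX / newy || newx*newy > INT_MAX / size )` followed by the existing error return. The same pattern is used for every check this patch adds to imageop.c, including the `len != size*x*y` test at the top of this hunk. The function continues outside the hunk.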
@@ -190,7 +202,8 @@
PyErr_SetString(ImageopError, "Size should be 1 or 4");
return 0;
}
- if ( maxx*maxy*width != len ) {
+ if ( ( maxx*maxy*width != len ) ||
+ ( maxx != ((len / maxy) / width) ) ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
@@ -240,7 +253,8 @@
if ( !PyArg_ParseTuple(args, "s#iii", &cp, &len, &x, &y, &tres) )
return 0;
- if ( x*y != len ) {
+ if ( ( x*y != len ) ||
+ ( x != len / y ) ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
@@ -281,7 +295,8 @@
if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
return 0;
- if ( x*y != len ) {
+ if ( ( x*y != len ) ||
+ ( x != len / y ) ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
@@ -320,7 +335,8 @@
if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
return 0;
- if ( x*y != len ) {
+ if ( ( x*y != len ) ||
+ ( x != len / y ) ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
@@ -358,7 +374,8 @@
if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
return 0;
- if ( x*y != len ) {
+ if ( ( x*y != len ) ||
+ ( x != len / y ) ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
@@ -404,7 +421,8 @@
if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
return 0;
- if ( x*y != len ) {
+ if ( ( x*y != len ) ||
+ ( x != len / y ) ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
@@ -443,7 +461,11 @@
if ( !PyArg_ParseTuple(args, "s#iiii", &cp, &len, &x, &y, &v0, &v1) )
return 0;
- nlen = x*y;
+ nlen = x*y;
+ if ( x != (nlen / y) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
if ( (nlen+7)/8 != len ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
@@ -481,6 +503,10 @@
return 0;
nlen = x*y;
+ if ( x != (nlen / y) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
if ( (nlen+3)/4 != len ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
@@ -517,6 +543,10 @@
return 0;
nlen = x*y;
+ if ( x != (nlen / y) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
if ( (nlen+1)/2 != len ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
@@ -554,6 +584,10 @@
return 0;
nlen = x*y;
+ if ( x != (nlen / y) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
if ( nlen*4 != len ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
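Review bot: The new guard covers only `x*y`; the context line `nlen*4 != len` right after it multiplies again with no bound, so for `nlen` above `INT_MAX / 4` the product can overflow and, where it wraps, compare equal to a much shorter `len` than the pixel count requires. Code after this hunk presumably walks the buffer by `nlen`, which would then read past the end of the input string. Add `if ( nlen > INT_MAX / 4 )` with the same error return before the comparison; the `@@ -648,6 +686,10 @@` hunk has the identical `nlen*4` test. The two `nlen != len` hunks (`@@ -598,6 +632,10 @@` and `@@ -693,6 +735,10 @@`) deserve the same look if the output size they allocate outside the hunk is a multiple of `nlen`.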
@@ -598,6 +632,10 @@
return 0;
nlen = x*y;
+ if ( x != (nlen / y) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
if ( nlen != len ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
@@ -648,6 +686,10 @@
return 0;
nlen = x*y;
+ if ( x != (nlen / y) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
if ( nlen*4 != len ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
@@ -693,6 +735,10 @@
return 0;
nlen = x*y;
+ if ( x != (nlen / y) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
if ( nlen != len ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
Only in Python-2.5/Modules: imageop.c~
Only in Python-2.5/Modules: imageop.c.cve2007-4965
diff -ru Python-2.5-orig/Modules/rgbimgmodule.c Python-2.5/Modules/rgbimgmodule.c
--- Python-2.5-orig/Modules/rgbimgmodule.c 2006-08-11 23:18:50.000000000 -0400
+++ Python-2.5/Modules/rgbimgmodule.c 2007-10-19 01:05:44.000000000 -0400
@@ -299,6 +299,11 @@
xsize = image.xsize;
ysize = image.ysize;
zsize = image.zsize;
+ tablen = xsize * ysize * zsize * sizeof(Py_Int32);
+ if (xsize != (((tablen / ysize) / zsize) / sizeof(Py_Int32))) {
+ PyErr_NoMemory();
+ goto finally;
+ }
if (rle) {
tablen = ysize * zsize * sizeof(Py_Int32);
starttab = (Py_Int32 *)malloc(tablen);
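Review bot: `xsize * ysize * zsize * sizeof(Py_Int32)` multiplies the three dimensions left to right in their own type and only widens at the final `sizeof` factor, so if they are plain `int` (their declarations are outside the hunk) the overflow this check is meant to catch is already undefined behaviour before `tablen` is assigned. The test also divides by `ysize` and `zsize`, which are copied from `image` a few lines earlier and are not checked for zero here; a header with a zero dimension would turn the new check into a division by zero. Validate first, e.g. `if (xsize <= 0 || ysize <= 0 || zsize <= 0 || xsize > INT_MAX / ysize / zsize / (int)sizeof(Py_Int32))`, then `PyErr_NoMemory(); goto finally;` as now. Note that `tablen` is reassigned in the `rle` branch immediately below, so the value computed here serves only as the check.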
Only in Python-2.5/Modules: rgbimgmodule.c.cve2007-4965
Only in Python-2.5/Modules: _tkinter.c.tkinter
Index: python.spec
===================================================================
RCS file: /cvs/dist/rpms/python/FC-6/python.spec,v
retrieving revision 1.92
retrieving revision 1.93
diff -u -r1.92 -r1.93
--- python.spec 30 Apr 2007 20:51:22 -0000 1.92
+++ python.spec 9 Nov 2007 18:39:39 -0000 1.93
@@ -20,7 +20,7 @@
Summary: An interpreted, interactive, object-oriented programming language.
Name: %{python}
Version: %{pybasever}.4
-Release: 1%{?dist}
+Release: 2%{?dist}
License: PSF - see LICENSE
Group: Development/Languages
Provides: python-abi = %{pybasever}
@@ -46,6 +46,7 @@
Patch18: python-2.4.3-cflags.patch
Patch19: python-2.4.3-locale.patch
Patch20: python-syslog-fail-noatexittb.patch
+Patch21: python-2.5.CVE-2007-4965-int-overflow.patch
%if %{main_python}
Obsoletes: Distutils
@@ -156,6 +157,7 @@
%patch18 -p1 -b .cflags
%patch19 -p2 -b .locale
%patch20 -p1 -b .logatexit
+%patch21 -p1 -b .CVE-2007-4965-int-overflow
# This shouldn't be necesarry, but is right now (2.2a3)
find -name "*~" |xargs rm -f
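Review bot: The patch applied by the new `%patch21` line was generated against a `Python-2.5` tree (see its `diff -ru Python-2.5-orig/...` headers), while this spec builds `%{pybasever}.4`, changelogged as 2.4.4. Most of its imageop.c hunks share nearly identical context (`PyErr_SetString(ImageopError, "String has incorrect length"); return 0;`), so if line positions differ between the two releases `patch` may apply a hunk at an offset and land a check in a neighbouring function without failing the build. It is worth confirming in the build log that every hunk applied without offset or fuzz, or rediffing against the 2.4.4 sources. A comment above the `%patch21` line such as `# CVE-2007-4965: diff taken from a 2.5 tree, verify hunk placement on rebase` would record that.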
@@ -401,6 +403,10 @@
%{_libdir}/python%{pybasever}/lib-dynload/_tkinter.so
%changelog
+* Fri Nov 9 2007 James Antill <james antill redhat com> - 2.4.4-2
+- Import fix for CVE 2007-4965
+- Resolves: 373281
+
* Mon Apr 30 2007 Jeremy Katz <katzj redhat com>
- fix atexit handler with syslog logging (#237886)