From: akuster808 <akuster808@gmail.com>
To: Tudor Florea <Tudor.Florea@enea.com>,
"openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>
Subject: Re: [dizzy] [PATCH] python: Backport CVE-2013-1752 fix from upstream
Date: Tue, 10 Nov 2015 17:32:40 -0800 [thread overview]
Message-ID: <56429AB8.2020800@gmail.com> (raw)
In-Reply-To: <26724FB0BFCB3D4C91BDE184751AA3A428CB1D4B@SESTOEX04.enea.se>
On 11/10/2015 04:57 PM, Tudor Florea wrote:
> There was not feedback on this.
> Under the same CVE there lay actually many python vulnerabilities that are still applicable for dizzy branch.
> Among those only poplib module is covered (python-2.7.3-CVE-2013-1752-poplib-fix.patch)
> This patch covers httplib modules and I have also a patch for the remaining modules.
> Should I (re)send the patch?
yes.
regards,
Armin
> Regards
> Tudor.
>
>
> -----Original Message-----
> From: Tudor Florea [mailto:tudor.florea@enea.com]
> Sent: Friday, July 03, 2015 5:25 AM
> To: openembedded-core@lists.openembedded.org
> Cc: Tudor Florea <Tudor.Florea@enea.com>
> Subject: [dizzy] [PATCH] python: Backport CVE-2013-1752 fix from upstream
>
> This back ported patch fixes CVE-2013-1752 for httplib
> References:
> http://bugs.python.org/issue16037
> https://access.redhat.com/security/cve/CVE-2013-1752
>
> The httplib module / package can read arbitrary amounts of data from its socket when it's parsing the HTTP header. This may lead to issues when a user connects to a broken HTTP server or something that isn't a HTTP at all
>
> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
> ---
> .../python-2.7.3-CVE-2013-1752-httplib-fix.patch | 45 ++++++++++++++++++++++
> meta/recipes-devtools/python/python_2.7.3.bb | 1 +
> 2 files changed, 46 insertions(+)
> create mode 100644 meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-httplib-fix.patch
>
> diff --git a/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-httplib-fix.patch b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-httplib-fix.patch
> new file mode 100644
> index 0000000..e68f53f
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-htt
> +++ plib-fix.patch
> @@ -0,0 +1,45 @@
> +Upstream-Status: Backport
> +
> +CVE-2013-1752: httplib: HTTPMessage.readheaders() raises an
> +HTTPException when more than 100 headers are read.
> +Patch by Jyrki Pulliainen and Daniel Eriksson.
> +
> +Signed-off-by: Tudor Florea <tudor.florea@enea.com>
> +---
> +diff -r 133ee2b48e52 Lib/httplib.py
> +--- a/Lib/httplib.py Fri Aug 01 23:51:51 2014 -0700
> ++++ b/Lib/httplib.py Sat Aug 02 13:59:25 2014 +0000
> +@@ -214,6 +214,7 @@
> +
> + # maximal line length when calling readline().
> + _MAXLINE = 65536
> ++_MAXHEADERS = 100
> +
> + class HTTPMessage(mimetools.Message):
> +
> +@@ -271,6 +272,8 @@
> + elif self.seekable:
> + tell = self.fp.tell
> + while True:
> ++ if len(hlist) > _MAXHEADERS:
> ++ raise HTTPException("got more than %d headers" %
> ++ _MAXHEADERS)
> + if tell:
> + try:
> + startofline = tell() diff -r 133ee2b48e52
> +Lib/test/test_httplib.py
> +--- a/Lib/test/test_httplib.py Fri Aug 01 23:51:51 2014 -0700
> ++++ b/Lib/test/test_httplib.py Sat Aug 02 13:59:25 2014 +0000
> +@@ -262,6 +262,13 @@
> + if resp.read() != "":
> + self.fail("Did not expect response from HEAD request")
> +
> ++ def test_too_many_headers(self):
> ++ headers = '\r\n'.join('Header%d: foo' % i for i in xrange(200)) + '\r\n'
> ++ text = ('HTTP/1.1 200 OK\r\n' + headers)
> ++ s = FakeSocket(text)
> ++ r = httplib.HTTPResponse(s)
> ++ self.assertRaises(httplib.HTTPException, r.begin)
> ++
> + def test_send_file(self):
> + expected = 'GET /foo HTTP/1.1\r\nHost: example.com\r\n' \
> + 'Accept-Encoding: identity\r\nContent-Length:'
> diff --git a/meta/recipes-devtools/python/python_2.7.3.bb b/meta/recipes-devtools/python/python_2.7.3.bb
> index cbe8d7f..d603587 100644
> --- a/meta/recipes-devtools/python/python_2.7.3.bb
> +++ b/meta/recipes-devtools/python/python_2.7.3.bb
> @@ -40,6 +40,7 @@ SRC_URI += "\
> file://posix_close.patch \
> file://python-2.7.3-CVE-2014-7185.patch \
> file://python2.7.3-nossl3.patch \
> + file://python-2.7.3-CVE-2013-1752-httplib-fix.patch \
> "
>
> S = "${WORKDIR}/Python-${PV}"
> --
> 1.9.1
>
prev parent reply other threads:[~2015-11-11 1:32 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-03 2:25 [dizzy] [PATCH] python: Backport CVE-2013-1752 fix from upstream Tudor Florea
2015-11-11 0:57 ` Tudor Florea
2015-11-11 1:32 ` akuster808 [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56429AB8.2020800@gmail.com \
--to=akuster808@gmail.com \
--cc=Tudor.Florea@enea.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.