* [dizzy] [PATCH] python: Backport CVE-2013-1752 fix from upstream
@ 2015-07-03 2:25 Tudor Florea
2015-11-11 0:57 ` Tudor Florea
0 siblings, 1 reply; 3+ messages in thread
From: Tudor Florea @ 2015-07-03 2:25 UTC (permalink / raw)
To: openembedded-core
This back ported patch fixes CVE-2013-1752 for httplib
References:
http://bugs.python.org/issue16037
https://access.redhat.com/security/cve/CVE-2013-1752
The httplib module / package can read arbitrary amounts of data
from its socket when it's parsing the HTTP header. This may lead
to issues when a user connects to a broken HTTP server or
something that isn't a HTTP at all
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
---
.../python-2.7.3-CVE-2013-1752-httplib-fix.patch | 45 ++++++++++++++++++++++
meta/recipes-devtools/python/python_2.7.3.bb | 1 +
2 files changed, 46 insertions(+)
create mode 100644 meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-httplib-fix.patch
diff --git a/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-httplib-fix.patch b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-httplib-fix.patch
new file mode 100644
index 0000000..e68f53f
--- /dev/null
+++ b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-httplib-fix.patch
@@ -0,0 +1,45 @@
+Upstream-Status: Backport
+
+CVE-2013-1752: httplib: HTTPMessage.readheaders() raises an HTTPException
+when more than 100 headers are read.
+Patch by Jyrki Pulliainen and Daniel Eriksson.
+
+Signed-off-by: Tudor Florea <tudor.florea@enea.com>
+---
+diff -r 133ee2b48e52 Lib/httplib.py
+--- a/Lib/httplib.py Fri Aug 01 23:51:51 2014 -0700
++++ b/Lib/httplib.py Sat Aug 02 13:59:25 2014 +0000
+@@ -214,6 +214,7 @@
+
+ # maximal line length when calling readline().
+ _MAXLINE = 65536
++_MAXHEADERS = 100
+
+ class HTTPMessage(mimetools.Message):
+
+@@ -271,6 +272,8 @@
+ elif self.seekable:
+ tell = self.fp.tell
+ while True:
++ if len(hlist) > _MAXHEADERS:
++ raise HTTPException("got more than %d headers" % _MAXHEADERS)
+ if tell:
+ try:
+ startofline = tell()
+diff -r 133ee2b48e52 Lib/test/test_httplib.py
+--- a/Lib/test/test_httplib.py Fri Aug 01 23:51:51 2014 -0700
++++ b/Lib/test/test_httplib.py Sat Aug 02 13:59:25 2014 +0000
+@@ -262,6 +262,13 @@
+ if resp.read() != "":
+ self.fail("Did not expect response from HEAD request")
+
++ def test_too_many_headers(self):
++ headers = '\r\n'.join('Header%d: foo' % i for i in xrange(200)) + '\r\n'
++ text = ('HTTP/1.1 200 OK\r\n' + headers)
++ s = FakeSocket(text)
++ r = httplib.HTTPResponse(s)
++ self.assertRaises(httplib.HTTPException, r.begin)
++
+ def test_send_file(self):
+ expected = 'GET /foo HTTP/1.1\r\nHost: example.com\r\n' \
+ 'Accept-Encoding: identity\r\nContent-Length:'
diff --git a/meta/recipes-devtools/python/python_2.7.3.bb b/meta/recipes-devtools/python/python_2.7.3.bb
index cbe8d7f..d603587 100644
--- a/meta/recipes-devtools/python/python_2.7.3.bb
+++ b/meta/recipes-devtools/python/python_2.7.3.bb
@@ -40,6 +40,7 @@ SRC_URI += "\
file://posix_close.patch \
file://python-2.7.3-CVE-2014-7185.patch \
file://python2.7.3-nossl3.patch \
+ file://python-2.7.3-CVE-2013-1752-httplib-fix.patch \
"
S = "${WORKDIR}/Python-${PV}"
--
1.9.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [dizzy] [PATCH] python: Backport CVE-2013-1752 fix from upstream
2015-07-03 2:25 [dizzy] [PATCH] python: Backport CVE-2013-1752 fix from upstream Tudor Florea
@ 2015-11-11 0:57 ` Tudor Florea
2015-11-11 1:32 ` akuster808
0 siblings, 1 reply; 3+ messages in thread
From: Tudor Florea @ 2015-11-11 0:57 UTC (permalink / raw)
To: Tudor Florea, openembedded-core@lists.openembedded.org
There was not feedback on this.
Under the same CVE there lay actually many python vulnerabilities that are still applicable for dizzy branch.
Among those only poplib module is covered (python-2.7.3-CVE-2013-1752-poplib-fix.patch)
This patch covers httplib modules and I have also a patch for the remaining modules.
Should I (re)send the patch?
Regards
Tudor.
-----Original Message-----
From: Tudor Florea [mailto:tudor.florea@enea.com]
Sent: Friday, July 03, 2015 5:25 AM
To: openembedded-core@lists.openembedded.org
Cc: Tudor Florea <Tudor.Florea@enea.com>
Subject: [dizzy] [PATCH] python: Backport CVE-2013-1752 fix from upstream
This back ported patch fixes CVE-2013-1752 for httplib
References:
http://bugs.python.org/issue16037
https://access.redhat.com/security/cve/CVE-2013-1752
The httplib module / package can read arbitrary amounts of data from its socket when it's parsing the HTTP header. This may lead to issues when a user connects to a broken HTTP server or something that isn't a HTTP at all
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
---
.../python-2.7.3-CVE-2013-1752-httplib-fix.patch | 45 ++++++++++++++++++++++
meta/recipes-devtools/python/python_2.7.3.bb | 1 +
2 files changed, 46 insertions(+)
create mode 100644 meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-httplib-fix.patch
diff --git a/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-httplib-fix.patch b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-httplib-fix.patch
new file mode 100644
index 0000000..e68f53f
--- /dev/null
+++ b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-htt
+++ plib-fix.patch
@@ -0,0 +1,45 @@
+Upstream-Status: Backport
+
+CVE-2013-1752: httplib: HTTPMessage.readheaders() raises an
+HTTPException when more than 100 headers are read.
+Patch by Jyrki Pulliainen and Daniel Eriksson.
+
+Signed-off-by: Tudor Florea <tudor.florea@enea.com>
+---
+diff -r 133ee2b48e52 Lib/httplib.py
+--- a/Lib/httplib.py Fri Aug 01 23:51:51 2014 -0700
++++ b/Lib/httplib.py Sat Aug 02 13:59:25 2014 +0000
+@@ -214,6 +214,7 @@
+
+ # maximal line length when calling readline().
+ _MAXLINE = 65536
++_MAXHEADERS = 100
+
+ class HTTPMessage(mimetools.Message):
+
+@@ -271,6 +272,8 @@
+ elif self.seekable:
+ tell = self.fp.tell
+ while True:
++ if len(hlist) > _MAXHEADERS:
++ raise HTTPException("got more than %d headers" %
++ _MAXHEADERS)
+ if tell:
+ try:
+ startofline = tell() diff -r 133ee2b48e52
+Lib/test/test_httplib.py
+--- a/Lib/test/test_httplib.py Fri Aug 01 23:51:51 2014 -0700
++++ b/Lib/test/test_httplib.py Sat Aug 02 13:59:25 2014 +0000
+@@ -262,6 +262,13 @@
+ if resp.read() != "":
+ self.fail("Did not expect response from HEAD request")
+
++ def test_too_many_headers(self):
++ headers = '\r\n'.join('Header%d: foo' % i for i in xrange(200)) + '\r\n'
++ text = ('HTTP/1.1 200 OK\r\n' + headers)
++ s = FakeSocket(text)
++ r = httplib.HTTPResponse(s)
++ self.assertRaises(httplib.HTTPException, r.begin)
++
+ def test_send_file(self):
+ expected = 'GET /foo HTTP/1.1\r\nHost: example.com\r\n' \
+ 'Accept-Encoding: identity\r\nContent-Length:'
diff --git a/meta/recipes-devtools/python/python_2.7.3.bb b/meta/recipes-devtools/python/python_2.7.3.bb
index cbe8d7f..d603587 100644
--- a/meta/recipes-devtools/python/python_2.7.3.bb
+++ b/meta/recipes-devtools/python/python_2.7.3.bb
@@ -40,6 +40,7 @@ SRC_URI += "\
file://posix_close.patch \
file://python-2.7.3-CVE-2014-7185.patch \
file://python2.7.3-nossl3.patch \
+ file://python-2.7.3-CVE-2013-1752-httplib-fix.patch \
"
S = "${WORKDIR}/Python-${PV}"
--
1.9.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [dizzy] [PATCH] python: Backport CVE-2013-1752 fix from upstream
2015-11-11 0:57 ` Tudor Florea
@ 2015-11-11 1:32 ` akuster808
0 siblings, 0 replies; 3+ messages in thread
From: akuster808 @ 2015-11-11 1:32 UTC (permalink / raw)
To: Tudor Florea, openembedded-core@lists.openembedded.org
On 11/10/2015 04:57 PM, Tudor Florea wrote:
> There was not feedback on this.
> Under the same CVE there lay actually many python vulnerabilities that are still applicable for dizzy branch.
> Among those only poplib module is covered (python-2.7.3-CVE-2013-1752-poplib-fix.patch)
> This patch covers httplib modules and I have also a patch for the remaining modules.
> Should I (re)send the patch?
yes.
regards,
Armin
> Regards
> Tudor.
>
>
> -----Original Message-----
> From: Tudor Florea [mailto:tudor.florea@enea.com]
> Sent: Friday, July 03, 2015 5:25 AM
> To: openembedded-core@lists.openembedded.org
> Cc: Tudor Florea <Tudor.Florea@enea.com>
> Subject: [dizzy] [PATCH] python: Backport CVE-2013-1752 fix from upstream
>
> This back ported patch fixes CVE-2013-1752 for httplib
> References:
> http://bugs.python.org/issue16037
> https://access.redhat.com/security/cve/CVE-2013-1752
>
> The httplib module / package can read arbitrary amounts of data from its socket when it's parsing the HTTP header. This may lead to issues when a user connects to a broken HTTP server or something that isn't a HTTP at all
>
> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
> ---
> .../python-2.7.3-CVE-2013-1752-httplib-fix.patch | 45 ++++++++++++++++++++++
> meta/recipes-devtools/python/python_2.7.3.bb | 1 +
> 2 files changed, 46 insertions(+)
> create mode 100644 meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-httplib-fix.patch
>
> diff --git a/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-httplib-fix.patch b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-httplib-fix.patch
> new file mode 100644
> index 0000000..e68f53f
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-htt
> +++ plib-fix.patch
> @@ -0,0 +1,45 @@
> +Upstream-Status: Backport
> +
> +CVE-2013-1752: httplib: HTTPMessage.readheaders() raises an
> +HTTPException when more than 100 headers are read.
> +Patch by Jyrki Pulliainen and Daniel Eriksson.
> +
> +Signed-off-by: Tudor Florea <tudor.florea@enea.com>
> +---
> +diff -r 133ee2b48e52 Lib/httplib.py
> +--- a/Lib/httplib.py Fri Aug 01 23:51:51 2014 -0700
> ++++ b/Lib/httplib.py Sat Aug 02 13:59:25 2014 +0000
> +@@ -214,6 +214,7 @@
> +
> + # maximal line length when calling readline().
> + _MAXLINE = 65536
> ++_MAXHEADERS = 100
> +
> + class HTTPMessage(mimetools.Message):
> +
> +@@ -271,6 +272,8 @@
> + elif self.seekable:
> + tell = self.fp.tell
> + while True:
> ++ if len(hlist) > _MAXHEADERS:
> ++ raise HTTPException("got more than %d headers" %
> ++ _MAXHEADERS)
> + if tell:
> + try:
> + startofline = tell() diff -r 133ee2b48e52
> +Lib/test/test_httplib.py
> +--- a/Lib/test/test_httplib.py Fri Aug 01 23:51:51 2014 -0700
> ++++ b/Lib/test/test_httplib.py Sat Aug 02 13:59:25 2014 +0000
> +@@ -262,6 +262,13 @@
> + if resp.read() != "":
> + self.fail("Did not expect response from HEAD request")
> +
> ++ def test_too_many_headers(self):
> ++ headers = '\r\n'.join('Header%d: foo' % i for i in xrange(200)) + '\r\n'
> ++ text = ('HTTP/1.1 200 OK\r\n' + headers)
> ++ s = FakeSocket(text)
> ++ r = httplib.HTTPResponse(s)
> ++ self.assertRaises(httplib.HTTPException, r.begin)
> ++
> + def test_send_file(self):
> + expected = 'GET /foo HTTP/1.1\r\nHost: example.com\r\n' \
> + 'Accept-Encoding: identity\r\nContent-Length:'
> diff --git a/meta/recipes-devtools/python/python_2.7.3.bb b/meta/recipes-devtools/python/python_2.7.3.bb
> index cbe8d7f..d603587 100644
> --- a/meta/recipes-devtools/python/python_2.7.3.bb
> +++ b/meta/recipes-devtools/python/python_2.7.3.bb
> @@ -40,6 +40,7 @@ SRC_URI += "\
> file://posix_close.patch \
> file://python-2.7.3-CVE-2014-7185.patch \
> file://python2.7.3-nossl3.patch \
> + file://python-2.7.3-CVE-2013-1752-httplib-fix.patch \
> "
>
> S = "${WORKDIR}/Python-${PV}"
> --
> 1.9.1
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2015-11-11 1:32 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-07-03 2:25 [dizzy] [PATCH] python: Backport CVE-2013-1752 fix from upstream Tudor Florea
2015-11-11 0:57 ` Tudor Florea
2015-11-11 1:32 ` akuster808
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox