[OE-core] [dizzy] [PATCH] python: Backport CVE-2013-1752 fix from upstream
Tudor Florea
Tudor.Florea at enea.com
Wed Nov 11 00:57:01 UTC 2015
There was not feedback on this.
Under the same CVE there lay actually many python vulnerabilities that are still applicable for dizzy branch.
Among those only poplib module is covered (python-2.7.3-CVE-2013-1752-poplib-fix.patch)
This patch covers httplib modules and I have also a patch for the remaining modules.
Should I (re)send the patch?
Regards
Tudor.
-----Original Message-----
From: Tudor Florea [mailto:tudor.florea at enea.com]
Sent: Friday, July 03, 2015 5:25 AM
To: openembedded-core at lists.openembedded.org
Cc: Tudor Florea <Tudor.Florea at enea.com>
Subject: [dizzy] [PATCH] python: Backport CVE-2013-1752 fix from upstream
This back ported patch fixes CVE-2013-1752 for httplib
References:
http://bugs.python.org/issue16037
https://access.redhat.com/security/cve/CVE-2013-1752
The httplib module / package can read arbitrary amounts of data from its socket when it's parsing the HTTP header. This may lead to issues when a user connects to a broken HTTP server or something that isn't a HTTP at all
Signed-off-by: Tudor Florea <tudor.florea at enea.com>
---
.../python-2.7.3-CVE-2013-1752-httplib-fix.patch | 45 ++++++++++++++++++++++
meta/recipes-devtools/python/python_2.7.3.bb | 1 +
2 files changed, 46 insertions(+)
create mode 100644 meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-httplib-fix.patch
diff --git a/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-httplib-fix.patch b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-httplib-fix.patch
new file mode 100644
index 0000000..e68f53f
--- /dev/null
+++ b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-htt
+++ plib-fix.patch
@@ -0,0 +1,45 @@
+Upstream-Status: Backport
+
+CVE-2013-1752: httplib: HTTPMessage.readheaders() raises an
+HTTPException when more than 100 headers are read.
+Patch by Jyrki Pulliainen and Daniel Eriksson.
+
+Signed-off-by: Tudor Florea <tudor.florea at enea.com>
+---
+diff -r 133ee2b48e52 Lib/httplib.py
+--- a/Lib/httplib.py Fri Aug 01 23:51:51 2014 -0700
++++ b/Lib/httplib.py Sat Aug 02 13:59:25 2014 +0000
+@@ -214,6 +214,7 @@
+
+ # maximal line length when calling readline().
+ _MAXLINE = 65536
++_MAXHEADERS = 100
+
+ class HTTPMessage(mimetools.Message):
+
+@@ -271,6 +272,8 @@
+ elif self.seekable:
+ tell = self.fp.tell
+ while True:
++ if len(hlist) > _MAXHEADERS:
++ raise HTTPException("got more than %d headers" %
++ _MAXHEADERS)
+ if tell:
+ try:
+ startofline = tell() diff -r 133ee2b48e52
+Lib/test/test_httplib.py
+--- a/Lib/test/test_httplib.py Fri Aug 01 23:51:51 2014 -0700
++++ b/Lib/test/test_httplib.py Sat Aug 02 13:59:25 2014 +0000
+@@ -262,6 +262,13 @@
+ if resp.read() != "":
+ self.fail("Did not expect response from HEAD request")
+
++ def test_too_many_headers(self):
++ headers = '\r\n'.join('Header%d: foo' % i for i in xrange(200)) + '\r\n'
++ text = ('HTTP/1.1 200 OK\r\n' + headers)
++ s = FakeSocket(text)
++ r = httplib.HTTPResponse(s)
++ self.assertRaises(httplib.HTTPException, r.begin)
++
+ def test_send_file(self):
+ expected = 'GET /foo HTTP/1.1\r\nHost: example.com\r\n' \
+ 'Accept-Encoding: identity\r\nContent-Length:'
diff --git a/meta/recipes-devtools/python/python_2.7.3.bb b/meta/recipes-devtools/python/python_2.7.3.bb
index cbe8d7f..d603587 100644
--- a/meta/recipes-devtools/python/python_2.7.3.bb
+++ b/meta/recipes-devtools/python/python_2.7.3.bb
@@ -40,6 +40,7 @@ SRC_URI += "\
file://posix_close.patch \
file://python-2.7.3-CVE-2014-7185.patch \
file://python2.7.3-nossl3.patch \
+ file://python-2.7.3-CVE-2013-1752-httplib-fix.patch \
"
S = "${WORKDIR}/Python-${PV}"
--
1.9.1
More information about the Openembedded-core
mailing list