- Mark Python as Secure

- Fix DoS via malformed XML-RPC / HTTP POST Submitted by: rm@ Reported by: many Obtained from: python hg Security: http://www.vuxml.org/freebsd/b4f8be9e-56b2-11e1-9fb7-003067b2972c.html
svn path=/head/; revision=291731
2025-02-01 10:59:55 +00:00 · 2012-02-18 17:53:53 +00:00 · 2012-02-18 17:53:53 +00:00 · c70027929c · 2021-03-31 03:12:20 +00:00
commit c70027929c
parent 02e663d404
11 changed files with 131 additions and 5 deletions
--- a/lang/python25/Makefile
+++ b/lang/python25/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	python25
 PORTVERSION=	2.5.6
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	lang python ipv6
 MASTER_SITES=	${PYTHON_MASTER_SITES}
 MASTER_SITE_SUBDIR=	${PYTHON_MASTER_SITE_SUBDIR}
--- a/lang/python25/files/patch-CVE-2012-0845
+++ b/lang/python25/files/patch-CVE-2012-0845
@ -0,0 +1,14 @@
+--- Lib/SimpleXMLRPCServer.py.orig	2011-06-11 19:46:23.000000000 +0400
+++ Lib/SimpleXMLRPCServer.py	2012-02-15 12:50:23.000000000 +0400
+@@ -486,7 +486,10 @@
+             L = []
+             while size_remaining:
+                 chunk_size = min(size_remaining, max_chunk_size)
+-                L.append(self.rfile.read(chunk_size))
+                chunk = self.rfile.read(chunk_size)
+                if not chunk:
+                    break
+                L.append(chunk)
+                 size_remaining -= len(L[-1])
+             data = ''.join(L)
+ 
--- a/lang/python26/Makefile
+++ b/lang/python26/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	python26
 PORTVERSION=	2.6.7
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	lang python ipv6
 MASTER_SITES=	${PYTHON_MASTER_SITES}
 MASTER_SITE_SUBDIR=	${PYTHON_MASTER_SITE_SUBDIR}
--- a/lang/python26/files/patch-CVE-2012-0845
+++ b/lang/python26/files/patch-CVE-2012-0845
@ -0,0 +1,14 @@
+--- Lib/SimpleXMLRPCServer.py.orig	2011-06-11 19:46:23.000000000 +0400
+++ Lib/SimpleXMLRPCServer.py	2012-02-15 12:50:23.000000000 +0400
+@@ -486,7 +486,10 @@
+             L = []
+             while size_remaining:
+                 chunk_size = min(size_remaining, max_chunk_size)
+-                L.append(self.rfile.read(chunk_size))
+                chunk = self.rfile.read(chunk_size)
+                if not chunk:
+                    break
+                L.append(chunk)
+                 size_remaining -= len(L[-1])
+             data = ''.join(L)
+ 
--- a/lang/python27/Makefile
+++ b/lang/python27/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	python27
 PORTVERSION=	2.7.2
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	lang python ipv6
 MASTER_SITES=	${PYTHON_MASTER_SITES}
 MASTER_SITE_SUBDIR=	${PYTHON_MASTER_SITE_SUBDIR}
--- a/lang/python27/files/patch-CVE-2012-0845
+++ b/lang/python27/files/patch-CVE-2012-0845
@ -0,0 +1,14 @@
+--- Lib/SimpleXMLRPCServer.py.orig	2011-06-11 19:46:23.000000000 +0400
+++ Lib/SimpleXMLRPCServer.py	2012-02-15 12:50:23.000000000 +0400
+@@ -486,7 +486,10 @@
+             L = []
+             while size_remaining:
+                 chunk_size = min(size_remaining, max_chunk_size)
+-                L.append(self.rfile.read(chunk_size))
+                chunk = self.rfile.read(chunk_size)
+                if not chunk:
+                    break
+                L.append(chunk)
+                 size_remaining -= len(L[-1])
+             data = ''.join(L)
+ 
--- a/lang/python31/Makefile
+++ b/lang/python31/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	python31
 PORTVERSION=	3.1.4
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	lang python ipv6
 MASTER_SITES=	${PYTHON_MASTER_SITES}
 MASTER_SITE_SUBDIR=	${PYTHON_MASTER_SITE_SUBDIR}
--- a/lang/python31/files/patch-CVE-2012-0845
+++ b/lang/python31/files/patch-CVE-2012-0845
@ -0,0 +1,15 @@
+diff --git a/Lib/xmlrpc/server.py b/Lib/xmlrpc/server.py
+--- Lib/xmlrpc/server.py
+++ Lib/xmlrpc/server.py
+@@ -476,7 +476,10 @@
+             L = []
+             while size_remaining:
+                 chunk_size = min(size_remaining, max_chunk_size)
+-                L.append(self.rfile.read(chunk_size))
+                chunk = self.rfile.read(chunk_size)
+                if not chunk:
+                    break
+                L.append(chunk)
+                 size_remaining -= len(L[-1])
+             data = b''.join(L)
+ 
--- a/lang/python31/pr-patch
+++ b/lang/python31/pr-patch
@ -0,0 +1,23 @@
+
+--- python31ppc.diff begins here ---
+Index: files/patch-Modules-_ctypes-libffi-src-powerpc-ffitarget.h
+===================================================================
+RCS file: files/patch-Modules-_ctypes-libffi-src-powerpc-ffitarget.h
+diff -N files/patch-Modules-_ctypes-libffi-src-powerpc-ffitarget.h
+--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-Modules-_ctypes-libffi-src-powerpc-ffitarget.h	17 Nov 2011 05:09:15 -0000
+@@ -0,0 +1,11 @@
+--- Modules/_ctypes/libffi/src/powerpc/ffitarget.h.orig	2011-11-16 20:32:42.000000000 -0800
++++ Modules/_ctypes/libffi/src/powerpc/ffitarget.h	2011-11-16 20:33:23.000000000 -0800
+@@ -78,6 +78,8 @@
+   FFI_SYSV,
+   FFI_GCC_SYSV,
+   FFI_LINUX64,
++  FFI_LINUX,
++  FFI_LINUX_SOFT_FLOAT,
+   FFI_DEFAULT_ABI = FFI_SYSV,
+ #endif
+ 
+--- python31ppc.diff ends here ---
+
+
--- a/lang/python32/Makefile
+++ b/lang/python32/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	python32
 PORTVERSION=	3.2.2
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	lang python ipv6
 MASTER_SITES=	${PYTHON_MASTER_SITES}
 MASTER_SITE_SUBDIR=	${PYTHON_MASTER_SITE_SUBDIR}
--- a/lang/python32/files/patch-CVE-2012-0845
+++ b/lang/python32/files/patch-CVE-2012-0845
@ -0,0 +1,46 @@
+diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py
+--- Lib/test/test_xmlrpc.py
+++ Lib/test/test_xmlrpc.py
+@@ -519,12 +519,7 @@
+ 
+     def tearDown(self):
+         # wait on the server thread to terminate
+-        self.evt.wait(4.0)
+-        # XXX this code does not work, and in fact stop_serving doesn't exist.
+-        if not self.evt.is_set():
+-            self.evt.set()
+-            stop_serving()
+-            raise RuntimeError("timeout reached, test has failed")
+        self.evt.wait()
+ 
+         # disable traceback reporting
+         xmlrpc.server.SimpleXMLRPCServer._send_traceback_header = False
+@@ -671,6 +666,13 @@
+         server = xmlrpclib.ServerProxy("http://%s:%d/RPC2" % (ADDR, PORT))
+         self.assertEqual(server.add("a", "\xe9"), "a\xe9")
+ 
+    def test_partial_post(self):
+        # Check that a partial POST doesn't make the server loop: issue #14001.
+        conn = http.client.HTTPConnection(ADDR, PORT)
+        conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye')
+        conn.close()
+
+
+ class MultiPathServerTestCase(BaseServerTestCase):
+     threadFunc = staticmethod(http_multi_server)
+     request_count = 2
+diff --git a/Lib/xmlrpc/server.py b/Lib/xmlrpc/server.py
+--- Lib/xmlrpc/server.py
+++ Lib/xmlrpc/server.py
+@@ -476,7 +476,10 @@
+             L = []
+             while size_remaining:
+                 chunk_size = min(size_remaining, max_chunk_size)
+-                L.append(self.rfile.read(chunk_size))
+                chunk = self.rfile.read(chunk_size)
+                if not chunk:
+                    break
+                L.append(chunk)
+                 size_remaining -= len(L[-1])
+             data = b''.join(L)
+