There was not feedback on this. Under the same CVE there lay actually many python vulnerabilities that are still applicable for dizzy branch. Among those only poplib module is covered (python-2.7.3-CVE-2013-1752-poplib-fix.patch) This patch covers httplib modules and I have also a patch for the remaining modules. Should I (re)send the patch? Regards Tudor.
-----Original Message----- From: Tudor Florea [mailto:tudor.flo...@enea.com] Sent: Friday, July 03, 2015 5:25 AM To: openembedded-core@lists.openembedded.org Cc: Tudor Florea <tudor.flo...@enea.com> Subject: [dizzy] [PATCH] python: Backport CVE-2013-1752 fix from upstream This back ported patch fixes CVE-2013-1752 for httplib References: http://bugs.python.org/issue16037 https://access.redhat.com/security/cve/CVE-2013-1752 The httplib module / package can read arbitrary amounts of data from its socket when it's parsing the HTTP header. This may lead to issues when a user connects to a broken HTTP server or something that isn't a HTTP at all Signed-off-by: Tudor Florea <tudor.flo...@enea.com> --- .../python-2.7.3-CVE-2013-1752-httplib-fix.patch | 45 ++++++++++++++++++++++ meta/recipes-devtools/python/python_2.7.3.bb | 1 + 2 files changed, 46 insertions(+) create mode 100644 meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-httplib-fix.patch diff --git a/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-httplib-fix.patch b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-httplib-fix.patch new file mode 100644 index 0000000..e68f53f --- /dev/null +++ b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-htt +++ plib-fix.patch @@ -0,0 +1,45 @@ +Upstream-Status: Backport + +CVE-2013-1752: httplib: HTTPMessage.readheaders() raises an +HTTPException when more than 100 headers are read. +Patch by Jyrki Pulliainen and Daniel Eriksson. + +Signed-off-by: Tudor Florea <tudor.flo...@enea.com> +--- +diff -r 133ee2b48e52 Lib/httplib.py +--- a/Lib/httplib.py Fri Aug 01 23:51:51 2014 -0700 ++++ b/Lib/httplib.py Sat Aug 02 13:59:25 2014 +0000 +@@ -214,6 +214,7 @@ + + # maximal line length when calling readline(). + _MAXLINE = 65536 ++_MAXHEADERS = 100 + + class HTTPMessage(mimetools.Message): + +@@ -271,6 +272,8 @@ + elif self.seekable: + tell = self.fp.tell + while True: ++ if len(hlist) > _MAXHEADERS: ++ raise HTTPException("got more than %d headers" % ++ _MAXHEADERS) + if tell: + try: + startofline = tell() diff -r 133ee2b48e52 +Lib/test/test_httplib.py +--- a/Lib/test/test_httplib.py Fri Aug 01 23:51:51 2014 -0700 ++++ b/Lib/test/test_httplib.py Sat Aug 02 13:59:25 2014 +0000 +@@ -262,6 +262,13 @@ + if resp.read() != "": + self.fail("Did not expect response from HEAD request") + ++ def test_too_many_headers(self): ++ headers = '\r\n'.join('Header%d: foo' % i for i in xrange(200)) + '\r\n' ++ text = ('HTTP/1.1 200 OK\r\n' + headers) ++ s = FakeSocket(text) ++ r = httplib.HTTPResponse(s) ++ self.assertRaises(httplib.HTTPException, r.begin) ++ + def test_send_file(self): + expected = 'GET /foo HTTP/1.1\r\nHost: example.com\r\n' \ + 'Accept-Encoding: identity\r\nContent-Length:' diff --git a/meta/recipes-devtools/python/python_2.7.3.bb b/meta/recipes-devtools/python/python_2.7.3.bb index cbe8d7f..d603587 100644 --- a/meta/recipes-devtools/python/python_2.7.3.bb +++ b/meta/recipes-devtools/python/python_2.7.3.bb @@ -40,6 +40,7 @@ SRC_URI += "\ file://posix_close.patch \ file://python-2.7.3-CVE-2014-7185.patch \ file://python2.7.3-nossl3.patch \ + file://python-2.7.3-CVE-2013-1752-httplib-fix.patch \ " S = "${WORKDIR}/Python-${PV}" -- 1.9.1 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
