On 11/10/2015 04:57 PM, Tudor Florea wrote:
> There was no feedback on this.
> Under the same CVE there lay actually many python vulnerabilities that are
> still applicable for the dizzy branch.
> Among those only the poplib module is covered
> (python-2.7.3-CVE-2013-1752-poplib-fix.patch)
> This patch covers the httplib module and I also have a patch for the remaining
> modules.
> Should I (re)send the patch?
yes.

regards,
Armin

> Regards
> Tudor.
>
>
> -----Original Message-----
> From: Tudor Florea [mailto:tudor.flo...@enea.com]
> Sent: Friday, July 03, 2015 5:25 AM
> To: openembedded-core@lists.openembedded.org
> Cc: Tudor Florea <tudor.flo...@enea.com>
> Subject: [dizzy] [PATCH] python: Backport CVE-2013-1752 fix from upstream
>
> This backported patch fixes CVE-2013-1752 for httplib
> References:
> http://bugs.python.org/issue16037
> https://access.redhat.com/security/cve/CVE-2013-1752
>
> The httplib module / package can read arbitrary amounts of data from its
> socket when it's parsing the HTTP header. This may lead to issues when a user
> connects to a broken HTTP server or something that isn't an HTTP at all
>
> Signed-off-by: Tudor Florea <tudor.flo...@enea.com>
> ---
> .../python-2.7.3-CVE-2013-1752-httplib-fix.patch | 45
> ++++++++++++++++++++++
> meta/recipes-devtools/python/python_2.7.3.bb | 1 +
> 2 files changed, 46 insertions(+)
> create mode 100644
> meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-httplib-fix.patch
>
> diff --git
> a/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-httplib-fix.patch
>
> b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-httplib-fix.patch
> new file mode 100644
> index 0000000..e68f53f
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-htt
> +++ plib-fix.patch
> @@ -0,0 +1,45 @@ > +Upstream-Status: Backport > + > +CVE-2013-1752: httplib: HTTPMessage.readheaders() raises an > +HTTPException when more than 100 headers are read. > +Patch by Jyrki Pulliainen and Daniel Eriksson. > + > +Signed-off-by: Tudor Florea <tudor.flo...@enea.com> > +--- > +diff -r 133ee2b48e52 Lib/httplib.py > +--- a/Lib/httplib.py Fri Aug 01 23:51:51 2014 -0700 > ++++ b/Lib/httplib.py Sat Aug 02 13:59:25 2014 +0000 > +@@ -214,6 +214,7 @@ > + > + # maximal line length when calling readline(). > + _MAXLINE = 65536 > ++_MAXHEADERS = 100 > + > + class HTTPMessage(mimetools.Message): > + > +@@ -271,6 +272,8 @@ > + elif self.seekable: > + tell = self.fp.tell > + while True: > ++ if len(hlist) > _MAXHEADERS: > ++ raise HTTPException("got more than %d headers" % > ++ _MAXHEADERS) > + if tell: > + try: > + startofline = tell() diff -r 133ee2b48e52 > +Lib/test/test_httplib.py > +--- a/Lib/test/test_httplib.py Fri Aug 01 23:51:51 2014 -0700 > ++++ b/Lib/test/test_httplib.py Sat Aug 02 13:59:25 2014 +0000 > +@@ -262,6 +262,13 @@ > + if resp.read() != "": > + self.fail("Did not expect response from HEAD request") > + > ++ def test_too_many_headers(self): > ++ headers = '\r\n'.join('Header%d: foo' % i for i in xrange(200)) + > '\r\n' > ++ text = ('HTTP/1.1 200 OK\r\n' + headers) > ++ s = FakeSocket(text) > ++ r = httplib.HTTPResponse(s) > ++ self.assertRaises(httplib.HTTPException, r.begin) > ++ > + def test_send_file(self): > + expected = 'GET /foo HTTP/1.1\r\nHost: example.com\r\n' \ > + 'Accept-Encoding: identity\r\nContent-Length:' > diff --git a/meta/recipes-devtools/python/python_2.7.3.bb > b/meta/recipes-devtools/python/python_2.7.3.bb > index cbe8d7f..d603587 100644 > --- a/meta/recipes-devtools/python/python_2.7.3.bb > +++ b/meta/recipes-devtools/python/python_2.7.3.bb 
> @@ -40,6 +40,7 @@ SRC_URI += "\ > file://posix_close.patch \ > file://python-2.7.3-CVE-2014-7185.patch \ > file://python2.7.3-nossl3.patch \ > + file://python-2.7.3-CVE-2013-1752-httplib-fix.patch \ > " > > S = "${WORKDIR}/Python-${PV}" > -- > 1.9.1 > -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
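Review bot: The `if len(hlist) > _MAXHEADERS:` check in the HTTPMessage.readheaders() hunk sits at the top of the while loop, before the next readline(), so exactly _MAXHEADERS (100) headers are still accepted and the 101st is appended before the following iteration raises; that is consistent with the "got more than %d headers" message and with test_too_many_headers feeding 200 headers, but the backport header should state it in one line so nobody later "corrects" the comparison to >=. The same header carries Upstream-Status: Backport without any upstream reference: the issue URL (http://bugs.python.org/issue16037) appears only in the commit message and the hg changeset id 133ee2b48e52 only in the `diff -r` line, so please add the upstream link to the .patch header itself so the backport is traceable from the file without this thread.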
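Review bot: The patch as posted has been line-wrapped by the mail client and will not apply with git am: the new-file header is split across `+++ b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-htt` and `+++ plib-fix.patch`, and inside test_too_many_headers the `headers = '\r\n'.join('Header%d: foo' % i for i in xrange(200)) + '\r\n'` line is broken before the trailing `'\r\n'`, which would also leave the embedded Lib/test/test_httplib.py hunk unable to apply once the .patch file is consumed by the recipe. Since the thread already agrees the patch is to be resent, send it with git send-email (or as an attachment) so the hunks arrive unwrapped.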
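The commit message above describes the weakness the backport closes: HTTPMessage.readheaders() would keep accumulating header lines from a broken or non-HTTP peer with no upper bound. As an added illustration, not the patch's or CPython's code, here is a stand-alone Python 3 header reader that applies the same two limits visible in the hunk, the per-line _MAXLINE = 65536 that 2.7.3 already had and the new _MAXHEADERS = 100, with the count check placed at the top of the loop exactly as the patched readheaders() does. The response bytes it parses are constructed in-line, and the names HeaderLimitExceeded, read_headers, build_response, parse_response, response_parses and header_count_accepted are my own.

```python
"""Header-count and line-length caps in the style of the CVE-2013-1752 fix.

Added illustration (not the backport's code): a small stand-alone parser that
reads HTTP response headers from an in-memory buffer and refuses to go on
once more than MAX_HEADERS have accumulated, the way the patched
HTTPMessage.readheaders() raises HTTPException once len(hlist) exceeds
_MAXHEADERS.  All inputs below are constructed test data.
"""
import io

MAX_LINE = 65536    # per-line cap, as _MAXLINE in the 2.7.3 httplib context lines
MAX_HEADERS = 100   # header-count cap, as the backport's new _MAXHEADERS


class HeaderLimitExceeded(Exception):
    """Raised instead of reading header data without bound (hypothetical name;
    the real hunk raises httplib.HTTPException)."""


def read_headers(fp, max_headers=MAX_HEADERS, max_line=MAX_LINE):
    """Read header lines from fp (binary, positioned just after the status line).

    Returns a list of (name, value) string pairs.  The count check runs at the
    top of each iteration, before the next readline(), so exactly max_headers
    headers are accepted and one more trips the error on the following pass,
    the same behaviour as the patched loop.
    """
    headers = []
    while True:
        if len(headers) > max_headers:
            raise HeaderLimitExceeded("got more than %d headers" % max_headers)
        # readline(max_line + 1) bounds a single header line the way httplib's
        # _MAXLINE check does: one byte over the cap means the line is too long.
        line = fp.readline(max_line + 1)
        if len(line) > max_line:
            raise HeaderLimitExceeded("header line longer than %d bytes" % max_line)
        if line in (b"\r\n", b"\n", b""):
            return headers          # blank line (or EOF) ends the header block
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().decode("latin-1"),
                        value.strip().decode("latin-1")))


def build_response(header_count):
    """Constructed sample input: a 200 OK followed by header_count headers,
    shaped like the text test_too_many_headers hands to FakeSocket."""
    lines = ["HTTP/1.1 200 OK"]
    lines += ["Header%d: foo" % i for i in range(header_count)]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw, **limits):
    """Parse the status line and headers from raw bytes; returns (status, headers)."""
    fp = io.BytesIO(raw)
    status_line = fp.readline(MAX_LINE + 1).decode("ascii").rstrip("\r\n")
    _version, code, _reason = status_line.split(" ", 2)
    return int(code), read_headers(fp, **limits)


def response_parses(raw):
    """True when raw parses under the default caps, False when a cap trips."""
    try:
        parse_response(raw)
        return True
    except HeaderLimitExceeded:
        return False


def header_count_accepted(n):
    """True when a response carrying n headers is accepted under the default cap."""
    return response_parses(build_response(n))


if __name__ == "__main__":
    for n in (100, 101, 200):
        verdict = "accepted" if header_count_accepted(n) else "rejected"
        print("%d headers: %s" % (n, verdict))
```

Run stand-alone, the script reports 100 headers accepted and 101 and 200 rejected, which is the boundary the hunk's `>` comparison produces; a response with a single 70,000-byte header line is rejected by the per-line cap before the count cap ever matters.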