mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-02-05 16:28:43 +01:00
Code Issues Packages Projects Releases Wiki Activity

python: Backport CVE-2013-1752 fix from upstream

Browse Source 
This back ported patch fixes CVE-2013-1752 for smtplib

(From OE-Core rev: 4af111e94edc93657c94de6b584c099571b4cf40)

Signed-off-by: Maxin B. John <maxin.john@enea.com>
Reviewed-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Maxin B. John
2014-02-28 12:53:33 +01:00
committed by Richard Purdie
parent 617819a6bf
commit bbe9cb7339
2 changed files with 102 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

101
meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-smtplib-fix.patch Normal file
View File

@@ -0,0 +1,101 @@
Upstream-Status: Backport
Reference: http://bugs.python.org/issue16042
CVE-2013-1752: smtplib: Limit amount of data read by limiting the
call to readline(). Original patch by Christian Heimes
Signed-off-by: Maxin B. John <maxin.john@enea.com>
---
diff -Naur Python-2.7.3-orig/Lib/smtplib.py Python-2.7.3/Lib/smtplib.py
--- Python-2.7.3-orig/Lib/smtplib.py 2012-04-10 01:07:31.000000000 +0200
+++ Python-2.7.3/Lib/smtplib.py 2014-02-27 14:15:24.444198465 +0100
@@ -57,6 +57,7 @@
SMTP_PORT = 25
SMTP_SSL_PORT = 465
CRLF = "\r\n"
+_MAXLINE = 8192 # more than 8 times larger than RFC 821, 4.5.3
OLDSTYLE_AUTH = re.compile(r"auth=(.*)", re.I)
@@ -179,10 +180,14 @@
def __init__(self, sslobj):
self.sslobj = sslobj
- def readline(self):
+ def readline(self, size=-1):
+ if size < 0:
+ size = None
str = ""
chr = None
while chr != "\n":
+ if size is not None and len(str) >= size:
+ break
chr = self.sslobj.read(1)
if not chr:
break
@@ -351,7 +356,7 @@
self.file = self.sock.makefile('rb')
while 1:
try:
- line = self.file.readline()
+ line = self.file.readline(_MAXLINE + 1)
except socket.error as e:
self.close()
raise SMTPServerDisconnected("Connection unexpectedly closed: "
@@ -361,6 +366,8 @@
raise SMTPServerDisconnected("Connection unexpectedly closed")
if self.debuglevel > 0:
print>>stderr, 'reply:', repr(line)
+ if len(line) > _MAXLINE:
+ raise SMTPResponseException(500, "Line too long.")
resp.append(line[4:].strip())
code = line[:3]
# Check that the error code is syntactically correct.
diff -Naur Python-2.7.3-orig/Lib/test/test_smtplib.py Python-2.7.3/Lib/test/test_smtplib.py
--- Python-2.7.3-orig/Lib/test/test_smtplib.py 2012-04-10 01:07:32.000000000 +0200
+++ Python-2.7.3/Lib/test/test_smtplib.py 2014-02-27 14:15:24.448198293 +0100
@@ -292,6 +292,33 @@
HOST, self.port, 'localhost', 3)
+@unittest.skipUnless(threading, 'Threading required for this test.')
+class TooLongLineTests(unittest.TestCase):
+ respdata = '250 OK' + ('.' * smtplib._MAXLINE * 2) + '\n'
+
+ def setUp(self):
+ self.old_stdout = sys.stdout
+ self.output = StringIO.StringIO()
+ sys.stdout = self.output
+
+ self.evt = threading.Event()
+ self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ self.sock.settimeout(15)
+ self.port = test_support.bind_port(self.sock)
+ servargs = (self.evt, self.respdata, self.sock)
+ threading.Thread(target=server, args=servargs).start()
+ self.evt.wait()
+ self.evt.clear()
+
+ def tearDown(self):
+ self.evt.wait()
+ sys.stdout = self.old_stdout
+
+ def testLineTooLong(self):
+ self.assertRaises(smtplib.SMTPResponseException, smtplib.SMTP,
+ HOST, self.port, 'localhost', 3)
+
+
sim_users = {'Mr.A@somewhere.com':'John A',
'Ms.B@somewhere.com':'Sally B',
'Mrs.C@somewhereesle.com':'Ruth C',
@@ -511,7 +538,8 @@
def test_main(verbose=None):
test_support.run_unittest(GeneralTests, DebuggingServerTests,
NonConnectingTests,
- BadHELOServerTests, SMTPSimTests)
+ BadHELOServerTests, SMTPSimTests,
+ TooLongLineTests)
if __name__ == '__main__':
test_main()