diff options
author | James Le Cuirot <chewi@gentoo.org> | 2017-08-31 22:15:12 +0100 |
---|---|---|
committer | James Le Cuirot <chewi@gentoo.org> | 2017-08-31 22:16:19 +0100 |
commit | 4d4181e97c8eb35dbb021f4d6a8daca122aa52c3 (patch) | |
tree | c233d67ee02d8693b7ecf7c172e32a152c0e033d /dev-java/jython | |
parent | profiles: mask dev-python/kaa-base[tls] (diff) | |
download | gentoo-4d4181e97c8eb35dbb021f4d6a8daca122aa52c3.tar.gz gentoo-4d4181e97c8eb35dbb021f4d6a8daca122aa52c3.tar.bz2 gentoo-4d4181e97c8eb35dbb021f4d6a8daca122aa52c3.zip |
dev-java/jython: Patch against CVE-2016-4000 (bug #621876)
Also unpeg the dev-java/asm version as 5.1 works fine. 5.0.3 was the
latest when that restriction was put in place so a newer version could
not have been breaking it.
Package-Manager: Portage-2.3.8, Repoman-2.3.2
Diffstat (limited to 'dev-java/jython')
-rw-r--r-- | dev-java/jython/files/CVE-2016-4000.patch | 158 | ||||
-rw-r--r-- | dev-java/jython/jython-2.7.0-r2.ebuild (renamed from dev-java/jython/jython-2.7.0-r1.ebuild) | 3 |
2 files changed, 160 insertions, 1 deletions
diff --git a/dev-java/jython/files/CVE-2016-4000.patch b/dev-java/jython/files/CVE-2016-4000.patch new file mode 100644 index 000000000000..81785eb05b07 --- /dev/null +++ b/dev-java/jython/files/CVE-2016-4000.patch @@ -0,0 +1,158 @@ + +# HG changeset patch +# User Jim Baker <jim.baker@rackspace.com> +# Date 1454384221 25200 +# Node ID d06e29d100c04576735e86c75a26c5f33669bb72 +# Parent b6735606c13df95f770527e629954407f82808c5 +Do not deserialize PyFunction objects. Fixes #2454 + +Instead use standard Python pickling; or subclass PyFunction. + +diff --git a/Lib/test/test_java_integration.py b/Lib/test/test_java_integration.py +--- a/Lib/test/test_java_integration.py ++++ b/Lib/test/test_java_integration.py +@@ -14,8 +14,9 @@ import re + from collections import deque + from test import test_support + +-from java.lang import (ClassCastException, ExceptionInInitializerError, String, Runnable, System, +- Runtime, Math, Byte) ++from java.lang import ( ++ ClassCastException, ExceptionInInitializerError, UnsupportedOperationException, ++ String, Runnable, System, Runtime, Math, Byte) + from java.math import BigDecimal, BigInteger + from java.net import URI + from java.io import (ByteArrayInputStream, ByteArrayOutputStream, File, FileInputStream, +@@ -656,13 +657,30 @@ class SerializationTest(unittest.TestCas + self.assertEqual(date_list, roundtrip_serialization(date_list)) + + def test_java_serialization_pycode(self): +- + def universal_answer(): + return 42 + + serialized_code = roundtrip_serialization(universal_answer.func_code) + self.assertEqual(eval(serialized_code), universal_answer()) + ++ def test_java_serialization_pyfunction(self): ++ # Not directly supported due to lack of general utility ++ # (globals will usually be in the function object in ++ # func_globals), and problems with unserialization ++ # vulnerabilities. Users can always subclass from PyFunction ++ # for specific cases, as seen in PyCascading ++ import new ++ def f(): ++ return 6 * 7 + max(0, 1, 2) ++ # However, using the new module, it's possible to create a ++ # function with no globals, which means the globals will come ++ # from the current context ++ g = new.function(f.func_code, {}, "g") ++ # But still forbid Java deserialization of this function ++ # object. Use pickling or other support instead. ++ with self.assertRaises(UnsupportedOperationException): ++ roundtrip_serialization(g) ++ + def test_builtin_names(self): + import __builtin__ + names = [x for x in dir(__builtin__)] +@@ -872,7 +890,7 @@ class SingleMethodInterfaceTest(unittest + future.get() + self.assertEqual(x, [42]) + +- @unittest.skip("FIXME: not working") ++ @unittest.skip("FIXME: not working; see http://bugs.jython.org/issue2115") + def test_callable_object(self): + callable_obj = CallableObject() + future = self.executor.submit(callable_obj) +diff --git a/Lib/test/test_new.py b/Lib/test/test_new.py +--- a/Lib/test/test_new.py ++++ b/Lib/test/test_new.py +@@ -24,18 +24,10 @@ class NewTest(unittest.TestCase): + c = new.instance(C, {'yolks': 3}) + + o = new.instance(C) +- +- # __dict__ is a non dict mapping in Jython +- if test_support.is_jython: +- self.assertEqual(len(o.__dict__), 0, "new __dict__ should be empty") +- else: +- self.assertEqual(o.__dict__, {}, "new __dict__ should be empty") ++ self.assertEqual(o.__dict__, {}, "new __dict__ should be empty") + del o + o = new.instance(C, None) +- if test_support.is_jython: +- self.assertEqual(len(o.__dict__), 0, "new __dict__ should be empty") +- else: +- self.assertEqual(o.__dict__, {}, "new __dict__ should be empty") ++ self.assertEqual(o.__dict__, {}, "new __dict__ should be empty") + del o + + def break_yolks(self): +@@ -109,7 +101,14 @@ class NewTest(unittest.TestCase): + test_closure(g, (1, 1), ValueError) # closure is wrong size + test_closure(f, g.func_closure, ValueError) # no closure needed + +- if hasattr(new, 'code') and not test_support.is_jython: ++ # [Obsolete] Note: Jython will never have new.code() ++ # ++ # Who said that?!!! guess what, we do! :) ++ # ++ # Unfortunately we still need a way to compile to Python bytecode, ++ # so support is still incomplete, as seen in the fact that we need ++ # to get values from CPython 2.7. ++ if hasattr(new, 'code'): + def test_code(self): + # bogus test of new.code() + def f(a): pass +@@ -117,16 +116,16 @@ class NewTest(unittest.TestCase): + c = f.func_code + argcount = c.co_argcount + nlocals = c.co_nlocals +- stacksize = c.co_stacksize ++ stacksize = 1 # TODO c.co_stacksize + flags = c.co_flags +- codestring = c.co_code +- constants = c.co_consts +- names = c.co_names ++ codestring = 'd\x00\x00S' # TODO c.co_code ++ constants = (None,) # TODO c.co_consts ++ names = () # TODO c.co_names + varnames = c.co_varnames + filename = c.co_filename + name = c.co_name + firstlineno = c.co_firstlineno +- lnotab = c.co_lnotab ++ lnotab = '' # TODO c.co_lnotab, but also see http://bugs.jython.org/issue1638 + freevars = c.co_freevars + cellvars = c.co_cellvars + +diff --git a/src/org/python/core/PyBytecode.java b/src/org/python/core/PyBytecode.java +--- a/src/org/python/core/PyBytecode.java ++++ b/src/org/python/core/PyBytecode.java +@@ -66,6 +66,12 @@ public class PyBytecode extends PyBaseCo + + debug = defaultDebug; + ++ if (argcount < 0) { ++ throw Py.ValueError("code: argcount must not be negative"); ++ } else if (nlocals < 0) { ++ throw Py.ValueError("code: nlocals must not be negative"); ++ } ++ + co_argcount = nargs = argcount; + co_varnames = varnames; + co_nlocals = nlocals; // maybe assert = varnames.length; +diff --git a/src/org/python/core/PyFunction.java b/src/org/python/core/PyFunction.java +--- a/src/org/python/core/PyFunction.java ++++ b/src/org/python/core/PyFunction.java +@@ -545,6 +545,9 @@ public class PyFunction extends PyObject + @Override + public boolean isSequenceType() { return false; } + ++ private Object readResolve() { ++ throw new UnsupportedOperationException(); ++ } + + /* Traverseproc implementation */ + @Override + diff --git a/dev-java/jython/jython-2.7.0-r1.ebuild b/dev-java/jython/jython-2.7.0-r2.ebuild index d0870d8b4ac0..c0b7572345d4 100644 --- a/dev-java/jython/jython-2.7.0-r1.ebuild +++ b/dev-java/jython/jython-2.7.0-r2.ebuild @@ -20,7 +20,7 @@ IUSE="examples test" CP_DEPEND="dev-java/antlr:3 dev-java/netty-transport:0 - =dev-java/asm-5.0.3:4 + >=dev-java/asm-5:4 dev-java/commons-compress:0 dev-java/guava:20 dev-java/jffi:1.2 @@ -66,6 +66,7 @@ PATCHES=( "${FILESDIR}"/${PN}-2.7_beta1-dont-always-recompile-classes.patch "${FILESDIR}"/${PN}-2.7_beta2-maxrepeat-import.patch "${FILESDIR}"/${PN}-2.7.0-build.xml.patch + "${FILESDIR}"/CVE-2016-4000.patch ) src_prepare() { |