authorArthur Zamarin <arthurzam@gentoo.org>2021-09-12 19:36:09 +0300
committerArthur Zamarin <arthurzam@gentoo.org>2021-09-12 19:36:09 +0300
commit384deab9737c204d6c61b06fa96d4e9ab93a18c1 (patch)
treed28af905c422560ac2fe1aa68a8f402eb3cbe35c /dev-python/rencode
parentdev-python/tomli: keyword ~x64-macos (diff)
downloadgentoo-384deab9737c204d6c61b06fa96d4e9ab93a18c1.tar.gz
gentoo-384deab9737c204d6c61b06fa96d4e9ab93a18c1.tar.bz2
gentoo-384deab9737c204d6c61b06fa96d4e9ab93a18c1.zip
dev-python/rencode: import fix CVE-2021-40839
Bug: https://bugs.gentoo.org/812437
Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>
Diffstat (limited to 'dev-python/rencode')
-rw-r--r--dev-python/rencode/files/rencode-1.0.6-fix-CVE-2021-40839.patch34
-rw-r--r--dev-python/rencode/rencode-1.0.6-r2.ebuild35
2 files changed, 69 insertions, 0 deletions
diff --git a/dev-python/rencode/files/rencode-1.0.6-fix-CVE-2021-40839.patch b/dev-python/rencode/files/rencode-1.0.6-fix-CVE-2021-40839.patch
new file mode 100644
index 000000000000..0a997d408017
--- /dev/null
+++ b/dev-python/rencode/files/rencode-1.0.6-fix-CVE-2021-40839.patch
@@ -0,0 +1,34 @@
+From: Andrew Resch <andrewresch@gmail.com>
+Date: Mon, 9 Aug 2021 20:44:51 -0700
+Subject: [PATCH] Fix checking if typecode is valid while decoding.
+
+This bug will cause rencode to hang if the invalid typecode is included
+in a sequence type (list, dict) since the position will not change and
+the loop checking for the termination byte never returns.
+
+This change is a copy of PR #29 with a few aesthetic changes.
+
+--- a/rencode/rencode.pyx
++++ b/rencode/rencode.pyx
+@@ -527,6 +527,8 @@
+ return decode_fixed_dict(data, pos)
+ elif typecode == CHR_DICT:
+ return decode_dict(data, pos)
++ else:
++ raise ValueError("Invalid typecode: %d at pos: %d" % (typecode, pos[0]))
+
+ def loads(data, decode_utf8=False):
+ """
+--- a/tests/test_rencode.py
++++ b/tests/test_rencode.py
+@@ -223,5 +223,10 @@
+ assert rencode_orig.__version__
+ self.assertEqual(rencode.__version__[1:], rencode_orig.__version__[1:], "version number does not match")
+
++ def test_invalid_typecode(self):
++ s = b";\x2f\x7f"
++ with self.assertRaises(ValueError):
++ rencode.loads(s)
++
+ if __name__ == '__main__':
+ unittest.main()
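Review bot: The nested `rencode.pyx` hunk (the `+ else:` / `+ raise ValueError(...)` lines and their `return decode_*` context) appears here with no leading indentation, and a patch whose context lines lack the indentation of the `if/elif` chain it targets will not apply to the Cython source; this is presumably whitespace stripped by the page rendering rather than the file in FILESDIR, but it is worth confirming with a `patch --dry-run` against the unpacked source before relying on the -r2 build. Separately, the patch header names the origin only as "a copy of PR #29" and carries no repository URL or CVE identifier, so a maintainer later rebasing or dropping the patch cannot tell which upstream change it tracks; a header line such as `Upstream: <URL of the upstream PR/commit>` and `CVE-2021-40839` in the Subject would make the provenance self-describing (the PR number is taken from the header itself; confirm it refers to the upstream rencode repository). The added `test_invalid_typecode` case covers the malformed-list input described in the header, which is the hang-on-decode condition the CVE fix is about, so the test is a useful regression guard rather than decoration.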
diff --git a/dev-python/rencode/rencode-1.0.6-r2.ebuild b/dev-python/rencode/rencode-1.0.6-r2.ebuild
new file mode 100644
index 000000000000..db75d8fdb887
--- /dev/null
+++ b/dev-python/rencode/rencode-1.0.6-r2.ebuild
@@ -0,0 +1,35 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{8..10} )
+
+inherit distutils-r1
+
+DESCRIPTION="similar to bencode from the BitTorrent project"
+HOMEPAGE="https://github.com/aresch/rencode"
+SRC_URI="https://github.com/aresch/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-3+"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~sparc ~x86 ~amd64-linux ~x86-linux"
+
+BDEPEND="dev-python/cython[${PYTHON_USEDEP}]"
+
+distutils_enable_tests pytest
+
+PATCHES=(
+ # https://github.com/aresch/rencode/commit/16e61e1ff4294bddb7c881536d3d454355c78969
+ "${FILESDIR}/${P}-drop-wheel-dependency.patch"
+ # bug #812437
+ "${FILESDIR}/${P}-fix-CVE-2021-40839.patch"
+)
+
+python_test() {
+ # The C extension ("_rencode") can't be imported from "${S}/rencode"
+ # so we need to cd somewhere else to make sure "rencode" is imported
+ # from ${BUILD_DIR}/lib (thanks to PYTHONPATH).
+ cd "${T}" || die
+ epytest "${S}"
+}
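Review bot: The two entries in `PATCHES` document their origin inconsistently: the first is annotated with the full upstream commit URL, while the CVE patch gets only `# bug #812437`, which leaves the upstream source of the security fix undiscoverable from the ebuild alone. Matching the style of the entry above it, something like `# https://bugs.gentoo.org/812437` followed by `# <upstream PR/commit URL>` on the line before `"${FILESDIR}/${P}-fix-CVE-2021-40839.patch"` would let a reader verify the backport without opening the patch file (the bug URL is the one given in the commit trailer; the upstream URL would need to be filled in by the committer). Because `distutils_enable_tests pytest` plus the `python_test` override run the package's test suite, the `test_invalid_typecode` case added by the patch is exercised at build time, which gives a concrete regression check for the decoder hang; that is worth noting in the bug comment so nobody later disables tests for this package casually.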