summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorArthur Zamarin <arthurzam@gentoo.org>2021-09-12 19:36:09 +0300
committerArthur Zamarin <arthurzam@gentoo.org>2021-09-12 19:36:09 +0300
commit384deab9737c204d6c61b06fa96d4e9ab93a18c1 (patch)
treed28af905c422560ac2fe1aa68a8f402eb3cbe35c /dev-python
parentdev-python/tomli: keyword ~x64-macos (diff)
downloadgentoo-384deab9737c204d6c61b06fa96d4e9ab93a18c1.tar.gz
gentoo-384deab9737c204d6c61b06fa96d4e9ab93a18c1.tar.bz2
gentoo-384deab9737c204d6c61b06fa96d4e9ab93a18c1.zip
dev-python/rencode: import fix CVE-2021-40839
Bug: https://bugs.gentoo.org/812437 Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>
Diffstat (limited to 'dev-python')
-rw-r--r--dev-python/rencode/files/rencode-1.0.6-fix-CVE-2021-40839.patch34
-rw-r--r--dev-python/rencode/rencode-1.0.6-r2.ebuild35
2 files changed, 69 insertions, 0 deletions
diff --git a/dev-python/rencode/files/rencode-1.0.6-fix-CVE-2021-40839.patch b/dev-python/rencode/files/rencode-1.0.6-fix-CVE-2021-40839.patch
new file mode 100644
index 000000000000..0a997d408017
--- /dev/null
+++ b/dev-python/rencode/files/rencode-1.0.6-fix-CVE-2021-40839.patch
@@ -0,0 +1,34 @@
+From: Andrew Resch <andrewresch@gmail.com>
+Date: Mon, 9 Aug 2021 20:44:51 -0700
+Subject: [PATCH] Fix checking if typecode is valid while decoding.
+
+This bug will cause rencode to hang if the invalid typecode is included
+in a sequence type (list, dict) since the position will not change and
+the loop checking for the termination byte never returns.
+
+This change is a copy of PR #29 with a few aesthetic changes.
+
+--- a/rencode/rencode.pyx
++++ b/rencode/rencode.pyx
+@@ -527,6 +527,8 @@
+ return decode_fixed_dict(data, pos)
+ elif typecode == CHR_DICT:
+ return decode_dict(data, pos)
++ else:
++ raise ValueError("Invalid typecode: %d at pos: %d" % (typecode, pos[0]))
+
+ def loads(data, decode_utf8=False):
+ """
+--- a/tests/test_rencode.py
++++ b/tests/test_rencode.py
+@@ -223,5 +223,10 @@
+ assert rencode_orig.__version__
+ self.assertEqual(rencode.__version__[1:], rencode_orig.__version__[1:], "version number does not match")
+
++ def test_invalid_typecode(self):
++ s = b";\x2f\x7f"
++ with self.assertRaises(ValueError):
++ rencode.loads(s)
++
+ if __name__ == '__main__':
+ unittest.main()
diff --git a/dev-python/rencode/rencode-1.0.6-r2.ebuild b/dev-python/rencode/rencode-1.0.6-r2.ebuild
new file mode 100644
index 000000000000..db75d8fdb887
--- /dev/null
+++ b/dev-python/rencode/rencode-1.0.6-r2.ebuild
@@ -0,0 +1,35 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{8..10} )
+
+inherit distutils-r1
+
+DESCRIPTION="similar to bencode from the BitTorrent project"
+HOMEPAGE="https://github.com/aresch/rencode"
+SRC_URI="https://github.com/aresch/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-3+"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~sparc ~x86 ~amd64-linux ~x86-linux"
+
+BDEPEND="dev-python/cython[${PYTHON_USEDEP}]"
+
+distutils_enable_tests pytest
+
+PATCHES=(
+ # https://github.com/aresch/rencode/commit/16e61e1ff4294bddb7c881536d3d454355c78969
+ "${FILESDIR}/${P}-drop-wheel-dependency.patch"
+ # bug #812437
+ "${FILESDIR}/${P}-fix-CVE-2021-40839.patch"
+)
+
+python_test() {
+ # The C extension ("_rencode") can't be imported from "${S}/rencode"
+ # so we need to cd somewhere else to make sure "rencode" is imported
+ # from ${BUILD_DIR}/lib (thanks to PYTHONPATH).
+ cd "${T}" || die
+ epytest "${S}"
+}