diff options
5 files changed, 125 insertions, 0 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index c6581fee551b..664aed7fbc9a 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -129,6 +129,7 @@ foundationdb = 118; newrelic = 119; starbound = 120; + hydra = 121; # When adding a uid, make sure it doesn't match an existing gid. diff --git a/pkgs/development/interpreters/python/2.7/CVE-2014-1912.patch b/pkgs/development/interpreters/python/2.7/CVE-2014-1912.patch new file mode 100644 index 000000000000..95399bf76073 --- /dev/null +++ b/pkgs/development/interpreters/python/2.7/CVE-2014-1912.patch @@ -0,0 +1,57 @@ +# Edited from Mercurial patch: deleted the NEWS hunk, since it didn't apply cleanly. +# It added the following line to NEWS: +# - Issue #20246: Fix buffer overflow in socket.recvfrom_into. + +# HG changeset patch +# User Benjamin Peterson <benjamin@python.org> +# Date 1389671978 18000 +# Node ID 87673659d8f7ba1623cd4914f09ad3d2ade034e9 +# Parent 2631d33ee7fbd5f0288931ef37872218d511d2e8 +complain when nbytes > buflen to fix possible buffer overflow (closes #20246) + +diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py +--- a/Lib/test/test_socket.py ++++ b/Lib/test/test_socket.py +@@ -1620,6 +1620,16 @@ class BufferIOTest(SocketConnectedTest): + + _testRecvFromIntoMemoryview = _testRecvFromIntoArray + ++ def testRecvFromIntoSmallBuffer(self): ++ # See issue #20246. ++ buf = bytearray(8) ++ self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024) ++ ++ def _testRecvFromIntoSmallBuffer(self): ++ with test_support.check_py3k_warnings(): ++ buf = buffer(MSG*2048) ++ self.serv_conn.send(buf) ++ + + TIPC_STYPE = 2000 + TIPC_LOWER = 200 +diff --git a/Misc/ACKS b/Misc/ACKS +--- a/Misc/ACKS ++++ b/Misc/ACKS +@@ -979,6 +979,7 @@ Eric V. Smith + Christopher Smith + Gregory P. Smith + Roy Smith ++Ryan Smith-Roberts + Rafal Smotrzyk + Dirk Soede + Paul Sokolovsky +diff --git a/Misc/NEWS b/Misc/NEWS +--- a/Modules/socketmodule.c ++++ b/Modules/socketmodule.c +@@ -2742,6 +2742,10 @@ sock_recvfrom_into(PySocketSockObject *s + if (recvlen == 0) { + /* If nbytes was not specified, use the buffer's length */ + recvlen = buflen; ++ } else if (recvlen > buflen) { ++ PyErr_SetString(PyExc_ValueError, ++ "nbytes is greater than the length of the buffer"); ++ goto error; + } + + readlen = sock_recvfrom_guts(s, buf.buf, recvlen, flags, &addr); + diff --git a/pkgs/development/interpreters/python/2.7/default.nix b/pkgs/development/interpreters/python/2.7/default.nix index e9277ce2dafb..eeadc3c8cc7f 100644 --- a/pkgs/development/interpreters/python/2.7/default.nix +++ b/pkgs/development/interpreters/python/2.7/default.nix @@ -28,6 +28,10 @@ let # patch python to put zero timestamp into pyc # if DETERMINISTIC_BUILD env var is set ./deterministic-build.patch + + # See http://bugs.python.org/issue20246 + # This will be fixed in 2.7.7. + ./CVE-2014-1912.patch ]; postPatch = stdenv.lib.optionalString (stdenv.gcc.libc != null) '' diff --git a/pkgs/development/interpreters/python/3.2/CVE-2014-1912.patch b/pkgs/development/interpreters/python/3.2/CVE-2014-1912.patch new file mode 100644 index 000000000000..c69efd17f964 --- /dev/null +++ b/pkgs/development/interpreters/python/3.2/CVE-2014-1912.patch @@ -0,0 +1,57 @@ +# Edited from Mercurial patch: deleted the NEWS hunk, since it didn't apply cleanly. +# It added the following line to NEWS: +# - Issue #20246: Fix buffer overflow in socket.recvfrom_into. + + +# HG changeset patch +# User Benjamin Peterson <benjamin@python.org> +# Date 1389671978 18000 +# Node ID 9c56217e5c793685eeaf0ee224848c402bdf1e4c +# Parent 2b5cd6d4d149dea6c6941b7e07ada248b29fc9f6 +complain when nbytes > buflen to fix possible buffer overflow (closes #20246) + +diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py +--- a/Lib/test/test_socket.py ++++ b/Lib/test/test_socket.py +@@ -1968,6 +1968,14 @@ class BufferIOTest(SocketConnectedTest): + + _testRecvFromIntoMemoryview = _testRecvFromIntoArray + ++ def testRecvFromIntoSmallBuffer(self): ++ # See issue #20246. ++ buf = bytearray(8) ++ self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024) ++ ++ def _testRecvFromIntoSmallBuffer(self): ++ self.serv_conn.send(MSG*2048) ++ + + TIPC_STYPE = 2000 + TIPC_LOWER = 200 +diff --git a/Misc/ACKS b/Misc/ACKS +--- a/Misc/ACKS ++++ b/Misc/ACKS +@@ -1020,6 +1020,7 @@ Eric V. Smith + Christopher Smith + Gregory P. Smith + Roy Smith ++Ryan Smith-Roberts + Rafal Smotrzyk + Dirk Soede + Paul Sokolovsky +diff --git a/Misc/NEWS b/Misc/NEWS +--- a/Modules/socketmodule.c ++++ b/Modules/socketmodule.c +@@ -2598,6 +2598,11 @@ sock_recvfrom_into(PySocketSockObject *s + if (recvlen == 0) { + /* If nbytes was not specified, use the buffer's length */ + recvlen = buflen; ++ } else if (recvlen > buflen) { ++ PyBuffer_Release(&pbuf); ++ PyErr_SetString(PyExc_ValueError, ++ "nbytes is greater than the length of the buffer"); ++ return NULL; + } + + readlen = sock_recvfrom_guts(s, buf, recvlen, flags, &addr); + diff --git a/pkgs/development/interpreters/python/3.2/default.nix b/pkgs/development/interpreters/python/3.2/default.nix index 03f2d392bd11..c103b0f59cde 100644 --- a/pkgs/development/interpreters/python/3.2/default.nix +++ b/pkgs/development/interpreters/python/3.2/default.nix @@ -32,6 +32,12 @@ stdenv.mkDerivation { sha256 = "0pxs234g08v3lar09lvzxw4vqdpwkbqmvkv894j2w7aklskcjd6v"; }; + patches = + [ + # See http://bugs.python.org/issue20246 + ./CVE-2014-1912.patch + ]; + NIX_LDFLAGS = stdenv.lib.optionalString stdenv.isLinux "-lgcc_s"; preConfigure = '' |