diff -u python2.7-2.7.12/debian/changelog python2.7-2.7.12/debian/changelog --- python2.7-2.7.12/debian/changelog +++ python2.7-2.7.12/debian/changelog @@ -1,3 +1,13 @@ +python2.7 (2.7.12-1ubuntu0~16.04.2) xenial-security; urgency=medium + + * SECURITY UPDATE: integer overflow in the PyString_DecodeEscape + function + - debian/patches/CVE-2017-1000158.patch: fix this integer overflow + in Objects/stringobject.c. + - CVE-2017-1000158 + + -- Leonidas S. Barbosa Mon, 20 Nov 2017 15:23:56 -0300 + python2.7 (2.7.12-1ubuntu0~16.04.1) xenial-security; urgency=medium * SECURITY UPDATE: use of HTTP_PROXY flag supplied by attacker in CGI diff -u python2.7-2.7.12/debian/patches/series.in python2.7-2.7.12/debian/patches/series.in --- python2.7-2.7.12/debian/patches/series.in +++ python2.7-2.7.12/debian/patches/series.in @@ -71,0 +72 @@ +CVE-2017-1000158.patch only in patch2: unchanged: --- python2.7-2.7.12.orig/debian/patches/CVE-2017-1000158.patch +++ python2.7-2.7.12/debian/patches/CVE-2017-1000158.patch @@ -0,0 +1,57 @@ +From c3c9db89273fabc62ea1b48389d9a3000c1c03ae Mon Sep 17 00:00:00 2001 +From: Jay Bosamiya +Date: Sun, 18 Jun 2017 22:11:03 +0530 +Subject: [PATCH] [2.7] bpo-30657: Check & prevent integer overflow in + PyString_DecodeEscape (#2174) + +#--- +# Misc/ACKS | 1 + +# Misc/NEWS | 3 +++ +# Objects/stringobject.c | 8 +++++++- +# 3 files changed, 11 insertions(+), 1 deletion(-) +# +#diff --git a/Misc/ACKS b/Misc/ACKS +#index 95be42717a0..a411bc5ffc8 100644 +#--- a/Misc/ACKS +#+++ b/Misc/ACKS +#@@ -152,6 +152,7 @@ Gregory Bond +# Matias Bordese +# Jonas Borgström +# Jurjen Bos +#+Jay Bosamiya +# Peter Bosch +# Dan Boswell +# Eric Bouck +#diff --git a/Misc/NEWS b/Misc/NEWS +#index b89f6ea62d8..62559edf837 100644 +#--- a/Misc/NEWS +#+++ b/Misc/NEWS +#@@ -10,6 +10,9 @@ What's New in Python 2.7.14? +# Core and Builtins +# ----------------- +# +#+- bpo-30657: Fixed possible integer overflow in PyString_DecodeEscape. +#+ Patch by Jay Bosamiya. +#+ +# - bpo-27945: Fixed various segfaults with dict when input collections are +# mutated during searching, inserting or comparing. Based on patches by +# Duane Griffin and Tim Mitchell. +diff --git a/Objects/stringobject.c b/Objects/stringobject.c +index c78e19316a0..59d22e76946 100644 +--- a/Objects/stringobject.c ++++ b/Objects/stringobject.c +@@ -612,7 +612,13 @@ PyObject *PyString_DecodeEscape(const char *s, + char *p, *buf; + const char *end; + PyObject *v; +- Py_ssize_t newlen = recode_encoding ? 4*len:len; ++ Py_ssize_t newlen; ++ /* Check for integer overflow */ ++ if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) { ++ PyErr_SetString(PyExc_OverflowError, "string is too large"); ++ return NULL; ++ } ++ newlen = recode_encoding ? 4*len:len; + v = PyString_FromStringAndSize((char *)NULL, newlen); + if (v == NULL) + return NULL;