head	1.2;
access;
symbols
	pkgsrc-2013Q2:1.2.0.8
	pkgsrc-2013Q2-base:1.2
	pkgsrc-2012Q4:1.2.0.6
	pkgsrc-2012Q4-base:1.2
	pkgsrc-2011Q4:1.2.0.4
	pkgsrc-2011Q4-base:1.2
	pkgsrc-2011Q2:1.2.0.2
	pkgsrc-2011Q2-base:1.2
	pkgsrc-2011Q1:1.1.0.26
	pkgsrc-2011Q1-base:1.1
	pkgsrc-2010Q4:1.1.0.24
	pkgsrc-2010Q4-base:1.1
	pkgsrc-2010Q3:1.1.0.22
	pkgsrc-2010Q3-base:1.1
	pkgsrc-2010Q2:1.1.0.20
	pkgsrc-2010Q2-base:1.1
	pkgsrc-2010Q1:1.1.0.18
	pkgsrc-2010Q1-base:1.1
	pkgsrc-2009Q4:1.1.0.16
	pkgsrc-2009Q4-base:1.1
	pkgsrc-2009Q3:1.1.0.14
	pkgsrc-2009Q3-base:1.1
	pkgsrc-2009Q2:1.1.0.12
	pkgsrc-2009Q2-base:1.1
	pkgsrc-2009Q1:1.1.0.10
	pkgsrc-2009Q1-base:1.1
	pkgsrc-2008Q4:1.1.0.8
	pkgsrc-2008Q4-base:1.1
	pkgsrc-2008Q3:1.1.0.6
	pkgsrc-2008Q3-base:1.1
	cube-native-xorg:1.1.0.4
	cube-native-xorg-base:1.1
	pkgsrc-2008Q2:1.1.0.2;
locks; strict;
comment	@# @;


1.2
date	2011.04.23.08.53.53;	author obache;	state dead;
branches;
next	1.1;

1.1
date	2008.08.07.11.20.18;	author drochner;	state Exp;
branches
	1.1.2.1;
next	;

1.1.2.1
date	2008.08.07.11.20.18;	author tron;	state dead;
branches;
next	1.1.2.2;

1.1.2.2
date	2008.08.10.17.02.26;	author tron;	state Exp;
branches;
next	;


desc
@@


1.2
log
@Update python24 to 2.4.6.

What's New in Python 2.4.6?
===========================

*Release date: 19-Dec-2008*



What's New in Python 2.4.6c1?
=============================

*Release date: 13-Dec-2008*

Core and builtins
-----------------

- Issue #4469: Prevent expandtabs() on string and unicode
  objects from causing a segfault when a large width is passed
  on 32-bit platforms. CVE-2008-5031.

- Issue #4317: Fixed a crash in the imageop.rgb2rgb8() function.

- Issue #4230: Fix a crash when a class has a custom __getattr__ and an
  __getattribute__ method that deletes the __getattr__ attribute.

- Apply security patches from Apple. CVE-2008-2315.

- Issue #2620: Overflow checking when allocating or reallocating memory
  was not always being done properly in some python types and extension
  modules.  PyMem_MALLOC, PyMem_REALLOC, PyMem_NEW and PyMem_RESIZE have
  all been updated to perform better checks and places in the code that
  would previously leak memory on the error path when such an allocation
  failed have been fixed.

- Issue #1179: Fix CVE-2007-4965 and CVE-2008-1679, multiple integer
  overflows in the imageop and rgbimgmodule modules.

- Issue #2586: Fix CVE-2008-1721, zlib crash from
  zlib.decompressobj().flush(val) when val is not positive.

- Issues #2588, #2589: Fix potential integer underflow and overflow
  conditions in the PyOS_vsnprintf C API function. CVE-2008-3144.

- Issue #2587: In the C API, PyString_FromStringAndSize() takes a signed size
  parameter but was not verifying that it was greater than zero.  Values
  less than zero will now raise a SystemError and return NULL to indicate a
  bug in the calling C code. CVE-2008-1887.

- Security Issue #2: imageop did not validate arguments correctly and could
  segfault as a result. CVE-2008-4864.

Extension Modules
-----------------

Library
-------

Tests
-----

Build
-----

Tools/Demos
-----------

- Tools/faqwiz/move-faqwiz.sh: Fix unsecure use of temporary files.
@
text
@$NetBSD: patch-bm,v 1.1 2008/08/07 11:20:18 drochner Exp $

--- Python/mysnprintf.c.orig	2001-12-21 17:32:15.000000000 +0100
+++ Python/mysnprintf.c
@@@@ -54,18 +54,28 @@@@ int
 PyOS_vsnprintf(char *str, size_t size, const char  *format, va_list va)
 {
 	int len;  /* # bytes written, excluding \0 */
-#ifndef HAVE_SNPRINTF
+#ifdef HAVE_SNPRINTF
+#define _PyOS_vsnprintf_EXTRA_SPACE 1
+#else
+#define _PyOS_vsnprintf_EXTRA_SPACE 512
 	char *buffer;
 #endif
 	assert(str != NULL);
 	assert(size > 0);
 	assert(format != NULL);
+	/* We take a size_t as input but return an int.  Sanity check
+	 * our input so that it won't cause an overflow in the
+         * vsnprintf return value or the buffer malloc size.  */
+	if (size > INT_MAX - _PyOS_vsnprintf_EXTRA_SPACE) {
+		len = -666;
+		goto Done;
+	}
 
 #ifdef HAVE_SNPRINTF
 	len = vsnprintf(str, size, format, va);
 #else
 	/* Emulate it. */
-	buffer = PyMem_MALLOC(size + 512);
+	buffer = PyMem_MALLOC(size + _PyOS_vsnprintf_EXTRA_SPACE);
 	if (buffer == NULL) {
 		len = -666;
 		goto Done;
@@@@ -75,7 +85,7 @@@@ PyOS_vsnprintf(char *str, size_t size, c
 	if (len < 0)
 		/* ignore the error */;
 
-	else if ((size_t)len >= size + 512)
+	else if ((size_t)len >= size + _PyOS_vsnprintf_EXTRA_SPACE)
 		Py_FatalError("Buffer overflow in PyOS_snprintf/PyOS_vsnprintf");
 
 	else {
@@@@ -86,8 +96,10 @@@@ PyOS_vsnprintf(char *str, size_t size, c
 		str[to_copy] = '\0';
 	}
 	PyMem_FREE(buffer);
-Done:
 #endif
-	str[size-1] = '\0';
+Done:
+	if (size > 0)
+		str[size-1] = '\0';
 	return len;
+#undef _PyOS_vsnprintf_EXTRA_SPACE
 }
@


1.1
log
@Add a patch from the upstream 2.5 branch (svn rev.63883) to fix an
integer overflow in the vsnprintf replacement function.
This is likely not a real problem, and the patch wasn't pulled to
the upstream 2.4 branch, but so we can formally declare our 2.4
as not vulnerable now.
@
text
@d1 1
a1 1
$NetBSD$
@


1.1.2.1
log
@file patch-bm was added on branch pkgsrc-2008Q2 on 2008-08-10 17:02:26 +0000
@
text
@d1 57
@


1.1.2.2
log
@Pullup ticket 2480 - requested by drochner
Security patches for python24

Revisions pulled up:
- lang/python24/Makefile		1.44-1.45
- lang/python24/distinfo		1.29-1.31
- lang/python24/patches/patch-ba	1.1
- lang/python24/patches/patch-bb	1.1
- lang/python24/patches/patch-bc	1.1
- lang/python24/patches/patch-bd	1.1
- lang/python24/patches/patch-be	1.1
- lang/python24/patches/patch-bf	1.1
- lang/python24/patches/patch-bg	1.1
- lang/python24/patches/patch-bh	1.1
- lang/python24/patches/patch-bi	1.1
- lang/python24/patches/patch-bj	1.1
- lang/python24/patches/patch-bk	1.1
- lang/python24/patches/patch-bl	1.1
- lang/python24/patches/patch-bm	1.1
---
    Module Name:    pkgsrc
    Committed By:   joerg
    Date:           Mon Jul 14 14:42:51 UTC 2008

    Modified Files:
        pkgsrc/lang/python24: Makefile

    Log Message:
    Always build depend on readline, so that devel/py-readline can pick up
    the right config. Bump revision.
---
    Module Name:    pkgsrc
    Committed By:   drochner
    Date:           Tue Aug  5 10:13:34 UTC 2008

    Modified Files:
            pkgsrc/lang/python24: Makefile distinfo
    Added Files:
            pkgsrc/lang/python24/patches: patch-ba patch-bb patch-bc patch-bd
                patch-be patch-bf patch-bg

    Log Message:
    add patches from upstream svn rev.65333, fix integer overflows in
    memory allocation (CVE-2008-2315)
---
    Module Name:    pkgsrc
    Committed By:   drochner
    Date:           Tue Aug  5 10:45:46 UTC 2008

    Modified Files:
            pkgsrc/lang/python24: distinfo
    Added Files:
            pkgsrc/lang/python24/patches: patch-bh patch-bi patch-bj patch-bk
                patch-bl

    Log Message:
    also apply upstream svn rev.65262, fixes overflow checks in memory
    allocation (CVE-2008-3142), ride on PKGREVISION bump some minutes ago
---
    Module Name:    pkgsrc
    Committed By:   drochner
    Date:           Thu Aug  7 11:20:18 UTC 2008

    Modified Files:
            pkgsrc/lang/python24: distinfo
    Added Files:
            pkgsrc/lang/python24/patches: patch-bm

    Log Message:
    Add a patch from the upstream 2.5 branch (svn rev.63883) to fix an
    integer overflow in the vsnprintf replacement function.
    This is likely not a real problem, and the patch wasn't pulled to
    the upstream 2.4 branch, but so we can formally declare our 2.4
    as not vulnerable now.
@
text
@a0 57
$NetBSD: patch-bm,v 1.1 2008/08/07 11:20:18 drochner Exp $

--- Python/mysnprintf.c.orig	2001-12-21 17:32:15.000000000 +0100
+++ Python/mysnprintf.c
@@@@ -54,18 +54,28 @@@@ int
 PyOS_vsnprintf(char *str, size_t size, const char  *format, va_list va)
 {
 	int len;  /* # bytes written, excluding \0 */
-#ifndef HAVE_SNPRINTF
+#ifdef HAVE_SNPRINTF
+#define _PyOS_vsnprintf_EXTRA_SPACE 1
+#else
+#define _PyOS_vsnprintf_EXTRA_SPACE 512
 	char *buffer;
 #endif
 	assert(str != NULL);
 	assert(size > 0);
 	assert(format != NULL);
+	/* We take a size_t as input but return an int.  Sanity check
+	 * our input so that it won't cause an overflow in the
+         * vsnprintf return value or the buffer malloc size.  */
+	if (size > INT_MAX - _PyOS_vsnprintf_EXTRA_SPACE) {
+		len = -666;
+		goto Done;
+	}
 
 #ifdef HAVE_SNPRINTF
 	len = vsnprintf(str, size, format, va);
 #else
 	/* Emulate it. */
-	buffer = PyMem_MALLOC(size + 512);
+	buffer = PyMem_MALLOC(size + _PyOS_vsnprintf_EXTRA_SPACE);
 	if (buffer == NULL) {
 		len = -666;
 		goto Done;
@@@@ -75,7 +85,7 @@@@ PyOS_vsnprintf(char *str, size_t size, c
 	if (len < 0)
 		/* ignore the error */;
 
-	else if ((size_t)len >= size + 512)
+	else if ((size_t)len >= size + _PyOS_vsnprintf_EXTRA_SPACE)
 		Py_FatalError("Buffer overflow in PyOS_snprintf/PyOS_vsnprintf");
 
 	else {
@@@@ -86,8 +96,10 @@@@ PyOS_vsnprintf(char *str, size_t size, c
 		str[to_copy] = '\0';
 	}
 	PyMem_FREE(buffer);
-Done:
 #endif
-	str[size-1] = '\0';
+Done:
+	if (size > 0)
+		str[size-1] = '\0';
 	return len;
+#undef _PyOS_vsnprintf_EXTRA_SPACE
 }
@