From deaf977dc174798d8853c37943707dbc5b3bed23 Mon Sep 17 00:00:00 2001
From: dumol
Date: Wed, 31 Jul 2024 10:46:53 +0000
Subject: [PATCH] Adjusted hot fixes to cleanly apply on Windows.

---
 src/python/CVE-2021-4189.diff | 20 ------
 src/python/CVE-2022-48560.diff | 127 --------------------------------
 2 files changed, 147 deletions(-)
 delete mode 100644 src/python/CVE-2022-48560.diff

diff --git a/src/python/CVE-2021-4189.diff b/src/python/CVE-2021-4189.diff
index 305f662d5..a55ff85d6 100644
--- a/src/python/CVE-2021-4189.diff
+++ b/src/python/CVE-2021-4189.diff
@@ -1,23 +1,3 @@
-diff --git a/Doc/whatsnew/2.7.rst b/Doc/whatsnew/2.7.rst
-index bc297ef4ee89fb..71d410bcd1fbf0 100644
---- a/Doc/whatsnew/2.7.rst
-+++ b/Doc/whatsnew/2.7.rst
-@@ -2777,6 +2777,15 @@ It has been replaced by the new ``make regen-all`` target.
- 
- .. _acks27:
- 
-+Security fix for FTP
-+================================
-+
-+A security fix alters the :class:`ftplib.FTP` behavior to not trust the
-+IPv4 address sent from the remote server when setting up a passive data
-+channel. We reuse the ftp server IP address instead. For unusual code
-+requiring the old behavior, set a ``trust_server_pasv_ipv4_address``
-+attribute on your FTP instance to ``True``. (See :issue:`43285`)
-+
- Acknowledgements
- ================
- 
 diff --git a/Lib/ftplib.py b/Lib/ftplib.py
 index 6644554792791b..7c772e6ee5ee16 100644
 --- a/Lib/ftplib.py
diff --git a/src/python/CVE-2022-48560.diff b/src/python/CVE-2022-48560.diff
deleted file mode 100644
index 7d9562ff7..000000000
--- a/src/python/CVE-2022-48560.diff
+++ /dev/null
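Review bot: This hunk only strips the Doc/whatsnew/2.7.rst portion out of CVE-2021-4189.diff and keeps the Lib/ftplib.py hunk, which looks documentation-only and harmless, but the subject line says the hot fixes were "adjusted" while the diffstat and the second file header show src/python/CVE-2022-48560.diff deleted outright with nothing replacing it in this commit. Judging by its NEWS entry ("Fix possible crashes when operating with the functions in the :mod:`heapq` module and custom comparison operators", bpo-39421), that file carried a reference-counting crash fix, so dropping it appears to remove a security fix from the Windows build unless it is applied by some other path that is not visible here. Suggest the commit message state the reason and any replacement explicitly, e.g. `CVE-2022-48560.diff: removed because <REASON — e.g. fails to apply on Windows or already present in the upstream version>`, so the gap is auditable later. The deletion hunk for that second file continues past the end of the visible page.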
@@ -1,127 +0,0 @@
-diff --git a/Lib/test/test_heapq.py b/Lib/test/test_heapq.py
-index c4de593bb820a8..0f2990971184a2 100644
---- a/Lib/test/test_heapq.py
-+++ b/Lib/test/test_heapq.py
-@@ -396,6 +396,40 @@ def test_heappop_mutating_heap(self):
- with self.assertRaises((IndexError, RuntimeError)):
- self.module.heappop(heap)
- 
-+ def test_comparison_operator_modifiying_heap(self):
-+ # See bpo-39421: Strong references need to be taken
-+ # when comparing objects as they can alter the heap
-+ class EvilClass(int):
-+ def __lt__(self, o):
-+ # heap.clear()
-+ del heap[:]
-+ return NotImplemented
-+
-+ heap = []
-+ self.module.heappush(heap, EvilClass(0))
-+ self.assertRaises(IndexError, self.module.heappushpop, heap, 1)
-+
-+ def test_comparison_operator_modifiying_heap_two_heaps(self):
-+
-+ class h(int):
-+ def __lt__(self, o):
-+ # list2.clear()
-+ del list2[:]
-+ return NotImplemented
-+
-+ class g(int):
-+ def __lt__(self, o):
-+ # list1.clear()
-+ del list1[:]
-+ return NotImplemented
-+
-+ list1, list2 = [], []
-+
-+ self.module.heappush(list1, h(0))
-+ self.module.heappush(list2, g(0))
-+
-+ self.assertRaises((IndexError, RuntimeError), self.module.heappush, list1, g(1))
-+ self.assertRaises((IndexError, RuntimeError), self.module.heappush, list2, h(1))
- 
- class TestErrorHandlingPython(TestErrorHandling):
- module = py_heapq
-diff --git a/Misc/NEWS.d/next/Core and Builtins/2020-01-22-15-53-37.bpo-39421.O3nG7u.rst b/Misc/NEWS.d/next/Core and Builtins/2020-01-22-15-53-37.bpo-39421.O3nG7u.rst
-new file mode 100644
-index 00000000000000..bae008150ee127
---- /dev/null
-+++ b/Misc/NEWS.d/next/Core and Builtins/2020-01-22-15-53-37.bpo-39421.O3nG7u.rst
-@@ -0,0 +1,2 @@
-+Fix possible crashes when operating with the functions in the :mod:`heapq`
-+module and custom comparison operators.
-diff --git a/Modules/_heapqmodule.c b/Modules/_heapqmodule.c
-index 5b0ef691545ba5..9e2c5c784cb30d 100644
---- a/Modules/_heapqmodule.c
-+++ b/Modules/_heapqmodule.c
-@@ -52,7 +52,11 @@ _siftdown(PyListObject *heap, Py_ssize_t startpos, Py_ssize_t pos)
- while (pos > startpos) {
- parentpos = (pos - 1) >> 1;
- parent = PyList_GET_ITEM(heap, parentpos);
-+ Py_INCREF(newitem);
-+ Py_INCREF(parent);
- cmp = cmp_lt(newitem, parent);
-+ Py_DECREF(parent);
-+ Py_DECREF(newitem);
- if (cmp == -1)
- return -1;
- if (size != PyList_GET_SIZE(heap)) {
-@@ -93,9 +97,13 @@ _siftup(PyListObject *heap, Py_ssize_t pos)
- childpos = 2*pos + 1; /* leftmost child position */
- rightpos = childpos + 1;
- if (rightpos < endpos) {
-- cmp = cmp_lt(
-- PyList_GET_ITEM(heap, childpos),
-- PyList_GET_ITEM(heap, rightpos));
-+ PyObject* a = PyList_GET_ITEM(heap, childpos);
-+ PyObject* b = PyList_GET_ITEM(heap, rightpos);
-+ Py_INCREF(a);
-+ Py_INCREF(b);
-+ cmp = cmp_lt(a,b);
-+ Py_DECREF(a);
-+ Py_DECREF(b);
- if (cmp == -1)
- return -1;
- if (cmp == 0)
-@@ -236,7 +244,10 @@ heappushpop(PyObject *self, PyObject *args)
- return item;
- }
- 
-- cmp = cmp_lt(PyList_GET_ITEM(heap, 0), item);
-+ PyObject* top = PyList_GET_ITEM(heap, 0);
-+ Py_INCREF(top);
-+ cmp = cmp_lt(top, item);
-+ Py_DECREF(top);
- if (cmp == -1)
- return NULL;
- if (cmp == 0) {
-@@ -395,7 +406,11 @@ _siftdownmax(PyListObject *heap, Py_ssize_t startpos, Py_ssize_t pos)
- while (pos > startpos){
- parentpos = (pos - 1) >> 1;
- parent = PyList_GET_ITEM(heap, parentpos);
-+ Py_INCREF(parent);
-+ Py_INCREF(newitem);
- cmp = cmp_lt(parent, newitem);
-+ Py_DECREF(parent);
-+ Py_DECREF(newitem);
- if (cmp == -1) {
- Py_DECREF(newitem);
- return -1;
-@@ -436,9 +451,13 @@ _siftupmax(PyListObject *heap, Py_ssize_t pos)
- childpos = 2*pos + 1; /* leftmost child position */
- rightpos = childpos + 1;
- if (rightpos < endpos) {
-- cmp = cmp_lt(
-- PyList_GET_ITEM(heap, rightpos),
-- PyList_GET_ITEM(heap, childpos));
-+ PyObject* a = 
PyList_GET_ITEM(heap, rightpos);
-+ PyObject* b = PyList_GET_ITEM(heap, childpos);
-+ Py_INCREF(a);
-+ Py_INCREF(b);
-+ cmp = cmp_lt(a, b);
-+ Py_DECREF(a);
-+ Py_DECREF(b);
- if (cmp == -1) {
- Py_DECREF(newitem);
- return -1;