X-Git-Url: https://review.fuel-infra.org/gitweb?a=blobdiff_plain;f=cirros-testvm%2Fsrc-cirros%2Fbuildroot-2015.05%2Fpackage%2Fpython-pam%2F0003-memory-errors-CVE2012-1502.patch;fp=cirros-testvm%2Fsrc-cirros%2Fbuildroot-2015.05%2Fpackage%2Fpython-pam%2F0003-memory-errors-CVE2012-1502.patch;h=62405db058619b36ca2e7fd6ba66e8491a9edb30;hb=b0a0f15dfaa205161a7fcb20cf1b8cd4948c2ef3;hp=0000000000000000000000000000000000000000;hpb=c6ac3cd55ee2da956195eee393b0882105dfad4e;p=packages%2Ftrusty%2Fcirros-testvm.git

diff --git a/cirros-testvm/src-cirros/buildroot-2015.05/package/python-pam/0003-memory-errors-CVE2012-1502.patch b/cirros-testvm/src-cirros/buildroot-2015.05/package/python-pam/0003-memory-errors-CVE2012-1502.patch
new file mode 100644
index 0000000..62405db
--- /dev/null
+++ b/cirros-testvm/src-cirros/buildroot-2015.05/package/python-pam/0003-memory-errors-CVE2012-1502.patch
@@ -0,0 +1,136 @@
+[PATCH] Fix Double Free Corruption (CVE2012-1502)
+
+Downloaded from:
+http://pkgs.fedoraproject.org/cgit/PyPAM.git/plain/PyPAM-0.5.0-memory-errors.patch
+
+For details, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1502
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+diff -up PyPAM-0.5.0/PAMmodule.c.memory PyPAM-0.5.0/PAMmodule.c
+--- PyPAM-0.5.0/PAMmodule.c.memory	2012-05-07 17:22:54.503914026 +0200
++++ PyPAM-0.5.0/PAMmodule.c	2012-05-07 17:23:15.644381942 +0200
+@@ -37,33 +37,48 @@ static void PyPAM_Err(PyPAMObject *self,
+ 
+     err_msg = pam_strerror(self->pamh, result);
+     error = Py_BuildValue("(si)", err_msg, result);
+-    Py_INCREF(PyPAM_Error);
+     PyErr_SetObject(PyPAM_Error, error);
++    Py_XDECREF(error);
+ }
+ 
+ static int PyPAM_conv(int num_msg, const struct pam_message **msg,
+     struct pam_response **resp, void *appdata_ptr)
+ {
+-    PyObject                *args;
+-
++    PyObject *args, *msgList, *respList, *item;
++    struct pam_response *response, *spr;
+     PyPAMObject* self = (PyPAMObject *) appdata_ptr;
++
+     if (self->callback == NULL)
+         return PAM_CONV_ERR;
+ 
+     Py_INCREF(self);
+ 
+-    PyObject* msgList = PyList_New(num_msg);
+-    
++    msgList = PyList_New(num_msg);
++    if (msgList == NULL) {
++        Py_DECREF(self);
++        return PAM_CONV_ERR;
++    }
++
+     for (int i = 0; i < num_msg; i++) {
+-        PyList_SetItem(msgList, i,
+-            Py_BuildValue("(si)", msg[i]->msg, msg[i]->msg_style));
++        item = Py_BuildValue("(si)", msg[i]->msg, msg[i]->msg_style);
++        if (item == NULL) {
++            Py_DECREF(msgList);
++            Py_DECREF(self);
++            return PAM_CONV_ERR;
++        }
++        PyList_SetItem(msgList, i, item);
+     }
+-    
++
+     args = Py_BuildValue("(OO)", self, msgList);
+-    PyObject* respList = PyEval_CallObject(self->callback, args);
++    if (args == NULL) {
++        Py_DECREF(self);
++	Py_DECREF(msgList);
++        return PAM_CONV_ERR;
++    }
++    respList = PyEval_CallObject(self->callback, args);
+     Py_DECREF(args);
+     Py_DECREF(self);
+-    
++
+     if (respList == NULL)
+         return PAM_CONV_ERR;
+ 
+@@ -71,11 +86,15 @@ static int PyPAM_conv(int num_msg, const
+         Py_DECREF(respList);
+         return PAM_CONV_ERR;
+     }
+-    
+-    *resp = (struct pam_response *) malloc(
++
++    response = (struct pam_response *) malloc(
+         PyList_Size(respList) * sizeof(struct pam_response));
++    if (response == NULL) {
++        Py_DECREF(respList);
++        return PAM_CONV_ERR;
++    }
++    spr = response;
+ 
+-    struct pam_response* spr = *resp;
+     for (int i = 0; i < PyList_Size(respList); i++, spr++) {
+         PyObject* respTuple = PyList_GetItem(respList, i);
+         char* resp_text;
+@@ -85,7 +104,7 @@ static int PyPAM_conv(int num_msg, const
+                 free((--spr)->resp);
+                 --i;
+             }
+-            free(*resp);
++            free(response);
+             Py_DECREF(respList);
+             return PAM_CONV_ERR;
+         }
+@@ -95,7 +114,8 @@ static int PyPAM_conv(int num_msg, const
+     }
+ 
+     Py_DECREF(respList);
+-    
++    *resp = response;
++
+     return PAM_SUCCESS;
+ }
+ 
+@@ -122,7 +142,11 @@ static PyObject * PyPAM_pam(PyObject *se
+     PyPAMObject_Type.ob_type = &PyType_Type;
+     p = (PyPAMObject *) PyObject_NEW(PyPAMObject, &PyPAMObject_Type);
+ 
++    if (p == NULL)
++        return NULL;
++
+     if ((spc = (struct pam_conv *) malloc(sizeof(struct pam_conv))) == NULL) {
++        Py_DECREF((PyObject *)p);
+         PyErr_SetString(PyExc_MemoryError, "out of memory");
+         return NULL;
+     }
+@@ -455,9 +479,15 @@ static PyObject * PyPAM_getenvlist(PyObj
+     }
+     
+     retval = PyList_New(0);
++    if (retval == NULL)
++	return NULL;
+     
+     while ((cp = *(result++)) != NULL) {
+         entry = Py_BuildValue("s", cp);
++        if (entry == NULL) {
++            Py_DECREF(retval);
++            return NULL;
++        }
+         PyList_Append(retval, entry);
+         Py_DECREF(entry);
+     }