Added patch for Buffer Overflow in ARC2 module. Bug #258049. CVE-2009-0544

(Portage version: 2.2_rc16/cvs/Linux 2.6.18-gentoo-r3 i686)

3 files changed, 89 insertions, 1 deletions

diff --git a/dev-python/pycrypto/ChangeLog b/dev-python/pycrypto/ChangeLog
index 2031efecfa56..905dd71664d5 100644
--- a/dev-python/pycrypto/ChangeLog
+++ b/dev-python/pycrypto/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for dev-python/pycrypto
 # Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-python/pycrypto/ChangeLog,v 1.64 2009/03/01 08:24:02 neurogeek Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-python/pycrypto/ChangeLog,v 1.65 2009/03/04 04:44:45 neurogeek Exp $
+
+*pycrypto-2.0.1-r8 (04 Mar 2009)
+
+  04 Mar 2009; Jesus Rivero <neurogeek@gentoo.org>
+  +files/pycrypto-2.0.1-CVE-2009-0544.patch, +pycrypto-2.0.1-r8.ebuild:
+  Added patch for Buffer Overflow in ARC2 module. Bug #258049. CVE-2009-0544
 
 *pycrypto-2.0.1-r7 (01 Mar 2009)
 
diff --git a/dev-python/pycrypto/files/pycrypto-2.0.1-CVE-2009-0544.patch b/dev-python/pycrypto/files/pycrypto-2.0.1-CVE-2009-0544.patch
new file mode 100644
index 000000000000..9a4734cf608d
--- /dev/null
+++ b/dev-python/pycrypto/files/pycrypto-2.0.1-CVE-2009-0544.patch
@@ -0,0 +1,23 @@
+--- src/ARC2.c.orig	2009-03-03 23:53:08.000000000 -0430
++++ src/ARC2.c	2009-03-03 23:53:08.000000000 -0430
+@@ -11,6 +11,7 @@
+  */
+ 
+ #include <string.h>  
++#include "Python.h"
+ 
+ #define MODULE_NAME ARC2
+ #define BLOCK_SIZE 8
+@@ -146,6 +147,12 @@
+ 	   We'll hardwire it to 1024. */
+ #define bits 1024
+ 
++    if ((U32)keylength > sizeof(self->xkey)) {
++       PyErr_SetString(PyExc_ValueError,
++               "ARC2 key length must be less than 128 bytes");
++       return;
++    }
++
+ 	memcpy(self->xkey, key, keylength);
+   
+ 	/* Phase 1: Expand input key to 128 bytes */
diff --git a/dev-python/pycrypto/pycrypto-2.0.1-r8.ebuild b/dev-python/pycrypto/pycrypto-2.0.1-r8.ebuild
new file mode 100644
index 000000000000..a02b5891373a
--- /dev/null
+++ b/dev-python/pycrypto/pycrypto-2.0.1-r8.ebuild
@@ -0,0 +1,59 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-python/pycrypto/pycrypto-2.0.1-r8.ebuild,v 1.1 2009/03/04 04:44:45 neurogeek Exp $
+
+NEED_PYTHON=2.5
+inherit distutils toolchain-funcs flag-o-matic
+
+DESCRIPTION="Python Cryptography Toolkit"
+HOMEPAGE="http://www.amk.ca/python/code/crypto.html"
+SRC_URI="http://www.amk.ca/files/python/crypto/${P}.tar.gz"
+
+LICENSE="freedist"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~sparc-fbsd ~x86 ~x86-fbsd"
+IUSE="bindist gmp test"
+
+RDEPEND="virtual/python
+	gmp? ( dev-libs/gmp )"
+DEPEND="${RDEPEND}
+	test? ( =dev-python/sancho-0.11-r1 )"
+
+src_unpack() {
+	unpack ${A}
+	cd "${S}"
+	use bindist && epatch "${FILESDIR}"/${P}-bindist.patch
+	epatch "${FILESDIR}"/${P}-sha256.patch
+	epatch "${FILESDIR}"/${P}-sha256-2.patch
+	epatch "${FILESDIR}"/${P}-gmp.patch
+	epatch "${FILESDIR}"/${P}-uint32.patch
+	epatch "${FILESDIR}"/${P}-sancho-package-rename.patch
+	epatch "${FILESDIR}"/${P}-2.6_hashlib.patch
+	#ARC2 buffer overlow. Bug 258049
+	epatch "${FILESDIR}"/${P}-CVE-2009-0544.patch
+}
+
+src_compile() {
+	use gmp \
+		&& export USE_GMP=1 \
+		|| export USE_GMP=0
+	# sha256 hashes occasionally trigger ssp when built with
+	# -finline-functions (implied by -O3).
+	gcc-specs-ssp && append-flags -fno-inline-functions
+	distutils_src_compile
+	python_need_rebuild
+}
+
+src_test() {
+	export PYTHONPATH=$(ls -d "${S}"/build/lib.*/)
+	python ./test.py || die "test failed"
+	if use test ; then
+		local x
+		cd test
+		for x in test_*.py ; do
+			python ${x} || die "${x} failed"
+		done
+	fi
+}
+
+DOCS="ACKS ChangeLog PKG-INFO README TODO Doc/pycrypt.tex"