Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: NixOS/nixpkgs
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: 4fb92ae60d68
Choose a base ref
...
head repository: NixOS/nixpkgs
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: 45309624069f
Choose a head ref
  • 8 commits
  • 3 files changed
  • 2 contributors

Commits on Feb 20, 2021

  1. Merge staging-next into staging

    @FRidh
    FRidh committed Feb 20, 2021
    Copy the full SHA
    b3d3fab View commit details

  2. python39: 3.9.1 -> 3.9.2

    @FRidh
    FRidh committed Feb 20, 2021

    Verified

    This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
    GPG key ID: 4AEE18F83AFDEB23
    Expired
    Verified
    Learn about vigilant mode
    Copy the full SHA
    a39b5b5 View commit details

  3. python38: 3.8.7 -> 3.8.8

    @FRidh
    FRidh committed Feb 20, 2021
    Copy the full SHA
    84edcad View commit details

  4. python37: 3.7.9 -> 3.7.10

    @FRidh
    FRidh committed Feb 20, 2021
    Copy the full SHA
    2cbc212 View commit details

  5. python27: Fix CVE-2021-3177 

    Thanks to the Gentoo team maintaining a fork of python2¹ we can easily
apply their backported patch for this security vulnerability.

[1] https://gitweb.gentoo.org/fork/cpython.git/
    @mweinelt @FRidh
    mweinelt authored and FRidh committed Feb 20, 2021
    Copy the full SHA
    85cde0d View commit details

  6. python36: 3.6.12 -> 3.6.13

    @FRidh
    FRidh committed Feb 20, 2021
    Copy the full SHA
    8ab9914 View commit details

  7. python310: 3.10.0a4 -> 3.10.0a5

    @FRidh
    FRidh committed Feb 20, 2021
    Copy the full SHA
    04f4369 View commit details

  8. Merge staging-next into staging

    @FRidh
    FRidh committed Feb 20, 2021
    Copy the full SHA
    4530962 View commit details
181 changes: 181 additions & 0 deletions pkgs/development/interpreters/python/cpython/2.7/CVE-2021-3177.patch
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,181 @@
From fab838b2ee7cfb9037c24f0f18dfe01aa379b3f7 Mon Sep 17 00:00:00 2001
From: Benjamin Peterson <benjamin@python.org>
Date: Mon, 18 Jan 2021 15:11:46 -0600
Subject: [3.6] closes bpo-42938: Replace snprintf with Python unicode
formatting in ctypes param reprs. (GH-24250)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7)

Co-authored-by: Benjamin Peterson <benjamin@python.org>
Rebased for Python 2.7 by Michał Górny <mgorny@gentoo.org>
---
Lib/ctypes/test/test_parameters.py | 43 +++++++++++++++++++
.../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 +
Modules/_ctypes/callproc.c | 49 +++++++++++-----------
3 files changed, 69 insertions(+), 25 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst

diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py
index 23c1b6e225..3456882ccb 100644
--- a/Lib/ctypes/test/test_parameters.py
+++ b/Lib/ctypes/test/test_parameters.py
@@ -206,6 +206,49 @@ class SimpleTypesTestCase(unittest.TestCase):
with self.assertRaises(ZeroDivisionError):
WorseStruct().__setstate__({}, b'foo')

+ def test_parameter_repr(self):
+ from ctypes import (
+ c_bool,
+ c_char,
+ c_wchar,
+ c_byte,
+ c_ubyte,
+ c_short,
+ c_ushort,
+ c_int,
+ c_uint,
+ c_long,
+ c_ulong,
+ c_longlong,
+ c_ulonglong,
+ c_float,
+ c_double,
+ c_longdouble,
+ c_char_p,
+ c_wchar_p,
+ c_void_p,
+ )
+ self.assertRegexpMatches(repr(c_bool.from_param(True)), r"^<cparam '\?' at 0x[A-Fa-f0-9]+>$")
+ self.assertEqual(repr(c_char.from_param('a')), "<cparam 'c' (a)>")
+ self.assertRegexpMatches(repr(c_wchar.from_param('a')), r"^<cparam 'u' at 0x[A-Fa-f0-9]+>$")
+ self.assertEqual(repr(c_byte.from_param(98)), "<cparam 'b' (98)>")
+ self.assertEqual(repr(c_ubyte.from_param(98)), "<cparam 'B' (98)>")
+ self.assertEqual(repr(c_short.from_param(511)), "<cparam 'h' (511)>")
+ self.assertEqual(repr(c_ushort.from_param(511)), "<cparam 'H' (511)>")
+ self.assertRegexpMatches(repr(c_int.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
+ self.assertRegexpMatches(repr(c_uint.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
+ self.assertRegexpMatches(repr(c_long.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
+ self.assertRegexpMatches(repr(c_ulong.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
+ self.assertRegexpMatches(repr(c_longlong.from_param(20000)), r"^<cparam '[liq]' \(20000\)>$")
+ self.assertRegexpMatches(repr(c_ulonglong.from_param(20000)), r"^<cparam '[LIQ]' \(20000\)>$")
+ self.assertEqual(repr(c_float.from_param(1.5)), "<cparam 'f' (1.5)>")
+ self.assertEqual(repr(c_double.from_param(1.5)), "<cparam 'd' (1.5)>")
+ self.assertEqual(repr(c_double.from_param(1e300)), "<cparam 'd' (1e+300)>")
+ self.assertRegexpMatches(repr(c_longdouble.from_param(1.5)), r"^<cparam ('d' \(1.5\)|'g' at 0x[A-Fa-f0-9]+)>$")
+ self.assertRegexpMatches(repr(c_char_p.from_param(b'hihi')), "^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$")
+ self.assertRegexpMatches(repr(c_wchar_p.from_param('hihi')), "^<cparam 'Z' \(0x[A-Fa-f0-9]+\)>$")
+ self.assertRegexpMatches(repr(c_void_p.from_param(0x12)), r"^<cparam 'P' \(0x0*12\)>$")
+
################################################################

if __name__ == '__main__':
diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
new file mode 100644
index 0000000000..7df65a156f
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
@@ -0,0 +1,2 @@
+Avoid static buffers when computing the repr of :class:`ctypes.c_double` and
+:class:`ctypes.c_longdouble` values.
diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c
index 066fefc0cc..421addf353 100644
--- a/Modules/_ctypes/callproc.c
+++ b/Modules/_ctypes/callproc.c
@@ -460,50 +460,51 @@ PyCArg_dealloc(PyCArgObject *self)
static PyObject *
PyCArg_repr(PyCArgObject *self)
{
- char buffer[256];
switch(self->tag) {
case 'b':
case 'B':
- sprintf(buffer, "<cparam '%c' (%d)>",
+ return PyString_FromFormat("<cparam '%c' (%d)>",
self->tag, self->value.b);
- break;
case 'h':
case 'H':
- sprintf(buffer, "<cparam '%c' (%d)>",
+ return PyString_FromFormat("<cparam '%c' (%d)>",
self->tag, self->value.h);
- break;
case 'i':
case 'I':
- sprintf(buffer, "<cparam '%c' (%d)>",
+ return PyString_FromFormat("<cparam '%c' (%d)>",
self->tag, self->value.i);
- break;
case 'l':
case 'L':
- sprintf(buffer, "<cparam '%c' (%ld)>",
+ return PyString_FromFormat("<cparam '%c' (%ld)>",
self->tag, self->value.l);
- break;

#ifdef HAVE_LONG_LONG
case 'q':
case 'Q':
- sprintf(buffer,
+ return PyString_FromFormat(
"<cparam '%c' (%" PY_FORMAT_LONG_LONG "d)>",
self->tag, self->value.q);
- break;
#endif
case 'd':
- sprintf(buffer, "<cparam '%c' (%f)>",
- self->tag, self->value.d);
- break;
- case 'f':
- sprintf(buffer, "<cparam '%c' (%f)>",
- self->tag, self->value.f);
- break;
-
+ case 'f': {
+ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d);
+ if (f == NULL) {
+ return NULL;
+ }
+ PyObject *r = PyObject_Repr(f);
+ if (r == NULL) {
+ Py_DECREF(f);
+ return NULL;
+ }
+ PyObject *result = PyString_FromFormat(
+ "<cparam '%c' (%s)>", self->tag, PyString_AsString(r));
+ Py_DECREF(r);
+ Py_DECREF(f);
+ return result;
+ }
case 'c':
- sprintf(buffer, "<cparam '%c' (%c)>",
+ return PyString_FromFormat("<cparam '%c' (%c)>",
self->tag, self->value.c);
- break;

/* Hm, are these 'z' and 'Z' codes useful at all?
Shouldn't they be replaced by the functionality of c_string
@@ -512,16 +513,14 @@ PyCArg_repr(PyCArgObject *self)
case 'z':
case 'Z':
case 'P':
- sprintf(buffer, "<cparam '%c' (%p)>",
+ return PyString_FromFormat("<cparam '%c' (%p)>",
self->tag, self->value.p);
break;

default:
- sprintf(buffer, "<cparam '%c' at %p>",
+ return PyString_FromFormat("<cparam '%c' at %p>",
self->tag, self);
- break;
}
- return PyString_FromString(buffer);
}

static PyMemberDef PyCArgType_members[] = {
--
cgit v1.2.3

3 changes: 3 additions & 0 deletions pkgs/development/interpreters/python/cpython/2.7/default.nix
View file
Original file line number Diff line number Diff line change
@@ -103,6 +103,9 @@ let

# Patch is likely to go away in the next release (if there is any)
./CVE-2019-20907.patch

./CVE-2021-3177.patch

] ++ optionals (x11Support && stdenv.isDarwin) [
./use-correct-tcl-tk-on-darwin.patch
] ++ optionals stdenv.isLinux [
20 changes: 10 additions & 10 deletions pkgs/development/interpreters/python/default.nix
View file
Original file line number Diff line number Diff line change
@@ -128,10 +128,10 @@ in {
sourceVersion = {
major = "3";
minor = "6";
patch = "12";
patch = "13";
suffix = "";
};
sha256 = "cJU6m11okdkuZdGEw1EhJqFYFL7hXh7/LdzOBDNOmpk=";
sha256 = "pHpDpTq7QihqLBGWU0P/VnEbnmTo0RvyxnAaT7jOGg8=";
inherit (darwin) configd;
inherit passthruFun;
};
@@ -141,10 +141,10 @@ in {
sourceVersion = {
major = "3";
minor = "7";
patch = "9";
patch = "10";
suffix = "";
};
sha256 = "008v6g1jkrjrdmiqlgjlq6msbbj848bvkws6ppwva1ahn03k14li";
sha256 = "+NgudXLIbsnVXIYnquUEAST9IgOvQAw4PIIbmAMG7ms=";
inherit (darwin) configd;
inherit passthruFun;
};
@@ -154,10 +154,10 @@ in {
sourceVersion = {
major = "3";
minor = "8";
patch = "7";
patch = "8";
suffix = "";
};
sha256 = "sha256-3cwd8Wu1uHqkLsXSCluQLy0IjKommyjgFZD5enmOxQo=";
sha256 = "fGZCSf935EPW6g5M8OWH6ukYyjxI0IHRkV/iofG8xcw=";
inherit (darwin) configd;
inherit passthruFun;
};
@@ -167,10 +167,10 @@ in {
sourceVersion = {
major = "3";
minor = "9";
patch = "1";
patch = "2";
suffix = "";
};
sha256 = "1zq3k4ymify5ig739zyvx9s2ainvchxb1zpy139z74krr653y74r";
sha256 = "PCA0xU+BFEj1FmaNzgnSQAigcWw6eU3YY5tTiMveJH0=";
inherit (darwin) configd;
inherit passthruFun;
};
@@ -181,9 +181,9 @@ in {
major = "3";
minor = "10";
patch = "0";
suffix = "a4";
suffix = "a5";
};
sha256 = "sha256-McHBl7IZuOH96je/izkxur0Edirn+igVkQU/pbek73M=";
sha256 = "BBjlfnA24hnx5rYwOyHnEfZM/Q/dsIlNjxnzev/8XU0=";
inherit (darwin) configd;
inherit passthruFun;
};