rpms
/
pyOpenSSL
21
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Check for error returns which cause segfaults in FIPS mode

Browse Source 
- Fix missing error check and leak found by gcc-with-cpychecker (#800086)
epel9
Tomas Mraz 12 years ago
parent 4302445b63
commit 40ddd8c2ce
2 changed files with 86 additions and 1 deletions
Show Stats Download Patch File Download Diff File

77
pyOpenSSL-0.13-check-error.patch
Unescape View File

@ -0,0 +1,77 @@
diff -up pyOpenSSL-0.13/OpenSSL/crypto/crypto.c.error pyOpenSSL-0.13/OpenSSL/crypto/crypto.c
--- pyOpenSSL-0.13/OpenSSL/crypto/crypto.c.error 2011-09-02 17:46:13.000000000 +0200
+++ pyOpenSSL-0.13/OpenSSL/crypto/crypto.c 2013-04-04 14:25:17.405118204 +0200
@@ -45,12 +45,15 @@ global_passphrase_callback(char *buf, in
func = (PyObject *)cb_arg;
argv = Py_BuildValue("(i)", rwflag);
+ if (argv == NULL)
+ return 0;
ret = PyEval_CallObject(func, argv);
Py_DECREF(argv);
if (ret == NULL)
return 0;
if (!PyBytes_Check(ret))
{
+ Py_DECREF(ret);
PyErr_SetString(PyExc_ValueError, "String expected");
return 0;
}
@@ -58,6 +61,7 @@ global_passphrase_callback(char *buf, in
if (nchars > len)
nchars = len;
strncpy(buf, PyBytes_AsString(ret), nchars);
+ Py_DECREF(ret);
return nchars;
}
@@ -637,7 +641,10 @@ crypto_sign(PyObject *spam, PyObject *ar
return NULL;
}
- EVP_SignInit(&md_ctx, digest);
+ if (EVP_SignInit(&md_ctx, digest) <= 0) {
+ exception_from_error_queue(crypto_Error);
+ return NULL;
+ }
EVP_SignUpdate(&md_ctx, data, data_len);
sig_len = sizeof(sig_buf);
err = EVP_SignFinal(&md_ctx, sig_buf, &sig_len, pkey->pkey);
@@ -692,7 +699,11 @@ crypto_verify(PyObject *spam, PyObject *
return NULL;
}
- EVP_VerifyInit(&md_ctx, digest);
+ if (EVP_VerifyInit(&md_ctx, digest) <= 0) {
+ exception_from_error_queue(crypto_Error);
+ EVP_PKEY_free(pkey);
+ return NULL;
+ }
EVP_VerifyUpdate(&md_ctx, data, data_len);
err = EVP_VerifyFinal(&md_ctx, signature, sig_len, pkey);
EVP_PKEY_free(pkey);
diff -up pyOpenSSL-0.13/OpenSSL/crypto/x509.c.error pyOpenSSL-0.13/OpenSSL/crypto/x509.c
--- pyOpenSSL-0.13/OpenSSL/crypto/x509.c.error 2011-09-02 17:46:13.000000000 +0200
+++ pyOpenSSL-0.13/OpenSSL/crypto/x509.c 2013-04-04 14:02:34.932847551 +0200
@@ -656,6 +656,7 @@ crypto_X509_digest(crypto_X509Obj *self,
if (!X509_digest(self->x509,digest,fp,&len))
{
exception_from_error_queue(crypto_Error);
+ return NULL;
}
tmp = malloc(3*len+1);
memset(tmp, 0, 3*len+1);
diff -up pyOpenSSL-0.13/OpenSSL/ssl/context.c.error pyOpenSSL-0.13/OpenSSL/ssl/context.c
--- pyOpenSSL-0.13/OpenSSL/ssl/context.c.error 2011-09-02 17:46:13.000000000 +0200
+++ pyOpenSSL-0.13/OpenSSL/ssl/context.c 2013-04-04 14:02:34.932847551 +0200
@@ -1215,6 +1215,10 @@ ssl_Context_init(ssl_ContextObj *self, i
}
self->ctx = SSL_CTX_new(method);
+ if (self->ctx == NULL) {
+ exception_from_error_queue(ssl_Error);
+ return NULL;
+ }
Py_INCREF(Py_None);
self->passphrase_callback = Py_None;
Py_INCREF(Py_None);

10
pyOpenSSL.spec
Unescape View File

@ -1,13 +1,16 @@
Summary: Python wrapper module around the OpenSSL library Summary: Python wrapper module around the OpenSSL library
Name: pyOpenSSL Name: pyOpenSSL
Version: 0.13 Version: 0.13
Release: 5%{?dist} Release: 6%{?dist}
Source0: http://pypi.python.org/packages/source/p/pyOpenSSL/%{name}-%{version}.tar.gz Source0: http://pypi.python.org/packages/source/p/pyOpenSSL/%{name}-%{version}.tar.gz
# Fedora specific patches # Fedora specific patches
Patch2: pyOpenSSL-elinks.patch Patch2: pyOpenSSL-elinks.patch
Patch3: pyOpenSSL-nopdfout.patch Patch3: pyOpenSSL-nopdfout.patch
Patch10: pyOpenSSL-0.13-check-error.patch
License: ASL 2.0 License: ASL 2.0
Group: Development/Libraries Group: Development/Libraries
Url: http://pyopenssl.sourceforge.net/ Url: http://pyopenssl.sourceforge.net/
@ -32,6 +35,7 @@ High-level wrapper around a subset of the OpenSSL library, includes among others
%setup -q %setup -q
%patch2 -p1 -b .elinks %patch2 -p1 -b .elinks
%patch3 -p1 -b .nopdfout %patch3 -p1 -b .nopdfout
%patch10 -p1 -b .error
# Fix permissions for debuginfo package # Fix permissions for debuginfo package
%{__chmod} -x OpenSSL/ssl/connection.c %{__chmod} -x OpenSSL/ssl/connection.c
@ -53,6 +57,10 @@ find doc/ -name pyOpenSSL.\*
%{python_sitearch}/%{name}*.egg-info %{python_sitearch}/%{name}*.egg-info
%changelog %changelog
* Thu Apr 4 2013 Tomáš Mráz <tmraz@redhat.com> - 0.13-6
- Check for error returns which cause segfaults in FIPS mode
- Fix missing error check and leak found by gcc-with-cpychecker (#800086)
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.13-5 * Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.13-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

Write Preview
Loading…
Cancel
Save