python: backport security fix for CVE-2014-1912.

A vulnerability was reported [1] in Python's socket module, due to a boundary error within the sock_recvfrom_into() function, which could be exploited to cause a buffer overflow. This could be used to crash a Python application that uses the socket.recvfrom_info() function or, possibly, execute arbitrary code with the permissions of the user running vulnerable Python code. This vulnerable function, socket.recvfrom_into(), was introduced in Python 2.5. Earlier versions are not affected by this flaw nor is Python 3.3.4 which is already in Homebrew. [1] http://bugs.python.org/issue20246 Closes Homebrew/homebrew#27194. Signed-off-by: Mike McQuaid <mike@mikemcquaid.com>
2014-03-04 17:59:59 +00:00 · 2014-03-04 17:59:59 +00:00 · 734f1a5cd8
parent b3f7103fdb
commit 734f1a5cd8
1 changed files with 8 additions and 1 deletions
--- a/Formula/python.rb
+++ b/Formula/python.rb
@ -35,9 +35,16 @@ class Python < Formula
  end

  def patches
+    p = {}
+    # Backported security fix for CVE-2014-1912:
+    # http://bugs.python.org/issue20246
+    p[:p0] = "https://gist.githubusercontent.com/leepa/9351856/raw/7f9130077fd760fcf9a25f50b69d9c77b155fbc5/CVE-2014-1912.patch"
    # Patch to disable the search for Tk.framework, since Homebrew's Tk is
    # a plain unix build. Remove `-lX11`, too because our Tk is "AquaTk".
-    DATA if build.with? 'brewed-tk'
+    if build.with? "brewed-tk"
+      p[:p1] = DATA
+    end
+    p
  end

  def lib_cellar