fix CVE-2019-18874

2021-10-20 19:26:44 +08:00 · 2021-10-20 19:26:44 +08:00 · 2f0531fa5c
commit 2f0531fa5c
parent b6bd1654eb
3 changed files with 97 additions and 1 deletions
--- a/CVE-2019-18874-1.patch
+++ b/CVE-2019-18874-1.patch
@ -0,0 +1,59 @@
+Backport of:
+
+From 7d512c8e4442a896d56505be3e78f1156f443465 Mon Sep 17 00:00:00 2001
+From: Riccardo Schirone <ret2libc@users.noreply.github.com>
+Date: Wed, 13 Nov 2019 14:54:21 +0100
+Subject: [PATCH] Use Py_CLEAR instead of Py_DECREF to also set the variable to
+ NULL (#1616)
+
+These files contain loops that convert system data into python objects
+and during the process they create objects and dereference their
+refcounts after they have been added to the resulting list.
+
+However, in case of errors during the creation of those python objects,
+the refcount to previously allocated objects is dropped again with
+Py_XDECREF, which should be a no-op in case the paramater is NULL. Even
+so, in most of these loops the variables pointing to the objects are
+never set to NULL, even after Py_DECREF is called at the end of the loop
+iteration. This means, after the first iteration, if an error occurs
+those python objects will get their refcount dropped two times,
+resulting in a possible double-free.
+---
+ psutil/_psutil_aix.c     | 18 +++++++-------
+ psutil/_psutil_bsd.c     | 30 +++++++++++-----------
+ psutil/_psutil_linux.c   | 14 +++++------
+ psutil/_psutil_osx.c     | 39 ++++++++++++++---------------
+ psutil/_psutil_sunos.c   | 43 ++++++++++++++++----------------
+ psutil/_psutil_windows.c | 54 ++++++++++++++++++++--------------------
+ 6 files changed, 97 insertions(+), 101 deletions(-)
+
+--- a/psutil/_psutil_linux.c
+++ b/psutil/_psutil_linux.c
+@@ -232,9 +232,9 @@ psutil_disk_partitions(PyObject *self, P
+             goto error;
+         if (PyList_Append(py_retlist, py_tuple))
+             goto error;
+-        Py_DECREF(py_dev);
+-        Py_DECREF(py_mountp);
+-        Py_DECREF(py_tuple);
+        Py_CLEAR(py_dev);
+        Py_CLEAR(py_mountp);
+        Py_CLEAR(py_tuple);
+     }
+     endmntent(file);
+     return py_retlist;
+@@ -488,10 +488,10 @@ psutil_users(PyObject *self, PyObject *a
+             goto error;
+         if (PyList_Append(py_retlist, py_tuple))
+             goto error;
+-        Py_DECREF(py_username);
+-        Py_DECREF(py_tty);
+-        Py_DECREF(py_hostname);
+-        Py_DECREF(py_tuple);
+        Py_CLEAR(py_username);
+        Py_CLEAR(py_tty);
+        Py_CLEAR(py_hostname);
+        Py_CLEAR(py_tuple);
+     }
+     endutent();
+     return py_retlist;
--- a/CVE-2019-18874-2.patch
+++ b/CVE-2019-18874-2.patch
@ -0,0 +1,31 @@
+From 3a9bccfd2c6d2e6538298cd3892058b1204056e0 Mon Sep 17 00:00:00 2001
+From: Riccardo Schirone <ret2libc@users.noreply.github.com>
+Date: Mon, 18 Nov 2019 15:51:39 +0100
+Subject: [PATCH] psutil/_psutil_posix.c: better clear variables to ensure they
+ are NULL (#1624)
+
+---
+ psutil/_psutil_posix.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/psutil/_psutil_posix.c b/psutil/_psutil_posix.c
+index 209e787d5..aa6008491 100644
+--- a/psutil/_psutil_posix.c
+++ b/psutil/_psutil_posix.c
+@@ -324,11 +324,11 @@ psutil_net_if_addrs(PyObject* self, PyObject* args) {
+             goto error;
+         if (PyList_Append(py_retlist, py_tuple))
+             goto error;
+-        Py_DECREF(py_tuple);
+-        Py_DECREF(py_address);
+-        Py_DECREF(py_netmask);
+-        Py_DECREF(py_broadcast);
+-        Py_DECREF(py_ptp);
+        Py_CLEAR(py_tuple);
+        Py_CLEAR(py_address);
+        Py_CLEAR(py_netmask);
+        Py_CLEAR(py_broadcast);
+        Py_CLEAR(py_ptp);
+     }
+ 
+     freeifaddrs(ifaddr);
--- a/python-psutil.spec
+++ b/python-psutil.spec
@ -1,11 +1,14 @@
 Name:           python-psutil
 Version:        5.4.3
-Release:        8
+Release:        9
 Summary:        A library for retrieving information on running processes and system utilization in Python
 License:        BSD
 URL:            https://github.com/giampaolo/psutil
 Source0:        https://github.com/giampaolo/psutil/archive/release-%{version}.tar.gz#/psutil-%{version}.tar.gz

+Patch0001:      CVE-2019-18874-1.patch
+Patch0002:      CVE-2019-18874-2.patch
+
 BuildRequires:  gcc python2-devel python3-devel procps-ng python2-mock python3-mock python2-ipaddress

 %description
@ -68,6 +71,9 @@ done
 %{python3_sitearch}/*.egg-info

 %changelog
+* Wed Oct 20 2021 yaoxin <yaoxin30@huawei.com> - 5.4.3-9
+- Fix CVE-2019-18874
+
 * Fri Aug 21 2020 shixuantong <shixuantong@huawei.com> - 5.4.3-8
 - add release version for rebuild