author | he <he@pkgsrc.org> | 2014-06-09 17:58:31 +0000 |
---|---|---|
committer | he <he@pkgsrc.org> | 2014-06-09 17:58:31 +0000 |
commit | 406cd5185f9835aa3bfe0c77bd0f46d2f6ef2bc4 (patch) | |
tree | a5e6095ae76dd36e75be0779dbd63afc30d87859 /lang/python27 | |
parent | e402cbc62f26a48feb1b47d84344056edf214925 (diff) | |
download | pkgsrc-406cd5185f9835aa3bfe0c77bd0f46d2f6ef2bc4.tar.gz |
Add patches to fix the remaining two functions reported as being
vulnerable to CVE-2013-1752, following the general theme of overflow
of line lengths. This fixes the smtp and pop functions.
Taken / adapted from http://bugs.python.org/issue16041 and
http://bugs.python.org/issue16042.
PKGREVISION bumped.
Diffstat (limited to 'lang/python27')
-rw-r--r-- | lang/python27/Makefile | 3 | ||||
-rw-r--r-- | lang/python27/distinfo | 7 | ||||
-rw-r--r-- | lang/python27/patches/patch-Lib_poplib.py | 43 | ||||
-rw-r--r-- | lang/python27/patches/patch-Lib_smtplib.py | 51 | ||||
-rw-r--r-- | lang/python27/patches/patch-Lib_test_test__poplib.py | 27 | ||||
-rw-r--r-- | lang/python27/patches/patch-Lib_test_test_smtplib.py | 50 | ||||
-rw-r--r-- | lang/python27/patches/patch-Misc_NEWS | 21 |
7 files changed, 200 insertions, 2 deletions
diff --git a/lang/python27/Makefile b/lang/python27/Makefile
index 2f89596fba8..d1f756f10a9 100644
--- a/lang/python27/Makefile
+++ b/lang/python27/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.41 2014/06/02 06:12:03 adam Exp $
+# $NetBSD: Makefile,v 1.42 2014/06/09 17:58:31 he Exp $
 .include "dist.mk"
 PKGNAME= python27-${PY_DISTVERSION}
+PKGREVISION= 1
 CATEGORIES= lang python
 MAINTAINER= pkgsrc-users@NetBSD.org
diff --git a/lang/python27/distinfo b/lang/python27/distinfo
index 586ad0494a2..7aa75a680e5 100644
--- a/lang/python27/distinfo
+++ b/lang/python27/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.40 2014/06/02 06:12:03 adam Exp $
+$NetBSD: distinfo,v 1.41 2014/06/09 17:58:31 he Exp $
 SHA1 (Python-2.7.7.tar.xz) = 5f82557cac5abf18d1df6f8bb2029aa335b321f4
 RMD160 (Python-2.7.7.tar.xz) = 988da9490e8d66a2456accdce5dbe9ba875d5a18
@@ -6,6 +6,11 @@ Size (Python-2.7.7.tar.xz) = 10496500 bytes
 SHA1 (patch-Include_node.h) = 673d148b625711ac47e4bfeb0f5b0d5b31f94d7e
 SHA1 (patch-Include_pyerrors.h) = 3eba043c83b1d1df4918524f7b53047a6ed372ae
 SHA1 (patch-Lib_distutils_unixccompiler.py) = 39b967dc2ae648143d5841f22602a21063b4d5ea
+SHA1 (patch-Lib_poplib.py) = 5d7f64b028abd2fd43651f27a7f2ce7efe5b0859
+SHA1 (patch-Lib_smtplib.py) = f1118bbc53b4e292eb9a28ef3ef10eb4aa553bc3
+SHA1 (patch-Lib_test_test__poplib.py) = 1bdef76b687d042272e35c08521d4244d2c7fbe1
+SHA1 (patch-Lib_test_test_smtplib.py) = 9e8a7f826c7d0f493746718b49fc27ac97c2cbb1
+SHA1 (patch-Misc_NEWS) = 773d71d171a4d4e915297f723a37f5c5e5ef2bd4
 SHA1 (patch-Modules___ssl.c) = aaddaea5bcd6c84d3d896c7c37f710933b8228bc
 SHA1 (patch-Modules_getpath.c) = f68b38eb90f974b67ceab3922ce7f92eb77f25c3
 SHA1 (patch-aa) = 990e4025bb6a37715e1f5df1831499f0ab08acfa
diff --git a/lang/python27/patches/patch-Lib_poplib.py b/lang/python27/patches/patch-Lib_poplib.py
new file mode 100644
index 00000000000..6f43af0a2ec
--- /dev/null
+++ b/lang/python27/patches/patch-Lib_poplib.py
@@ -0,0 +1,43 @@
+$NetBSD: patch-Lib_poplib.py,v 1.1 2014/06/09 17:58:31 he Exp $
+
+Apply a fix for CVE-2013-1752.
+From http://bugs.python.org/issue16041.
+
+--- Lib/poplib.py.orig 2014-06-09 11:29:36.000000000 +0000
++++ Lib/poplib.py
+@@ -32,6 +32,12 @@ CR = '\r'
+ LF = '\n'
+ CRLF = CR+LF
+ 
++# maximal line length when calling readline(). This is to prevent
++# reading arbitrary lenght lines. RFC 1939 limits POP3 line length to
++# 512 characters, including CRLF. We have selected 2048 just to be on
++# the safe side.
++_MAXLINE = 2048
++
+ 
+ class POP3:
+ 
+@@ -103,7 +109,10 @@ class POP3:
+ # Raise error_proto('-ERR EOF') if the connection is closed.
+ 
+ def _getline(self):
+- line = self.file.readline()
++ line = self.file.readline(_MAXLINE + 1)
++ if len(line) > _MAXLINE:
++ raise error_proto('line too long')
++
+ if self._debugging > 1: print '*get*', repr(line)
+ if not line: raise error_proto('-ERR EOF')
+ octets = len(line)
+@@ -363,7 +372,10 @@ else:
+ line = ""
+ renewline = re.compile(r'.*?\n')
+ match = renewline.match(self.buffer)
++
+ while not match:
++ if len(self.buffer) > _MAXLINE:
++ raise error_proto('line too long')
+ self._fillBuffer()
+ match = renewline.match(self.buffer)
+ line = match.group(0)
diff --git a/lang/python27/patches/patch-Lib_smtplib.py b/lang/python27/patches/patch-Lib_smtplib.py
new file mode 100644
index 00000000000..6843a9e7f26
--- /dev/null
+++ b/lang/python27/patches/patch-Lib_smtplib.py
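Review bot: In the buffered `_getline` of the `@@ -363` hunk (the SSL-side variant under `else:`), the `len(self.buffer) > _MAXLINE` check runs only while no newline has been matched yet, so a line that is already complete in `self.buffer`, or that is completed by the very fill that follows the check, is returned at whatever length it has; the plain-socket `_getline` in the `@@ -103` hunk rejects every line longer than `_MAXLINE`. The loop check still bounds buffer growth to `_MAXLINE` plus one fill, so this is a consistency gap between the two paths rather than a missing bound. If both paths are meant to enforce the same limit, add `if len(line) > _MAXLINE: raise error_proto('line too long')` right after `line = match.group(0)`. That `_getline` starts before and ends after the hunk, and the new module comment in the `@@ -32` hunk has a typo, `lenght`.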
@@ -0,0 +1,51 @@
+$NetBSD: patch-Lib_smtplib.py,v 1.1 2014/06/09 17:58:31 he Exp $
+
+Apply a fix for CVE-2013-1752 for the SMTP part.
+From http://bugs.python.org/issue16042.
+
+--- Lib/smtplib.py.orig 2014-05-31 18:58:39.000000000 +0000
++++ Lib/smtplib.py
+@@ -57,6 +57,7 @@ __all__ = ["SMTPException", "SMTPServerD
+ SMTP_PORT = 25
+ SMTP_SSL_PORT = 465
+ CRLF = "\r\n"
++_MAXLINE = 8192 # more than 8 times larger than RFC 821, 4.5.3
+ 
+ OLDSTYLE_AUTH = re.compile(r"auth=(.*)", re.I)
+ 
+@@ -179,10 +180,14 @@ else:
+ def __init__(self, sslobj):
+ self.sslobj = sslobj
+ 
+- def readline(self):
++ def readline(self, size=-1):
++ if size < 0:
++ size = None
+ str = ""
+ chr = None
+ while chr != "\n":
++ if size is not None and len(str) >= size:
++ break
+ chr = self.sslobj.read(1)
+ if not chr:
+ break
+@@ -353,7 +358,7 @@ class SMTP:
+ self.file = self.sock.makefile('rb')
+ while 1:
+ try:
+- line = self.file.readline()
++ line = self.file.readline(_MAXLINE + 1)
+ except socket.error as e:
+ self.close()
+ raise SMTPServerDisconnected("Connection unexpectedly closed: "
+@@ -362,7 +367,9 @@ class SMTP:
+ self.close()
+ raise SMTPServerDisconnected("Connection unexpectedly closed")
+ if self.debuglevel > 0:
+- print>>stderr, 'reply:', repr(line)
++ print >>stderr, 'reply:', repr(line)
++ if len(line) > _MAXLINE:
++ raise SMTPResponseException(500, "Line too long.")
+ resp.append(line[4:].strip())
+ code = line[:3]
+ # Check that the error code is syntactically correct.
diff --git a/lang/python27/patches/patch-Lib_test_test__poplib.py b/lang/python27/patches/patch-Lib_test_test__poplib.py
new file mode 100644
index 00000000000..8a18b553200
--- /dev/null
+++ b/lang/python27/patches/patch-Lib_test_test__poplib.py
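Review bot: The new `raise SMTPResponseException(500, "Line too long.")` in the `@@ -362` hunk leaves the connection open with the remainder of the oversized line still unread on the socket, whereas the two `SMTPServerDisconnected` branches just above it call `self.close()` before raising. A caller that catches the exception and keeps using the `SMTP` object would then read the tail of that line as the start of the next reply, so I would add `self.close()` on the line before the raise, matching the surrounding error paths. The `SSLFakeFile.readline(self, size=-1)` change returns a partial line once `size` bytes are collected, which is what makes the `readline(_MAXLINE + 1)` read-and-compare work on the SSL path; that part looks right. The enclosing `getreply` starts and ends outside the hunk, and the `print>>stderr` → `print >>stderr` edit is cosmetic and unrelated to the fix.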
@@ -0,0 +1,27 @@
+$NetBSD: patch-Lib_test_test__poplib.py,v 1.1 2014/06/09 17:58:31 he Exp $
+
+Apply a fix for CVE-2013-1752.
+From http://bugs.python.org/issue16041.
+
+--- Lib/test/test_poplib.py.orig 2014-06-09 11:29:38.000000000 +0000
++++ Lib/test/test_poplib.py
+@@ -81,7 +81,7 @@ class DummyPOP3Handler(asynchat.async_ch
+ 
+ def cmd_list(self, arg):
+ if arg:
+- self.push('+OK %s %s' %(arg, arg))
++ self.push('+OK %s %s' % (arg, arg))
+ else:
+ self.push('+OK')
+ asynchat.async_chat.push(self, LIST_RESP)
+@@ -198,6 +198,10 @@ class TestPOP3Class(TestCase):
+ 113)
+ self.assertEqual(self.client.retr('foo'), expected)
+ 
++ def test_too_long_lines(self):
++ self.assertRaises(poplib.error_proto, self.client._shortcmd,
++ 'echo %s' % (3000 * 'a'))
++
+ def test_dele(self):
+ self.assertOK(self.client.dele('foo'))
+ 
diff --git a/lang/python27/patches/patch-Lib_test_test_smtplib.py b/lang/python27/patches/patch-Lib_test_test_smtplib.py
new file mode 100644
index 00000000000..14ee7279e20
--- /dev/null
+++ b/lang/python27/patches/patch-Lib_test_test_smtplib.py
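Review bot: `test_too_long_lines` in the `@@ -198` hunk drives a 3000-byte `echo` through `self.client._shortcmd`, which exercises the plain-socket `POP3._getline`; the buffered `_getline` on the SSL side of `poplib`, which receives its own `_MAXLINE` check in this commit, gets no direct test here. If an SSL variant of `TestPOP3Class` elsewhere in the module inherits this method the path is covered, but that is not visible in the hunk, so it is worth confirming or adding an equivalent case for the SSL client. The test also depends on the dummy server answering an `echo` command, which this hunk does not show. The `%(arg, arg)` → `% (arg, arg)` edit in `cmd_list` is cosmetic and unrelated to the fix, so it could be dropped to keep the local patch minimal.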
@@ -0,0 +1,50 @@
+$NetBSD: patch-Lib_test_test_smtplib.py,v 1.1 2014/06/09 17:58:31 he Exp $
+
+Apply a fix for CVE-2013-1752 for the SMTP part.
+From http://bugs.python.org/issue16042.
+
+--- Lib/test/test_smtplib.py.orig 2014-05-31 18:58:39.000000000 +0000
++++ Lib/test/test_smtplib.py
+@@ -292,6 +292,32 @@ class BadHELOServerTests(unittest.TestCa
+ HOST, self.port, 'localhost', 3)
+ 
+ 
++class TooLongLineTests(TestCase):
++ respdata = '250 OK' + ('.' * smtplib._MAXLINE * 2) + '\n'
++
++ def setUp(self):
++ self.old_stdout = sys.stdout
++ self.output = StringIO.StringIO()
++ sys.stdout = self.output
++
++ self.evt = threading.Event()
++ self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
++ self.sock.settimeout(15)
++ self.port = test_support.bind_port(self.sock)
++ servargs = (self.evt, self.respdata, self.sock)
++ threading.Thread(target=server, args=servargs).start()
++ self.evt.wait()
++ self.evt.clear()
++
++ def tearDown(self):
++ self.evt.wait()
++ sys.stdout = self.old_stdout
++
++ def testLineTooLong(self):
++ self.assertRaises(smtplib.SMTPResponseException, smtplib.SMTP,
++ HOST, self.port, 'localhost', 3)
++
++
+ sim_users = {'Mr.A@somewhere.com':'John A',
+ 'Ms.B@somewhere.com':'Sally B',
+ 'Mrs.C@somewhereesle.com':'Ruth C',
+@@ -511,7 +537,8 @@ class SMTPSimTests(unittest.TestCase):
+ def test_main(verbose=None):
+ test_support.run_unittest(GeneralTests, DebuggingServerTests,
+ NonConnectingTests,
+- BadHELOServerTests, SMTPSimTests)
++ BadHELOServerTests, SMTPSimTests,
++ TooLongLineTests)
+ 
+ if __name__ == '__main__':
+ test_main()
diff --git a/lang/python27/patches/patch-Misc_NEWS b/lang/python27/patches/patch-Misc_NEWS
new file mode 100644
index 00000000000..4e738c28153
--- /dev/null
+++ b/lang/python27/patches/patch-Misc_NEWS
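Review bot: `TooLongLineTests.setUp` and `tearDown` in the `@@ -292` hunk appear to duplicate the fixture of the `BadHELOServerTests` class the hunk header points at, differing only in `respdata`; the same `HOST, self.port, 'localhost', 3` call is visible as context on the line above the new class, though the rest of that class is outside the hunk. Deriving the new class from it, or moving the socket/thread setup into a small base class keyed on a `respdata` attribute, would keep the two fixtures in step if the `server` helper changes. The new class also subclasses bare `TestCase` while the neighbouring classes use `unittest.TestCase`; both names presumably resolve in this module, but one spelling reads better. `testLineTooLong` only covers plain `SMTP`, so the `SSLFakeFile.readline(size)` path changed in `smtplib` is not exercised here.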
@@ -0,0 +1,21 @@
+$NetBSD: patch-Misc_NEWS,v 1.3 2014/06/09 17:58:31 he Exp $
+
+Apply a fix for CVE-2013-1752 for the SMTP and Pop parts.
+From http://bugs.python.org/issue16042 and issue16041.
+
+--- Misc/NEWS.orig 2014-06-09 11:29:34.000000000 +0000
++++ Misc/NEWS
+@@ -585,6 +585,13 @@ Library
+ prevent readline() calls from consuming too much memory. Patch by Jyrki
+ Pulliainen.
+ 
++- Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to
++ prevent readline() calls from consuming too much memory. Patch by Jyrki
++ Pulliainen.
++
++- Issue #16042: CVE-2013-1752: smtplib: Limit amount of data read by
++ limiting the call to readline(). Original patch by Christian Heimes.
++
+ - Issue #12641: Avoid passing "-mno-cygwin" to the mingw32 compiler, except
+ when necessary. Patch by Oscar Benjamin.
+ |