Diffstat (limited to 'lang/python26/patches/patch-CVE-2012-1150-Doc_using_cmdline.rst')
-rw-r--r-- | lang/python26/patches/patch-CVE-2012-1150-Doc_using_cmdline.rst | 75
1 files changed, 75 insertions, 0 deletions
diff --git a/lang/python26/patches/patch-CVE-2012-1150-Doc_using_cmdline.rst b/lang/python26/patches/patch-CVE-2012-1150-Doc_using_cmdline.rst new file mode 100644 index 00000000000..85c8fb2e2d5 --- /dev/null +++ b/lang/python26/patches/patch-CVE-2012-1150-Doc_using_cmdline.rst 
@@ -0,0 +1,75 @@ +$NetBSD: patch-CVE-2012-1150-Doc_using_cmdline.rst,v 1.1 2012/03/25 09:09:05 tron Exp $ + +Fix for CVE-2012-1150 taken from here: + +http://hg.python.org/cpython/rev/6b7704fe1be1 + +--- Doc/using/cmdline.rst.orig 2010-07-09 08:51:43.000000000 +0100 ++++ Doc/using/cmdline.rst 2012-03-25 09:51:50.000000000 +0100 +@@ -21,7 +21,7 @@ + + When invoking Python, you may specify any of these options:: + +- python [-BdEiOQsStuUvVWxX3?] [-c command | -m module-name | script | - ] [args] ++ python [-BdEiOQsRStuUvVWxX3?] [-c command | -m module-name | script | - ] [args] + + The most common use case is, of course, a simple invocation of a script:: + +@@ -239,6 +239,29 @@ + :pep:`238` -- Changing the division operator + + ++.. cmdoption:: -R ++ ++ Turn on hash randomization, so that the :meth:`__hash__` values of str, ++ bytes and datetime objects are "salted" with an unpredictable random value. ++ Although they remain constant within an individual Python process, they are ++ not predictable between repeated invocations of Python. ++ ++ This is intended to provide protection against a denial-of-service caused by ++ carefully-chosen inputs that exploit the worst case performance of a dict ++ insertion, O(n^2) complexity. See ++ http://www.ocert.org/advisories/ocert-2011-003.html for details. ++ ++ Changing hash values affects the order in which keys are retrieved from a ++ dict. Although Python has never made guarantees about this ordering (and it ++ typically varies between 32-bit and 64-bit builds), enough real-world code ++ implicitly relies on this non-guaranteed behavior that the randomization is ++ disabled by default. ++ ++ See also :envvar:`PYTHONHASHSEED`. ++ ++ .. versionadded:: 2.6.8 ++ ++ + .. cmdoption:: -s + + Don't add user site directory to sys.path +@@ -501,6 +524,27 @@ + + .. versionadded:: 2.6 + ++.. 
envvar:: PYTHONHASHSEED ++ ++ If this variable is set to ``random``, the effect is the same as specifying ++ the :option:`-R` option: a random value is used to seed the hashes of str, ++ bytes and datetime objects. ++ ++ If :envvar:`PYTHONHASHSEED` is set to an integer value, it is used as a ++ fixed seed for generating the hash() of the types covered by the hash ++ randomization. ++ ++ Its purpose is to allow repeatable hashing, such as for selftests for the ++ interpreter itself, or to allow a cluster of python processes to share hash ++ values. ++ ++ The integer must be a decimal number in the range [0,4294967295]. ++ Specifying the value 0 will lead to the same hash values as when hash ++ randomization is disabled. ++ ++ .. versionadded:: 2.6.8 ++ ++ + .. envvar:: PYTHONIOENCODING + + Overrides the encoding used for stdin/stdout/stderr, in the syntax |
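Review bot: this patch is documentation-only (it touches Doc/using/cmdline.rst and the Diffstat lists a single file), so confirm that the companion patches implementing the -R option and PYTHONHASHSEED in the interpreter itself, together with the distinfo checksum entry for this new patch file, are committed as part of the same python26 update; on its own, the cmdline.rst text would document an option and an environment variable the packaged interpreter does not accept. The header comment ("Fix for CVE-2012-1150 taken from here: http://hg.python.org/cpython/rev/6b7704fe1be1") could also say that this file is only the Doc/ portion of that upstream changeset, so the next maintainer can match it against the source patches without re-reading the changeset.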