Diffstat (limited to 'lang/python26/patches/patch-CVE-2012-1150-Misc_python.man')
-rw-r--r-- | lang/python26/patches/patch-CVE-2012-1150-Misc_python.man | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/lang/python26/patches/patch-CVE-2012-1150-Misc_python.man b/lang/python26/patches/patch-CVE-2012-1150-Misc_python.man new file mode 100644 index 00000000000..e9067175e74 --- /dev/null +++ b/lang/python26/patches/patch-CVE-2012-1150-Misc_python.man 
@@ -0,0 +1,58 @@ +$NetBSD: patch-CVE-2012-1150-Misc_python.man,v 1.1 2012/03/25 09:09:05 tron Exp $ + +Fix for CVE-2012-1150 taken from here: + +http://hg.python.org/cpython/rev/6b7704fe1be1 + +--- Misc/python.man.orig 2010-01-31 16:09:16.000000000 +0000 ++++ Misc/python.man 2012-03-25 09:51:50.000000000 +0100 +@@ -34,6 +34,9 @@ + .B \-O0 + ] + [ ++.B \-R ++] ++[ + .B -Q + .I argument + ] +@@ -151,6 +154,18 @@ + .B \-O0 + Discard docstrings in addition to the \fB-O\fP optimizations. + .TP ++.B \-R ++Turn on "hash randomization", so that the hash() values of str, bytes and ++datetime objects are "salted" with an unpredictable pseudo-random value. ++Although they remain constant within an individual Python process, they are ++not predictable between repeated invocations of Python. ++.IP ++This is intended to provide protection against a denial of service ++caused by carefully-chosen inputs that exploit the worst case performance ++of a dict insertion, O(n^2) complexity. See ++http://www.ocert.org/advisories/ocert-2011-003.html ++for details. ++.TP + .BI "\-Q " argument + Division control; see PEP 238. The argument must be one of "old" (the + default, int/int and long/long return an int or long), "new" (new +@@ -411,6 +426,20 @@ + If this is set to a non-empty string it is equivalent to specifying + the \fB\-v\fP option. If set to an integer, it is equivalent to + specifying \fB\-v\fP multiple times. ++.IP PYTHONHASHSEED ++If this variable is set to "random", the effect is the same as specifying ++the \fB-R\fP option: a random value is used to seed the hashes of str, ++bytes and datetime objects. ++ ++If PYTHONHASHSEED is set to an integer value, it is used as a fixed seed for ++generating the hash() of the types covered by the hash randomization. Its ++purpose is to allow repeatable hashing, such as for selftests for the ++interpreter itself, or to allow a cluster of python processes to share hash ++values. 
++ ++The integer must be a decimal number in the range [0,4294967295]. Specifying ++the value 0 will lead to the same hash values as when hash randomization is ++disabled. + .SH AUTHOR + The Python Software Foundation: http://www.python.org/psf + .SH INTERNET RESOURCES |
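Review bot: In the `@@ -151,6 +154,18 @@` hunk, the new `\-R` entry says "Turn on" but never states that hash() values stay unsalted when neither `-R` nor PYTHONHASHSEED is given, so a reader can take the patched interpreter to be protected by default. Suggest adding one sentence to the first paragraph saying that hash randomization is disabled unless this option or PYTHONHASHSEED is used. Separately, "the worst case performance of a dict insertion, O(n^2) complexity" mixes two quantities: a single insertion into a table of n colliding keys costs O(n), and the O(n^2) figure is the total for inserting n such keys. Wording such as "the worst case performance of dict construction, O(n^2) complexity for n colliding keys" would be accurate.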
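Review bot: In the `@@ -411,6 +426,20 @@` hunk, the PYTHONHASHSEED entry recommends a fixed integer seed for selftests and for clusters without noting that a fixed seed makes hash() values predictable again to anyone who learns it, which removes the protection described under `\-R`. Suggest a sentence saying that a fixed seed should be limited to cases that need repeatable hashing and treated as a secret where untrusted input is processed. The entry also gives the accepted range [0,4294967295] but does not say what the interpreter does with a value that is neither "random" nor a decimal number in that range; please document that. Two style points in the same hunk: the paragraphs are separated by bare blank lines where the `\-R` entry uses `.IP`, and `\fB-R\fP` leaves the hyphen unescaped while the adjacent context line writes `\fB\-v\fP`.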