dev-java/jython: Patch against CVE-2016-4000 (bug #621876)

Also unpeg the dev-java/asm version as 5.1 works fine. 5.0.3 was the
latest when that restriction was put in place so a newer version could
not have been breaking it.

Package-Manager: Portage-2.3.8, Repoman-2.3.2

2 files changed, 160 insertions, 1 deletions

diff --git a/dev-java/jython/files/CVE-2016-4000.patch b/dev-java/jython/files/CVE-2016-4000.patch
new file mode 100644
index 000000000000..81785eb05b07
--- /dev/null
+++ b/dev-java/jython/files/CVE-2016-4000.patch
@@ -0,0 +1,158 @@
+
+# HG changeset patch
+# User Jim Baker <jim.baker@rackspace.com>
+# Date 1454384221 25200
+# Node ID d06e29d100c04576735e86c75a26c5f33669bb72
+# Parent  b6735606c13df95f770527e629954407f82808c5
+Do not deserialize PyFunction objects. Fixes #2454
+
+Instead use standard Python pickling; or subclass PyFunction.
+
+diff --git a/Lib/test/test_java_integration.py b/Lib/test/test_java_integration.py
+--- a/Lib/test/test_java_integration.py
++++ b/Lib/test/test_java_integration.py
+@@ -14,8 +14,9 @@ import re
+ from collections import deque
+ from test import test_support
+ 
+-from java.lang import (ClassCastException, ExceptionInInitializerError, String, Runnable, System,
+-        Runtime, Math, Byte)
++from java.lang import (
++    ClassCastException, ExceptionInInitializerError, UnsupportedOperationException,
++    String, Runnable, System, Runtime, Math, Byte)
+ from java.math import BigDecimal, BigInteger
+ from java.net import URI
+ from java.io import (ByteArrayInputStream, ByteArrayOutputStream, File, FileInputStream,
+@@ -656,13 +657,30 @@ class SerializationTest(unittest.TestCas
+         self.assertEqual(date_list, roundtrip_serialization(date_list))
+ 
+     def test_java_serialization_pycode(self):
+-
+         def universal_answer():
+             return 42
+ 
+         serialized_code = roundtrip_serialization(universal_answer.func_code)
+         self.assertEqual(eval(serialized_code), universal_answer())
+ 
++    def test_java_serialization_pyfunction(self):
++        # Not directly supported due to lack of general utility
++        # (globals will usually be in the function object in
++        # func_globals), and problems with unserialization
++        # vulnerabilities. Users can always subclass from PyFunction
++        # for specific cases, as seen in PyCascading
++        import new
++        def f():
++            return 6 * 7 + max(0, 1, 2)
++        # However, using the new module, it's possible to create a
++        # function with no globals, which means the globals will come
++        # from the current context
++        g = new.function(f.func_code, {}, "g")
++        # But still forbid Java deserialization of this function
++        # object. Use pickling or other support instead.
++        with self.assertRaises(UnsupportedOperationException):
++            roundtrip_serialization(g)
++
+     def test_builtin_names(self):
+         import __builtin__
+         names = [x for x in dir(__builtin__)]
+@@ -872,7 +890,7 @@ class SingleMethodInterfaceTest(unittest
+         future.get()
+         self.assertEqual(x, [42])
+ 
+-    @unittest.skip("FIXME: not working")
++    @unittest.skip("FIXME: not working; see http://bugs.jython.org/issue2115")
+     def test_callable_object(self):
+         callable_obj = CallableObject()
+         future = self.executor.submit(callable_obj)
+diff --git a/Lib/test/test_new.py b/Lib/test/test_new.py
+--- a/Lib/test/test_new.py
++++ b/Lib/test/test_new.py
+@@ -24,18 +24,10 @@ class NewTest(unittest.TestCase):
+         c = new.instance(C, {'yolks': 3})
+ 
+         o = new.instance(C)
+-
+-        # __dict__ is a non dict mapping in Jython
+-        if test_support.is_jython:
+-            self.assertEqual(len(o.__dict__), 0, "new __dict__ should be empty")
+-        else:
+-            self.assertEqual(o.__dict__, {}, "new __dict__ should be empty")
++        self.assertEqual(o.__dict__, {}, "new __dict__ should be empty")
+         del o
+         o = new.instance(C, None)
+-        if test_support.is_jython:
+-            self.assertEqual(len(o.__dict__), 0, "new __dict__ should be empty")
+-        else:
+-            self.assertEqual(o.__dict__, {}, "new __dict__ should be empty")
++        self.assertEqual(o.__dict__, {}, "new __dict__ should be empty")
+         del o
+ 
+         def break_yolks(self):
+@@ -109,7 +101,14 @@ class NewTest(unittest.TestCase):
+         test_closure(g, (1, 1), ValueError) # closure is wrong size
+         test_closure(f, g.func_closure, ValueError) # no closure needed
+ 
+-    if hasattr(new, 'code') and not test_support.is_jython:
++    # [Obsolete] Note: Jython will never have new.code()
++    #
++    # Who said that?!!! guess what, we do! :)
++    # 
++    # Unfortunately we still need a way to compile to Python bytecode,
++    # so support is still incomplete, as seen in the fact that we need
++    # to get values from CPython 2.7.
++    if hasattr(new, 'code'):
+         def test_code(self):
+             # bogus test of new.code()
+             def f(a): pass
+@@ -117,16 +116,16 @@ class NewTest(unittest.TestCase):
+             c = f.func_code
+             argcount = c.co_argcount
+             nlocals = c.co_nlocals
+-            stacksize = c.co_stacksize
++            stacksize = 1  # TODO c.co_stacksize
+             flags = c.co_flags
+-            codestring = c.co_code
+-            constants = c.co_consts
+-            names = c.co_names
++            codestring = 'd\x00\x00S'  # TODO c.co_code
++            constants = (None,)  # TODO c.co_consts
++            names = ()  # TODO c.co_names
+             varnames = c.co_varnames
+             filename = c.co_filename
+             name = c.co_name
+             firstlineno = c.co_firstlineno
+-            lnotab = c.co_lnotab
++            lnotab = '' # TODO c.co_lnotab, but also see http://bugs.jython.org/issue1638
+             freevars = c.co_freevars
+             cellvars = c.co_cellvars
+ 
+diff --git a/src/org/python/core/PyBytecode.java b/src/org/python/core/PyBytecode.java
+--- a/src/org/python/core/PyBytecode.java
++++ b/src/org/python/core/PyBytecode.java
+@@ -66,6 +66,12 @@ public class PyBytecode extends PyBaseCo
+ 
+         debug = defaultDebug;
+ 
++        if (argcount < 0) {
++            throw Py.ValueError("code: argcount must not be negative");
++        } else if (nlocals < 0) {
++            throw Py.ValueError("code: nlocals must not be negative");
++        }
++
+         co_argcount = nargs = argcount;
+         co_varnames = varnames;
+         co_nlocals = nlocals; // maybe assert = varnames.length;
+diff --git a/src/org/python/core/PyFunction.java b/src/org/python/core/PyFunction.java
+--- a/src/org/python/core/PyFunction.java
++++ b/src/org/python/core/PyFunction.java
+@@ -545,6 +545,9 @@ public class PyFunction extends PyObject
+     @Override
+     public boolean isSequenceType() { return false; }
+ 
++    private Object readResolve() {
++        throw new UnsupportedOperationException();
++    }
+ 
+     /* Traverseproc implementation */
+     @Override
+
diff --git a/dev-java/jython/jython-2.7.0-r1.ebuild b/dev-java/jython/jython-2.7.0-r2.ebuild
index d0870d8b4ac0..c0b7572345d4 100644
--- a/dev-java/jython/jython-2.7.0-r1.ebuild
+++ b/dev-java/jython/jython-2.7.0-r2.ebuild
@@ -20,7 +20,7 @@ IUSE="examples test"
 
 CP_DEPEND="dev-java/antlr:3
 	dev-java/netty-transport:0
-	=dev-java/asm-5.0.3:4
+	>=dev-java/asm-5:4
 	dev-java/commons-compress:0
 	dev-java/guava:20
 	dev-java/jffi:1.2
@@ -66,6 +66,7 @@ PATCHES=(
 	"${FILESDIR}"/${PN}-2.7_beta1-dont-always-recompile-classes.patch
 	"${FILESDIR}"/${PN}-2.7_beta2-maxrepeat-import.patch
 	"${FILESDIR}"/${PN}-2.7.0-build.xml.patch
+	"${FILESDIR}"/CVE-2016-4000.patch
 )
 
 src_prepare() {