From 2cf8a5cee9e4e5357383c9f50bd9368501bf5ec6 Mon Sep 17 00:00:00 2001
From: Lee Packham
Date: Tue, 4 Mar 2014 17:59:59 +0000
Subject: python: backport security fix for CVE-2014-1912.

A vulnerability was reported [1] in Python's socket module, due to a boundary error within the sock_recvfrom_into() function, which could be exploited to cause a buffer overflow. This could be used to crash a Python application that uses the socket.recvfrom_info() function or, possibly, execute arbitrary code with the permissions of the user running vulnerable Python code. This vulnerable function, socket.recvfrom_into(), was introduced in Python 2.5. Earlier versions are not affected by this flaw nor is Python 3.3.4 which is already in Homebrew. [1] http://bugs.python.org/issue20246 Closes #27194.

Signed-off-by: Mike McQuaid
---
 Library/Formula/python.rb | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/Library/Formula/python.rb b/Library/Formula/python.rb
index 9c59043fe..02c5ba2d0 100644
--- a/Library/Formula/python.rb
+++ b/Library/Formula/python.rb
@@ -35,9 +35,16 @@ class Python < Formula
   end
 
   def patches
+    p = {}
+    # Backported security fix for CVE-2014-1912:
+    # http://bugs.python.org/issue20246
+    p[:p0] = "https://gist.githubusercontent.com/leepa/9351856/raw/7f9130077fd760fcf9a25f50b69d9c77b155fbc5/CVE-2014-1912.patch"
     # Patch to disable the search for Tk.framework, since Homebrew's Tk is
     # a plain unix build. Remove `-lX11`, too because our Tk is "AquaTk".
-    DATA if build.with? 'brewed-tk'
+    if build.with? "brewed-tk"
+      p[:p1] = DATA
+    end
+    p
   end
 
   def lib_cellar
-- 
cgit v1.2.3
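Review bot: The CVE-2014-1912 fix is applied from bytes downloaded at build time (`p[:p0] = "https://gist.githubusercontent.com/leepa/..."`) with nothing in the formula verifying what was fetched; the URL is pinned to a gist revision, which helps, but the `patches` hash form used here does not appear to carry a checksum, so a substituted or truncated download would be applied silently. At minimum record the expected digest next to the URL so a maintainer can check it, e.g. `# sha1 of CVE-2014-1912.patch: <PLACEHOLDER_SHA1>` (fill in after fetching), and prefer a patch sourced from the upstream issue tracker over a personal gist if the DSL allows. Separately, the local `p` shadows `Kernel#p`; a name such as `patch_list` for the four lines that build and return it would read more clearly.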