python: Add fix for CVE-2019-9674

For python and python-native added patch to fix
CVE-2019-9674

Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>

2 files changed, 89 insertions, 0 deletions

diff --git a/recipes-devtools/python/python.inc b/recipes-devtools/python/python.inc
index a4ba0c5..787f23e 100644
--- a/recipes-devtools/python/python.inc
+++ b/recipes-devtools/python/python.inc
@@ -8,6 +8,7 @@ INC_PR = "r1"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"
 
 SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
+           file://CVE-2019-9674.patch \
            "
 
 SRC_URI[sha256sum] = "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43"
diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch b/recipes-devtools/python/python/CVE-2019-9674.patch
new file mode 100644
index 0000000..94718a8
--- /dev/null
+++ b/recipes-devtools/python/python/CVE-2019-9674.patch
@@ -0,0 +1,88 @@
+From 051219e9993f5f4caa752480004c4a568798c908 Mon Sep 17 00:00:00 2001
+From: JunWei Song <sungboss2004@gmail.com>
+Date: Wed, 11 Sep 2019 23:04:12 +0800
+Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+ (#13378)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* bpo-36260: Add pitfalls to zipfile module documentation
+
+We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file.
+This gave us the idea of documentation improvement.
+
+So, we moved a little bit forward :P
+And the doc patch can be found (pr).
+
+* fix trailing whitespace
+
+* 📜🤖 Added by blurb_it.
+
+* Reformat text for consistency.
+
+Upstream-Status: Backport [https://github.com/python/cpython/commit/3ba51d587f6897a45301ce9126300c14fcd4eba2]
+CVE: CVE-2019-9674
+
+Comment: From the original patch skipped changes for file
+Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
+as this file is not present in our source code.
+
+---
+ Doc/library/zipfile.rst | 41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
+index ba613b3..76b9d5a 100644
+--- a/Doc/library/zipfile.rst
++++ b/Doc/library/zipfile.rst
+@@ -554,4 +554,45 @@ Command-line options
+    Test whether the zipfile is valid or not.
+ 
+ 
++Decompression pitfalls
++----------------------
++
++The extraction in zipfile module might fail due to some pitfalls listed below.
++
++From file itself
++~~~~~~~~~~~~~~~~
++
++Decompression may fail due to incorrect password / CRC checksum / ZIP format or
++unsupported compression method / decryption.
++
++File System limitations
++~~~~~~~~~~~~~~~~~~~~~~~
++
++Exceeding limitations on different file systems can cause decompression failed.
++Such as allowable characters in the directory entries, length of the file name,
++length of the pathname, size of a single file, and number of files, etc.
++
++Resources limitations
++~~~~~~~~~~~~~~~~~~~~~
++
++The lack of memory or disk volume would lead to decompression
++failed. For example, decompression bombs (aka `ZIP bomb`_)
++apply to zipfile library that can cause disk volume exhaustion.
++
++Interruption
++~~~~~~~~~~~~
++
++Interruption during the decompression, such as pressing control-C or killing the
++decompression process may result in incomplete decompression of the archive.
++
++Default behaviors of extraction
++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
++
++Not knowing the default extraction behaviors
++can cause unexpected decompression results.
++For example, when extracting the same archive twice,
++it overwrites files without asking.
++
++
++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
+ .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT