From 24629af206fda411f97844447c97420922c609e2 Mon Sep 17 00:00:00 2001 From: Rahul Taya Date: Tue, 16 Feb 2021 20:53:49 +0530 Subject: python: Add fix for CVE-2019-9674 For python and python-native added patch to fix CVE-2019-9674 Signed-off-by: Rahul Taya Signed-off-by: Martin Jansa --- recipes-devtools/python/python.inc | 1 + recipes-devtools/python/python/CVE-2019-9674.patch | 88 ++++++++++++++++++++++ 2 files changed, 89 insertions(+) create mode 100644 recipes-devtools/python/python/CVE-2019-9674.patch (limited to 'recipes-devtools/python') diff --git a/recipes-devtools/python/python.inc b/recipes-devtools/python/python.inc index a4ba0c5..787f23e 100644 --- a/recipes-devtools/python/python.inc +++ b/recipes-devtools/python/python.inc @@ -8,6 +8,7 @@ INC_PR = "r1" LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642" SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ + file://CVE-2019-9674.patch \ " SRC_URI[sha256sum] = "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43" diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch b/recipes-devtools/python/python/CVE-2019-9674.patch new file mode 100644 index 0000000..94718a8 --- /dev/null +++ b/recipes-devtools/python/python/CVE-2019-9674.patch @@ -0,0 +1,88 @@ +From 051219e9993f5f4caa752480004c4a568798c908 Mon Sep 17 00:00:00 2001 +From: JunWei Song +Date: Wed, 11 Sep 2019 23:04:12 +0800 +Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + + (#13378) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +* bpo-36260: Add pitfalls to zipfile module documentation + +We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file. +This gave us the idea of documentation improvement. + +So, we moved a little bit forward :P +And the doc patch can be found (pr). + +* fix trailing whitespace + +* 📜🤖 Added by blurb_it. + +* Reformat text for consistency. + +Upstream-Status: Backport [https://github.com/python/cpython/commit/3ba51d587f6897a45301ce9126300c14fcd4eba2] +CVE: CVE-2019-9674 + +Comment: From the original patch skipped changes for file +Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst +as this file is not present in our source code. + +--- + Doc/library/zipfile.rst | 41 +++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 41 insertions(+) + +diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst +index ba613b3..76b9d5a 100644 +--- a/Doc/library/zipfile.rst ++++ b/Doc/library/zipfile.rst +@@ -554,4 +554,45 @@ Command-line options + Test whether the zipfile is valid or not. + + ++Decompression pitfalls ++---------------------- ++ ++The extraction in zipfile module might fail due to some pitfalls listed below. ++ ++From file itself ++~~~~~~~~~~~~~~~~ ++ ++Decompression may fail due to incorrect password / CRC checksum / ZIP format or ++unsupported compression method / decryption. ++ ++File System limitations ++~~~~~~~~~~~~~~~~~~~~~~~ ++ ++Exceeding limitations on different file systems can cause decompression failed. ++Such as allowable characters in the directory entries, length of the file name, ++length of the pathname, size of a single file, and number of files, etc. ++ ++Resources limitations ++~~~~~~~~~~~~~~~~~~~~~ ++ ++The lack of memory or disk volume would lead to decompression ++failed. For example, decompression bombs (aka `ZIP bomb`_) ++apply to zipfile library that can cause disk volume exhaustion. ++ ++Interruption ++~~~~~~~~~~~~ ++ ++Interruption during the decompression, such as pressing control-C or killing the ++decompression process may result in incomplete decompression of the archive. ++ ++Default behaviors of extraction ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ++ ++Not knowing the default extraction behaviors ++can cause unexpected decompression results. ++For example, when extracting the same archive twice, ++it overwrites files without asking. ++ ++ ++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb + .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT -- cgit 1.2.3-korg