diff --git a/00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch b/00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch
new file mode 100644
index 0000000..587d6f9
--- /dev/null
+++ b/00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch
@@ -0,0 +1,39 @@
+From ae99040f6c1f329d6b6c984f39c920f09d383925 Mon Sep 17 00:00:00 2001
+From: Charalampos Stratakis
+Date: Mon, 11 Jul 2016 11:21:29 +0200
+Subject: [PATCH] CVE-2016-5636 fix
+
+---
+ Modules/zipimport.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/Modules/zipimport.c b/Modules/zipimport.c
+index 8fe9195..f72e89f 100644
+--- a/Modules/zipimport.c
++++ b/Modules/zipimport.c
+@@ -1071,6 +1071,10 @@ get_data(PyObject *archive, PyObject *toc_entry)
+ &date, &crc)) {
+ return NULL;
+ }
++ if (data_size < 0) {
++ PyErr_Format(ZipImportError, "negative data size");
++ return NULL;
++ }
+
+ fp = _Py_fopen_obj(archive, "rb");
+ if (!fp) {
+@@ -1111,6 +1115,11 @@ get_data(PyObject *archive, PyObject *toc_entry)
+ }
+ file_offset += l; /* Start of file data */
+
++ if (data_size > LONG_MAX - 1) {
++ fclose(fp);
++ PyErr_NoMemory();
++ return NULL;
++ }
+ bytes_size = compress == 0 ? data_size : data_size + 1;
+ if (bytes_size == 0)
+ bytes_size++;
+--
+2.7.4
+
diff --git a/00209-prevent-buffer-overflow-in-zipimport-module.patch b/00209-prevent-buffer-overflow-in-zipimport-module.patch
deleted file mode 100644
index ea23556..0000000
--- a/00209-prevent-buffer-overflow-in-zipimport-module.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff --git a/Modules/zipimport.c b/Modules/zipimport.c
-index 06abb31..914bf5d 100644
---- a/Modules/zipimport.c
-+++ b/Modules/zipimport.c
-@@ -1112,6 +1112,11 @@ get_data(PyObject *archive, PyObject *toc_entry)
- }
- file_offset += l; /* Start of file data */
-
-+ if (data_size > LONG_MAX - 1) {
-+ fclose(fp);
-+ PyErr_NoMemory();
-+ return NULL;
-+ }
- bytes_size = compress == 0 ? data_size : data_size + 1;
- if (bytes_size == 0)
- bytes_size++;
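Review bot: Neither guard that the new 00209-CVE-2016-5636 patch adds to get_data() says why it is there, so the dependency between `data_size > LONG_MAX - 1` and the `data_size + 1` computed on the very next line is easy to lose in a later edit. I would put `/* data_size + 1 is computed below for compressed entries; reject values that would overflow */` above the upper-bound guard, and a one-line comment above the `data_size < 0` check noting that the value is taken from the parsed toc_entry and is not otherwise validated here. Because the message has no format arguments, the first guard reads more plainly as `PyErr_SetString(ZipImportError, "negative data size");`. Whether the other values parsed alongside data_size need similar range checks (file_offset, for instance, is modified in the second inner hunk) cannot be judged from these hunks, since get_data() starts and ends outside them.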
diff --git a/python3.spec b/python3.spec index 336c87e..7b9c2b0 100644 --- a/python3.spec +++ b/python3.spec @@ -140,7 +140,7 @@ Summary: Version 3 of the Python programming language aka Python 3000 Name: python3 Version: %{pybasever}.3 -Release: 10%{?dist} +Release: 11%{?dist} License: Python Group: Development/Languages @@ -730,11 +730,14 @@ Patch203: 00203-disable-threading-test-koji.patch # openssl requires DH keys to be > 768bits Patch204: 00204-increase-dh-keys-size.patch -# https://bugs.python.org/issue26171 +# 00209 # +# CVE-2016-5636: http://seclists.org/oss-sec/2016/q2/560 +# rhbz#1345859: https://bugzilla.redhat.com/show_bug.cgi?id=1345859 # https://hg.python.org/cpython/rev/10dad6da1b28/ +# https://hg.python.org/cpython/rev/5533a9e02b21 # Fix possible integer overflow and heap corruption in zipimporter.get_data() -# FIXED UPSTREAM -Patch209: 00209-prevent-buffer-overflow-in-zipimport-module.patch +# FIXED UPSTREAM: https://bugs.python.org/issue26171 +Patch209: 00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch # 00210 # # CVE-2016-0772 python: smtplib StartTLS stripping attack @@ -1947,7 +1950,10 @@ rm -fr %{buildroot} # ====================================================== %changelog -* Fri Jul 08 2016 Charalampos Stratakis - 3.4.3-10 +* Mon Jul 11 2016 Charalampos Stratakis - 3.4.3-11 +- Refactor patch for properly fixing CVE-2016-5636 + +* Mon Jul 11 2016 Charalampos Stratakis - 3.4.3-10 - Fix test_pyexpat failure with Expat version of 2.2.0 * Fri Jun 24 2016 Tomas Orsava - 3.4.3-9