Bug 210324 - security/vuxml, lang/python*: Security vulnerability -- Heap overflow in zipimporter module (CVE-2016-5636)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Ruslan Makhmatkhanov
URL: http://bugs.python.org/issue26171
Keywords: needs-qa, patch, patch-ready, security
Depends on:
Blocks:
 
Reported: 2016-06-16 16:16 UTC by VK
Modified: 2016-06-17 17:05 UTC

See Also:
koobs: maintainer-feedback+


Attachments
VuXML entry for Pythons' vuln CVE-2016-5636 (1.45 KB, patch)
2016-06-16 16:16 UTC, VK

Description VK freebsd_triage 2016-06-16 16:16:10 UTC
Created attachment 171488
VuXML entry for Pythons' vuln CVE-2016-5636

Looks like Python 3.5, 3.4 and 2.7 are vulnerable to CVE-2016-5636.

* Upstream issue: http://bugs.python.org/issue26171
* CVE assignment: http://openwall.com/lists/oss-security/2016/06/16/1

Attached is a vuxml entry patch. Please check it; this is my first vuxml submission.

I also have not checked the status/vulnerability of python32 and python33; I am listing the hereby given three versions since that's what the upstream reported and patched.
Comment 1 VK freebsd_triage 2016-06-16 16:16:46 UTC
Remove accidental extra feedback request.
Comment 2 Ruslan Makhmatkhanov freebsd_committer freebsd_triage 2016-06-17 09:03:21 UTC
I'll take it
Comment 3 commit-hook freebsd_committer freebsd_triage 2016-06-17 17:04:15 UTC
A commit references this bug:

Author: rm
Date: Fri Jun 17 17:03:58 UTC 2016
New revision: 417018
URL: https://svnweb.freebsd.org/changeset/ports/417018

Log:
  Document integer overflow in python's zipimport module

  PR:		210324
  Submitted by:	Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Security:	CVE-2016-5636

Changes:
  head/security/vuxml/vuln.xml
Comment 4 Ruslan Makhmatkhanov freebsd_committer freebsd_triage 2016-06-17 17:05:06 UTC
Committed, thank you!