Created attachment 171489 [details]
Patch pythons against CVE-2016-5636

Backported patches for the pythons, for CVE-2016-5636. This covers Python 3.5, 3.4 and 2.7, and they are the upstream patches. I have not tried to apply the fix to 3.3 and 3.2. Poudriere 10.3-p5 amd64 builds fine.
Created attachment 171491 [details]
Patch python33 against CVE-2016-5636

This backports the fix to python33 as well. I'm attaching it as a separate patch for review because it is not part of upstream. Investigating why that is so, since 3.3 is in security-only mode 'till next year. Poudriere builds it. Python's test suite passed for 'zipimport'.
I'll take it
Thanks. Meanwhile it turns out Python 3.3 should be added to this as well. I've submitted my backport from Bug #210324 upstream and they will likely act on it: https://bugs.python.org/issue26171
A commit references this bug:

Author: rm
Date: Fri Jun 17 17:09:06 UTC 2016
New revision: 417019
URL: https://svnweb.freebsd.org/changeset/ports/417019

Log:
  lang/python[xx]: backport upstream fix for CVE-2016-5636

  Add patch for integer overflow in zipimport module to all our python ports.

  While I'm here, get rid of -f flag in ${RM} invocation, because ${RM}
  already expands to rm -f, so as a result we are getting something like:

  /bin/rm -f -f /wrkdirs/usr/ports/lang/python35/work/stage/usr/local/lib/libpython3.so

  PR:           210325
  Submitted by: Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Security:     1d0f6852-33d8-11e6-a671-60a44ce6887b
  With hat:     python

Changes:
  head/lang/python27/Makefile
  head/lang/python27/files/patch-Modules_zipimport.c
  head/lang/python33/Makefile
  head/lang/python33/files/patch-Modules_zipimport.c
  head/lang/python34/Makefile
  head/lang/python34/files/patch-Modules_zipimport.c
  head/lang/python35/Makefile
  head/lang/python35/files/patch-Modules_zipimport.c
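The commit message above only names the bug class ("integer overflow in zipimport module"), so the following is an added, stand-alone illustration of that class and of the check a reviewer expects to see; it is not the CPython zipimport.c code, not the backported patch, and the function names (read_le32_signed, buffer_size_unchecked, buffer_size_checked) and the sample header bytes are constructed for this example. The pattern shown is the generic one: a size field read from an untrusted archive header into a signed 32-bit integer must be rejected when negative, and any arithmetic on it (such as a +1 for a terminator) must be checked before the value is turned into an allocation or read length.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Read a 4-byte little-endian header field into a signed 32-bit value,
 * the way an archive reader that stores sizes in a signed int would.
 * memcpy bit-casts the unsigned value so no implementation-defined
 * conversion is involved. */
static int32_t read_le32_signed(const unsigned char *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    int32_t s;
    memcpy(&s, &v, sizeof s);
    return s;
}

/* Illustrative "before": trusts the header field and converts it straight
 * to a size_t. A negative value (e.g. -1 from bytes FF FF FF FF) becomes
 * SIZE_MAX, which then feeds an allocation or a read length. This is the
 * shape of the bug class, not CPython's actual code. */
static size_t buffer_size_unchecked(int32_t data_size)
{
    return (size_t)data_size;
}

/* Illustrative "after": reject negative sizes, reject a +1 that would
 * overflow int32 arithmetic, and cap the result at a caller-supplied limit.
 * Returns 0 and sets *out on success, -1 on any rejected input. */
static int buffer_size_checked(int32_t data_size, int compressed,
                               size_t limit, size_t *out)
{
    if (data_size < 0)
        return -1;                          /* untrusted negative size */
    if (compressed && data_size == INT32_MAX)
        return -1;                          /* data_size + 1 would overflow */
    size_t n = (size_t)data_size + (compressed ? 1u : 0u);
    if (n > limit)
        return -1;                          /* larger than we will ever accept */
    *out = n;
    return 0;
}

/* Constructed sample header fields (not from any real archive):
 * a hostile size of 0xFFFFFFFF and a benign size of 100. */
static const unsigned char hostile_size_field[4] = { 0xFF, 0xFF, 0xFF, 0xFF };
static const unsigned char benign_size_field[4]  = { 0x64, 0x00, 0x00, 0x00 };

/* Parse a size field and return the checked buffer size; -1 if rejected.
 * Returned as a long so the rejection sentinel cannot collide with a size. */
static long checked_size_from_field(const unsigned char *field, int compressed)
{
    size_t n;
    if (buffer_size_checked(read_le32_signed(field), compressed, 1u << 20, &n) != 0)
        return -1;
    return (long)n;
}
```

The same two-step check applies to any length read from a file format and stored in a signed type: test the sign first, then test any arithmetic on it, and only then convert to the unsigned type the allocator or read call takes.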
Committed, thank you for the great contribution, Vladimir! I also added the patch for python33.
Re-open for MFH (to quarterly)
A commit references this bug:

Author: rm
Date: Sun Jun 19 06:42:27 UTC 2016
New revision: 417101
URL: https://svnweb.freebsd.org/changeset/ports/417101

Log:
  MFH: r417019

  lang/python[xx]: backport upstream fix for CVE-2016-5636

  Add patch for integer overflow in zipimport module to all our python ports.

  While I'm here, get rid of -f flag in ${RM} invocation, because ${RM}
  already expands to rm -f, so as a result we are getting something like:

  /bin/rm -f -f /wrkdirs/usr/ports/lang/python35/work/stage/usr/local/lib/libpython3.so

  PR:           210325
  Submitted by: Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Security:     1d0f6852-33d8-11e6-a671-60a44ce6887b
  With hat:     python
  Approved by:  ports-secteam (junovitch)

Changes:
_U  branches/2016Q2/
  branches/2016Q2/lang/python27/Makefile
  branches/2016Q2/lang/python27/files/patch-Modules_zipimport.c
  branches/2016Q2/lang/python33/Makefile
  branches/2016Q2/lang/python33/files/patch-Modules_zipimport.c
  branches/2016Q2/lang/python34/Makefile
  branches/2016Q2/lang/python34/files/patch-Modules_zipimport.c
  branches/2016Q2/lang/python35/Makefile
  branches/2016Q2/lang/python35/files/patch-Modules_zipimport.c
Merged to 2016Q2