Bug 210325 - lang/python35, lang/python34, lang/python33, lang/python27: Backport patches for CVE-2016-5636
Summary: lang/python35, lang/python34, lang/python33, lang/python27: Backport patches ...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Ruslan Makhmatkhanov
URL: http://bugs.python.org/issue26171
Keywords: easy, patch, patch-ready, security
Depends on:
Blocks:
 
Reported: 2016-06-16 16:23 UTC by VK
Modified: 2016-06-19 08:16 UTC
5 users

See Also:
koobs: maintainer-feedback+
koobs: merge-quarterly+


Attachments
Patch pythons against CVE-2016-5636 (3.31 KB, patch)
2016-06-16 16:23 UTC, VK
vlad-fbsd: maintainer-approval? (python)
Patch python33 against CVE-2016-5636 (1.20 KB, patch)
2016-06-16 18:23 UTC, VK
vlad-fbsd: maintainer-approval? (python)

Description VK freebsd_triage 2016-06-16 16:23:39 UTC
Created attachment 171489 [details]
Patch pythons against CVE-2016-5636

Backported patches for pythons, for CVE-2016-5636.

This includes Python 3.5, 3.4 and 2.7; they are upstream patches. I have not tried to apply the fix to 3.3 and 3.2.

Poudriere 10.3-p5 amd64 builds fine.
Comment 1 VK freebsd_triage 2016-06-16 18:23:17 UTC
Created attachment 171491 [details]
Patch python33 against CVE-2016-5636

This backports the fix to python33 as well. I'm attaching it as a separate patch for review because it is not part of upstream. Investigating why that is so, since 3.3 is in security-only mode till next year.

Poudriere builds it. Python's test suite passed for 'zipimport'.
Comment 2 Ruslan Makhmatkhanov freebsd_committer 2016-06-17 09:03:33 UTC
I'll take it
Comment 3 VK freebsd_triage 2016-06-17 09:49:11 UTC
Thanks. Meanwhile it turns out Python 3.3 should be added to this as well. I've submitted my backport from Bug #210324 upstream and they will likely act on it:

https://bugs.python.org/issue26171
Comment 4 commit-hook freebsd_committer 2016-06-17 17:09:17 UTC
A commit references this bug:

Author: rm
Date: Fri Jun 17 17:09:06 UTC 2016
New revision: 417019
URL: https://svnweb.freebsd.org/changeset/ports/417019

Log:
  lang/python[xx]: backport upstream fix for CVE-2016-5636

  Add patch for integer overflow in zipimport module to all our python ports.

  While I'm here, get rid of -f flag in ${RM} invocation, because ${RM} already
  expands to rm -f, so as a result we are getting something like:

  /bin/rm -f -f /wrkdirs/usr/ports/lang/python35/work/stage/usr/local/lib/libpython3.so

  PR:		210325
  Submitted by:	 Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Security:	1d0f6852-33d8-11e6-a671-60a44ce6887b
  With hat:	python

Changes:
  head/lang/python27/Makefile
  head/lang/python27/files/patch-Modules_zipimport.c
  head/lang/python33/Makefile
  head/lang/python33/files/patch-Modules_zipimport.c
  head/lang/python34/Makefile
  head/lang/python34/files/patch-Modules_zipimport.c
  head/lang/python35/Makefile
  head/lang/python35/files/patch-Modules_zipimport.c
Comment 5 Ruslan Makhmatkhanov freebsd_committer 2016-06-17 17:12:10 UTC
Committed, thank you for the great contribution Vladimir!
I also added patch for python33.
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2016-06-19 02:16:01 UTC
Re-open for MFH (to quarterly)
Comment 7 commit-hook freebsd_committer 2016-06-19 06:43:19 UTC
A commit references this bug:

Author: rm
Date: Sun Jun 19 06:42:27 UTC 2016
New revision: 417101
URL: https://svnweb.freebsd.org/changeset/ports/417101

Log:
  MFH: r417019

  lang/python[xx]: backport upstream fix for CVE-2016-5636

  Add patch for integer overflow in zipimport module to all our python ports.

  While I'm here, get rid of -f flag in ${RM} invocation, because ${RM} already
  expands to rm -f, so as a result we are getting something like:

  /bin/rm -f -f /wrkdirs/usr/ports/lang/python35/work/stage/usr/local/lib/libpython3.so

  PR:		210325
  Submitted by:	 Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Security:	1d0f6852-33d8-11e6-a671-60a44ce6887b
  With hat:	python

  Approved by:	ports-secteam (junovitch)

Changes:
_U  branches/2016Q2/
  branches/2016Q2/lang/python27/Makefile
  branches/2016Q2/lang/python27/files/patch-Modules_zipimport.c
  branches/2016Q2/lang/python33/Makefile
  branches/2016Q2/lang/python33/files/patch-Modules_zipimport.c
  branches/2016Q2/lang/python34/Makefile
  branches/2016Q2/lang/python34/files/patch-Modules_zipimport.c
  branches/2016Q2/lang/python35/Makefile
  branches/2016Q2/lang/python35/files/patch-Modules_zipimport.c
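As an added illustration of the bug class that both commit logs above (r417019 and its MFH r417101) describe, an integer overflow in the zipimport module, here is example C code. It is not the ports patch, not CPython's Modules/zipimport.c, and not the submitter's or committer's work. It assumes a hypothetical zip member header with a `data_size` field and a `compress` method, and the convention that an uncompressed member reserves one extra byte; the names `buffer_len_unchecked`, `buffer_len_checked`, `alloc_member_buffer` and `avail` are chosen for the example.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example (not the ports patch, not CPython's zipimport.c).
 * data_size and compress are assumed to come straight from a zip member
 * header, so a hostile archive controls them. */

/* Unchecked length computation of the kind the commit log calls an
 * integer overflow: an uncompressed member reserves one extra byte, and
 * data_size + 1 has no defined result when data_size == LONG_MAX.
 * Kept only as a reference; never called with hostile input here. */
static long buffer_len_unchecked(long data_size, int compress)
{
    return compress == 0 ? data_size + 1 : data_size;
}

/* Checked version. avail is the number of bytes left in the archive after
 * the header. Rejects negative sizes, sizes that cannot be incremented
 * without overflow, and sizes larger than the file can actually hold.
 * Returns the buffer length, or -1 for a malformed or oversized header. */
static long buffer_len_checked(long data_size, int compress, long avail)
{
    if (data_size < 0 || avail < 0)
        return -1;
    if (compress == 0 && data_size > LONG_MAX - 1)
        return -1;                  /* data_size + 1 would overflow */
    if (data_size > avail)
        return -1;                  /* header claims more than the file holds */
    return compress == 0 ? data_size + 1 : data_size;
}

/* Allocation that only trusts a length that passed the check. */
static unsigned char *alloc_member_buffer(long data_size, int compress, long avail)
{
    long n = buffer_len_checked(data_size, compress, avail);
    if (n < 0)
        return NULL;
    return (unsigned char *)malloc((size_t)n);
}

int main(void)
{
    /* constructed header values: a sane member and a hostile one */
    long archive_remaining = 4096;
    printf("sane    (unchecked): %ld\n", buffer_len_unchecked(1024, 0));
    printf("sane    (checked)  : %ld\n", buffer_len_checked(1024, 0, archive_remaining));
    printf("hostile (checked)  : %ld\n", buffer_len_checked(LONG_MAX, 0, archive_remaining));

    unsigned char *buf = alloc_member_buffer(1024, 0, archive_remaining);
    if (buf == NULL)
        return 1;
    free(buf);
    return 0;
}
```

The two checks are ordered so that the overflow test runs before the size-versus-archive test; with the order reversed, a truthful `avail` would mask the overflow case and the check would silently depend on a field the caller may not always know.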
Comment 8 Ruslan Makhmatkhanov freebsd_committer 2016-06-19 06:44:41 UTC
Merged to 2016Q2