On 3/16/21 12:25 AM, Rahul Taya wrote:
> Hi Martin,
>
> Is there any update for the nghttp2 CVE-2020-11080 fix that you have sent
> earlier?
>
> https://git.openembedded.org/meta-openembedded-contrib/commit/?h=jansa/dunfell&id=3a3a6c4e42d0b1c22d4e0d9cfd42d3e119972ce0
>
> I think it's still not merged.
I took the v2 and it's in dunfell-next.
-armin
>
> Thanks and Regards,
> Rahul Taya
> ------------------------------------------------------------------------
> *From:* Martin Jansa <martin.jansa@gmail.com>
> *Sent:* Wednesday, March 3, 2021 9:22 PM
> *To:* Rahul Taya <Rahul.Taya@kpit.com>
> *Cc:* openembedded-devel <openembedded-devel@lists.openembedded.org>;
> Harpritkaur Bhandari <Harpritkaur.Bhandari@kpit.com>; Nisha Parrakat
> <Nisha.Parrakat@kpit.com>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
> CVE-2019-9674
>
> On Wed, Mar 3, 2021 at 4:26 PM Rahul Taya <Rahul.Taya@kpit.com> wrote:
>
> Hi Martin,
>
> No, I run devtool modify python only once and it applies the patch
> in the source file.
>
>
> Then you had to run "git am" manually in this directory and never
> finished it? You need to finish it or call git am --abort when you give up.
>
> What I'm not getting is how I generate a patch after this.
> By taking a git diff between the original source file and the patched
> file, or what?
>
>
> either "git format-patch" when you have applied the patch manually or
> "devtool finish --force-patch-refresh ..." will call "git
> format-patch" for you when devtool was able to apply the patch with
> just a fuzz.
>
> Anyway you're still expected to review the changes in regenerated
> patch to confirm that it still does what it was supposed to do.
>
> Yes Martin, you applied my patch in master-next, which is also
> required for dunfell. As I have other patches too, i.e. the
> CVE-2019-20907 patch for python that I have sent and the nghttp2 patch,
> that's why I thought to fix their warnings also using devtool and
> then send them to you for applying.
>
>
> I've already applied CVE-2019-20907 as well and fixed the patch-fuzz
> there, will push it to master-next as well. I'll push it to
> gatesgarth-next and dunfell-next as well.
>
> And for the nghttp2 patch I've sent the fix as well, see:
>
> https://git.openembedded.org/meta-openembedded-contrib/commit/?h=jansa/dunfell&id=3a3a6c4e42d0b1c22d4e0d9cfd42d3e119972ce0
>
> which I've sent when your version of the patch was in dunfell-next, see:
>
> https://lists.openembedded.org/g/openembedded-devel/message/89628
>
> +oe-devel ML
>
> *From:* Martin Jansa <martin.jansa@gmail.com>
> *Sent:* Wednesday, March 3, 2021 8:03:12 PM
> *To:* Rahul Taya <Rahul.Taya@kpit.com>
> *Cc:* openembedded-devel@lists.openembedded.org
> <openembedded-devel@lists.openembedded.org>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix
> for CVE-2019-9674
>
> Did you run "devtool modify python" twice? If the first call
> failed to apply patches you need to go
> into workspace/sources/python and finish applying it manually.
>
> But as said in previous e-mails I've already updated your python
> patch to apply cleanly (and it's in meta-python2/master-next), so
> I'm not sure what you're trying to do now.
>
> On Wed, Mar 3, 2021 at 2:51 PM Rahul Taya <Rahul.Taya@kpit.com> wrote:
>
> Hi Martin,
>
> Firstly I run: *devtool modify python*
>
> This command applied all the patches to the source code.
> After this, when I run:
>
> devtool finish --force-patch-refresh <recipe> <layer_path>
>
> where recipe = python and layer path = /workspace/sources/python
>
> I'm getting the message: *workspace/sources/python appears to be
> in the middle of 'git am' or 'git apply' - please resolve this
> first*
>
> Can you please help with why I'm getting this and how to resolve it?
>
> Thanks and Regards,
> Rahul Taya
> ------------------------------------------------------------------------
> *From:* openembedded-devel@lists.openembedded.org
> <openembedded-devel@lists.openembedded.org> on behalf
> of Martin Jansa via lists.openembedded.org
> <Martin.Jansa=gmail.com@lists.openembedded.org>
> *Sent:* Monday, March 1, 2021 8:16 PM
> *To:* Rahul Taya <Rahul.Taya@kpit.com>
> *Cc:* openembedded-devel
> <openembedded-devel@lists.openembedded.org>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add
> fix for CVE-2019-9674
>
> > Can you please tell me what I should do if a fuzz is
> > detected while applying a patch or I see some warning message?
>
> The QA warning/error message about patch-fuzz shows you how to
> easily resolve the fuzz with devtool.
>
> If it doesn't apply at all (like that nghttp2 patch), then you
> need to apply it manually by resolving all conflicts and then
> refresh the patch file (I usually create a git repo in ${S} if
> it isn't there already from SRC_URI, then manually apply the
> failing patch and then git format-patch it).
>
> On Mon, Mar 1, 2021 at 3:26 PM Rahul Taya <Rahul.Taya@kpit.com> wrote:
>
> Hi Martin,
>
> Yes, I think you are right; it can be possible that I
> overlooked or missed the warning.
>
> Can you please tell me what I should do if a fuzz is
> detected while applying a patch or I see some warning message?
>
>
> For the nghttp patch please check the attached screenshot; this is
> the last message that I saw.
> Can you tell me what to do next for that patch?
>
> Thanks and Regards,
> Rahul Taya
> ------------------------------------------------------------------------
> *From:* Martin Jansa <martin.jansa@gmail.com>
> *Sent:* Thursday, February 25, 2021 10:33 PM
> *To:* Rahul Taya <Rahul.Taya@kpit.com>
> *Cc:* openembedded-devel
> <openembedded-devel@lists.openembedded.org>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python:
> Add fix for CVE-2019-9674
>
> Hi Rahul,
>
> you probably don't have patch-fuzz in ERROR_QA and
> overlooked the warning generated by this QA check which is
> by default only in WARN_QA.
>
> Or you weren't testing it with the master branch, as the
> subject says it's for dunfell, but the python version
> is the same in master and dunfell, so the warning should
> be triggered in both.
>
> On Thu, Feb 25, 2021 at 5:19 PM Rahul Taya <Rahul.Taya@kpit.com> wrote:
>
> Hi Martin,
>
> I have tested my changes before sending them to you or the ML; I
> don't know why it is failing now at your side.
>
> Thanks and Regards,
> Rahul
>
> ------------------------------------------------------------------------
> *From:* Martin Jansa <martin.jansa@gmail.com>
> *Sent:* Thursday, February 25, 2021 8:25:50 PM
> *To:* Rahul Taya <Rahul.Taya@kpit.com>
> *Cc:* openembedded-devel
> <openembedded-devel@lists.openembedded.org>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH]
> python: Add fix for CVE-2019-9674
>
> Hi,
>
> normally you should fork meta-python2 and send a link
> to meta-python2 change I can cherry-pick, not the blob
> in otherwise empty repo.
>
> But as I've said in previous reply, I've already
> manually applied your change in meta-python2
> master-next where it's now failing:
>
> ERROR: python-native-2.7.18-r0 do_patch: Fuzz detected:
>
> Applying patch CVE-2019-9674.patch
> patching file Doc/library/zipfile.rst
> Hunk #1 succeeded at 554 with fuzz 2 (offset -20 lines).
>
>
> The context lines in the patches can be updated with devtool:
>
> devtool modify python-native
> devtool finish --force-patch-refresh python-native <layer_path>
>
> Don't forget to review changes done by devtool!
>
> ERROR: python-native-2.7.18-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz]
>
> so I'll fix this as well, but next time please better test your changes (nghttp2 patch also didn't apply, see my reply there, not sure if you have fixed that in v2)
>
> Regards,
>
>
>
>
> On Thu, Feb 25, 2021 at 9:09 AM Rahul Taya <Rahul.Taya@kpit.com> wrote:
>
> Hi Martin,
>
> I removed the emoticons and uploaded the patch to
> my git repo; please access the link below:
>
> https://github.com/Rahult9/upstream_patch/blob/main/CVE-2019-9674.patch
>
>
> Thanks and Regards,
> Rahul Taya
> ------------------------------------------------------------------------
> *From:* Martin Jansa <martin.jansa@gmail.com>
> *Sent:* Thursday, February 18, 2021 10:58 PM
> *To:* Rahul Taya <Rahul.Taya@kpit.com>
> *Cc:* openembedded-devel
> <openembedded-devel@lists.openembedded.org>;
> Khem Raj <raj.khem@gmail.com>; Nisha Parrakat
> <Nisha.Parrakat@kpit.com>; Harpritkaur
> Bhandari <Harpritkaur.Bhandari@kpit.com>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH]
> python: Add fix for CVE-2019-9674
>
> "git am" doesn't like those emoticons in the
> .patch file..
>
> git am ~/py2/cur/16136689*
> error: cannot convert from 8bit to UTF-8
> fatal: could not parse patch
>
> either drop them or upload it to some git repo so
> I can cherry-pick it from there.
>
> On Thu, Feb 18, 2021 at 3:18 PM Rahul Taya
> <Rahul.Taya@kpit.com> wrote:
>
> For python and python-native added patch to fix
> CVE-2019-9674
>
> Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>
> ---
> recipes-devtools/python/python.inc
> | 1 +
> .../python/python/CVE-2019-9674.patch
> | 83 +++++++++++++++++++
> 2 files changed, 84 insertions(+)
> create mode 100644
> recipes-devtools/python/python/CVE-2019-9674.patch
>
> diff --git
> a/recipes-devtools/python/python.inc
> b/recipes-devtools/python/python.inc
> index a4ba0c5..787f23e 100644
> --- a/recipes-devtools/python/python.inc
> +++ b/recipes-devtools/python/python.inc
> @@ -8,6 +8,7 @@ INC_PR = "r1"
> LIC_FILES_CHKSUM =
> "
file://LICENSE;md5=203a6dbc802ee896020a47161e759642"
>
> SRC_URI =
> "
https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.python.org%2Fftp%2Fpython%2F%24&data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195958428%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=YgvZGm4S04pyLBIJ1uWZUBOFfwjncvYCBQqtxcpb%2Ffk%3D&reserved=0{PV}/Python-${PV}.tar.xz
> <
https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.python.org%2Fftp%2Fpython%2F%24%257BPV%257D%2FPython-%24%257BPV%257D.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195958428%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=o8CLLBE3r1qCYvQCa0UnT%2F0YyrWtA%2FJTrF9qc4SI1C8%3D&reserved=0>
> \
> +
file://CVE-2019-9674.patch \
> "
>
> SRC_URI[sha256sum] =
> "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43"
> diff --git
> a/recipes-devtools/python/python/CVE-2019-9674.patch
> b/recipes-devtools/python/python/CVE-2019-9674.patch
> new file mode 100644
> index 0000000..647d9da
> --- /dev/null
> +++
> b/recipes-devtools/python/python/CVE-2019-9674.patch
> @@ -0,0 +1,83 @@
> +From 3ba51d587f6897a45301ce9126300c14fcd4eba2
> Mon Sep 17 00:00:00 2001
> +From: JunWei Song <sungboss2004@gmail.com
> <
mailto:sungboss2004@gmail.com>>
> +Date: Wed, 11 Sep 2019 23:04:12 +0800
> +Subject: [PATCH] bpo-36260: Add pitfalls to
> zipfile module documentation
> + (#13378)
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +* bpo-36260: Add pitfalls to zipfile module
> documentation
> +
> +We saw vulnerability warning description
> (including zip bomb) in Doc/library/xml.rst file.
> +This gave us the idea of documentation
> improvement.
> +
> +So, we moved a little bit forward :P
> +And the doc patch can be found (pr).
> +
> +* fix trailing whitespace
> +
> +* 📜🤖 Added by blurb_it.
> +
> +* Reformat text for consistency.
> +
> +Upstream-Status:
> Backport[
https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195958428%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=LigtTtKiQqOE1DaKdduFpRk45Po8xzKiuUUQ6WMUF0s%3D&reserved=0
> <
https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195958428%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=LigtTtKiQqOE1DaKdduFpRk45Po8xzKiuUUQ6WMUF0s%3D&reserved=0>]
> +CVE: CVE-2019-9674
> +Link:
>
https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195958428%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=LigtTtKiQqOE1DaKdduFpRk45Po8xzKiuUUQ6WMUF0s%3D&reserved=0
> <
https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195958428%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=LigtTtKiQqOE1DaKdduFpRk45Po8xzKiuUUQ6WMUF0s%3D&reserved=0>
> +Comment: From the original patch skipped
> changes for file
> +Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
> +as this file is not present in our source code.
> +---
> + Doc/library/zipfile.rst
> | 41 +++++++++++++++++++
> + 1 files changed, 41 insertions(+)
> +
> +diff --git a/Doc/library/zipfile.rst
> b/Doc/library/zipfile.rst
> +index b421ea5..2e0a91d 100644
> +--- a/Doc/library/zipfile.rst
> ++++ b/Doc/library/zipfile.rst
> +@@ -574,4 +574,45 @@ Instances have the
> following attributes:
> +
> + Size of the uncompressed file.
> +
> ++Decompression pitfalls
> ++----------------------
> ++
> ++The extraction in zipfile module might fail
> due to some pitfalls listed below.
> ++
> ++From file itself
> ++~~~~~~~~~~~~~~~~
> ++
> ++Decompression may fail due to incorrect
> password / CRC checksum / ZIP format or
> ++unsupported compression method / decryption.
> ++
> ++File System limitations
> ++~~~~~~~~~~~~~~~~~~~~~~~
> ++
> ++Exceeding limitations on different file
> systems can cause decompression failed.
> ++Such as allowable characters in the
> directory entries, length of the file name,
> ++length of the pathname, size of a single
> file, and number of files, etc.
> ++
> ++Resources limitations
> ++~~~~~~~~~~~~~~~~~~~~~
> ++
> ++The lack of memory or disk volume would lead
> to decompression
> ++failed. For example, decompression bombs
> (aka `ZIP bomb`_)
> ++apply to zipfile library that can cause disk
> volume exhaustion.
> ++
> ++Interruption
> ++~~~~~~~~~~~~
> ++
> ++Interruption during the decompression, such
> as pressing control-C or killing the
> ++decompression process may result in
> incomplete decompression of the archive.
> ++
> ++Default behaviors of extraction
> ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ++
> ++Not knowing the default extraction behaviors
> ++can cause unexpected decompression results.
> ++For example, when extracting the same
> archive twice,
> ++it overwrites files without asking.
> ++
> ++
> ++.. _ZIP bomb:
>
https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FZip_bomb&data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195968419%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=NincL7zuqCKvA8QsLsyaaOZnhMw38Rd%2FEuy4gs7A7y0%3D&reserved=0
> <
https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FZip_bomb&data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195968419%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=NincL7zuqCKvA8QsLsyaaOZnhMw38Rd%2FEuy4gs7A7y0%3D&reserved=0>
> + .. _PKZIP Application Note:
>
https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpkware.cachefly.net%2Fwebdocs%2Fcasestudies%2FAPPNOTE.TXT&data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195968419%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=60Az8NdjIo%2F9gbQMWhnSgHZE9WtnAfcCmo0d25HexUc%3D&reserved=0
> <
https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpkware.cachefly.net%2Fwebdocs%2Fcasestudies%2FAPPNOTE.TXT&data=04%7C01%7CRahul.Taya%40kpit.com%7Ca0b16d21b0fc42869bf008d8e8ff3230%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637515530195968419%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=60Az8NdjIo%2F9gbQMWhnSgHZE9WtnAfcCmo0d25HexUc%3D&reserved=0>
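Review bot: the `Upstream-Status:` line at the top of the new file points at an Ubuntu python3.5 debian tarball rather than the CPython commit named in the `From 3ba51d587f6897a45301ce9126300c14fcd4eba2` header, and the same tarball URL is repeated on the `Link:` line; use `Upstream-Status: Backport [<upstream commit>]` with a space before the bracket and drop the duplicate. The hunk header `@@ -574,4 +574,45 @@` also comes from that 3.5 tree: against Python-2.7.18 it lands at line 554 with fuzz 2 and offset -20, exactly as the QA error quoted above reports, so regenerate the patch against 2.7.18 (`devtool finish --force-patch-refresh`) before resending. The `* 📜🤖 Added by blurb_it.` line in the commit message is the 8-bit text that made `git am` fail on the mailed copy; dropping it, or publishing a git branch to cherry-pick from, avoids that. Finally, the change is documentation only (a new "Decompression pitfalls" section in Doc/library/zipfile.rst), which is worth stating in the `Comment:` so reviewers know the `CVE:` tag marks CVE-2019-9674 as addressed by documentation with no code change.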
> --
> 2.17.1
>
> This message contains information that may be
> privileged or confidential and is the property
> of the KPIT Technologies Ltd. It is intended
> only for the person to whom it is addressed.
> If you are not the intended recipient, you are
> not authorized to read, print, retain copy,
> disseminate, distribute, or use this message
> or any part thereof. If you receive this
> message in error, please notify the sender
> immediately and delete all copies of this
> message. KPIT Technologies Ltd. does not
> accept any liability for virus infected mails.
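The distinction Martin draws in the thread (a patch-fuzz QA message means devtool can refresh the context lines for you; a hunk that fails outright has to be resolved by hand and regenerated with git format-patch) can be turned into a small checker over a do_patch log. The following is an added example written for this page, not code from oe-core, devtool or meta-python2: it parses the `Hunk #N ...` lines GNU patch prints, mimics the WARN_QA/ERROR_QA handling of patch-fuzz, and prints the next step per patch. The sample log is constructed; only its first three lines reproduce the CVE-2019-9674 message quoted above, and the names example-offset.patch, example-failing.patch, Lib/example.py and src/example.c are placeholders, not real patches.

```python
"""Classify a BitBake do_patch log: clean, fuzz (refresh with devtool) or failed (fix by hand).

Added example for this page, not code from oe-core, devtool or meta-python2.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log. The first three lines reproduce the message quoted in the
# thread; the other patch and file names are placeholders, not real patches.
SAMPLE_LOG = """\
Applying patch CVE-2019-9674.patch
patching file Doc/library/zipfile.rst
Hunk #1 succeeded at 554 with fuzz 2 (offset -20 lines).
Applying patch example-offset.patch
patching file Lib/example.py
Hunk #1 succeeded at 120 (offset 3 lines).
Hunk #2 succeeded at 240.
Applying patch example-failing.patch
patching file src/example.c
Hunk #1 FAILED at 104.
Hunk #2 succeeded at 250 (offset 1 line).
1 out of 2 hunks FAILED -- saving rejects to file src/example.c.rej
"""

# Lines as GNU patch prints them (quilt/devtool relay them into log.do_patch).
APPLY_RE = re.compile(r"^Applying patch (?P<patch>\S+)")
FILE_RE = re.compile(r"^patching file (?P<file>\S+)")
HUNK_RE = re.compile(
    r"^Hunk #(?P<num>\d+) (?P<status>succeeded|FAILED) at (?P<line>\d+)"
    r"(?: with fuzz (?P<fuzz>\d+))?"
    r"(?: \(offset (?P<offset>-?\d+) lines?\))?"
)

SEVERITY = {"clean": 0, "fuzz": 1, "failed": 2}
QA_TEXT = "QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz]"


@dataclass
class Hunk:
    patch: str
    file: str
    num: int
    line: int
    failed: bool
    fuzz: int = 0     # context lines patch had to ignore; 0 means an exact match
    offset: int = 0   # how far from the hunk header's line number it applied


def parse_patch_log(log: str) -> list[Hunk]:
    """Extract one Hunk per 'Hunk #N ...' line, tagged with its patch and file."""
    patch = file = "?"
    hunks: list[Hunk] = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := APPLY_RE.match(line):
            patch = m["patch"]
        elif m := FILE_RE.match(line):
            file = m["file"]
        elif m := HUNK_RE.match(line):
            hunks.append(Hunk(patch, file, int(m["num"]), int(m["line"]),
                              m["status"] == "FAILED",
                              int(m["fuzz"] or 0), int(m["offset"] or 0)))
    return hunks


def classify(hunks: list[Hunk]) -> dict[str, str]:
    """Worst verdict per patch. An offset alone is still 'clean': patch-fuzz only
    fires on fuzz, and a FAILED hunk aborts do_patch before any QA check runs."""
    verdict: dict[str, str] = {}
    for h in hunks:
        v = "failed" if h.failed else "fuzz" if h.fuzz else "clean"
        if SEVERITY[v] >= SEVERITY[verdict.get(h.patch, "clean")]:
            verdict[h.patch] = v
    return verdict


def qa_messages(hunks: list[Hunk], recipe: str = "python-native-2.7.18-r0",
                error_qa: tuple[str, ...] = ()) -> list[str]:
    """patch-fuzz is in WARN_QA by default and becomes an ERROR only when listed in
    ERROR_QA. Failed hunks are always fatal (the wording of that message is this
    example's own, not BitBake's)."""
    msgs = []
    for patch, v in classify(hunks).items():
        if v == "fuzz":
            level = "ERROR" if "patch-fuzz" in error_qa else "WARNING"
            msgs.append(f"{level}: {recipe} do_patch: {QA_TEXT} ({patch})")
        elif v == "failed":
            msgs.append(f"ERROR: {recipe} do_patch: {patch} does not apply, fix by hand")
    return msgs


def advice(patch: str, verdict: str, recipe: str, layer: str) -> list[str]:
    """Next step for one patch, following the two routes described in the thread."""
    if verdict == "fuzz":
        return [f"devtool modify {recipe}",
                f"devtool finish --force-patch-refresh {recipe} {layer}",
                f"review the regenerated {patch}: same hunks, only context lines moved"]
    if verdict == "failed":
        return [f"cd into the source tree (git init it if SRC_URI did not), git am {patch}",
                "resolve the rejects, git add, git am --continue (git am --abort to give up)",
                f"git format-patch -1 to regenerate {patch}, then review it"]
    return []


def main() -> None:
    hunks = parse_patch_log(SAMPLE_LOG)
    for msg in qa_messages(hunks):
        print(msg)
    for patch, v in classify(hunks).items():
        print(f"{patch}: {v}")
        for step in advice(patch, v, "python-native", "../meta-python2"):
            print(f"    {step}")


if __name__ == "__main__":
    main()
```

Run it as a script to see the verdict and next step for each patch in the sample log; pass `error_qa=("patch-fuzz",)` to `qa_messages` to see how the same fuzz turns from the default warning into the error Martin hit with patch-fuzz in ERROR_QA.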