For python and python-native added patch to fix CVE-2019-9674 Signed-off-by: Rahul Taya --- recipes-devtools/python/python.inc | 1 + .../python/python/CVE-2019-9674.patch | 83 +++++++++++++++++++ 2 files changed, 84 insertions(+) create mode 100644 recipes-devtools/python/python/CVE-2019-9674.patch diff --git a/recipes-devtools/python/python.inc b/recipes-devtools/python/python.inc index a4ba0c5..787f23e 100644 --- a/recipes-devtools/python/python.inc +++ b/recipes-devtools/python/python.inc @@ -8,6 +8,7 @@ INC_PR = "r1" LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642" SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ + file://CVE-2019-9674.patch \ " SRC_URI[sha256sum] = "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43" diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch b/recipes-devtools/python/python/CVE-2019-9674.patch new file mode 100644 index 0000000..647d9da --- /dev/null +++ b/recipes-devtools/python/python/CVE-2019-9674.patch @@ -0,0 +1,83 @@ +From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001 +From: JunWei Song +Date: Wed, 11 Sep 2019 23:04:12 +0800 +Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation + (#13378) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +* bpo-36260: Add pitfalls to zipfile module documentation + +We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file. +This gave us the idea of documentation improvement. + +So, we moved a little bit forward :P +And the doc patch can be found (pr). + +* fix trailing whitespace + +* 📜🤖 Added by blurb_it. + +* Reformat text for consistency. + +Upstream-Status: Backport[http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz] +CVE: CVE-2019-9674 +Link: http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz +Comment: From the original patch skipped changes for file +Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst +as this file is not present in our source code. +--- + Doc/library/zipfile.rst | 41 +++++++++++++++++++ + 1 files changed, 41 insertions(+) + +diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst +index b421ea5..2e0a91d 100644 +--- a/Doc/library/zipfile.rst ++++ b/Doc/library/zipfile.rst +@@ -574,4 +574,45 @@ Instances have the following attributes: + + Size of the uncompressed file. + ++Decompression pitfalls ++---------------------- ++ ++The extraction in zipfile module might fail due to some pitfalls listed below. ++ ++From file itself ++~~~~~~~~~~~~~~~~ ++ ++Decompression may fail due to incorrect password / CRC checksum / ZIP format or ++unsupported compression method / decryption. ++ ++File System limitations ++~~~~~~~~~~~~~~~~~~~~~~~ ++ ++Exceeding limitations on different file systems can cause decompression failed. ++Such as allowable characters in the directory entries, length of the file name, ++length of the pathname, size of a single file, and number of files, etc. ++ ++Resources limitations ++~~~~~~~~~~~~~~~~~~~~~ ++ ++The lack of memory or disk volume would lead to decompression ++failed. For example, decompression bombs (aka `ZIP bomb`_) ++apply to zipfile library that can cause disk volume exhaustion. ++ ++Interruption ++~~~~~~~~~~~~ ++ ++Interruption during the decompression, such as pressing control-C or killing the ++decompression process may result in incomplete decompression of the archive. ++ ++Default behaviors of extraction ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ++ ++Not knowing the default extraction behaviors ++can cause unexpected decompression results. ++For example, when extracting the same archive twice, ++it overwrites files without asking. ++ ++ ++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb + .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT -- 2.17.1 This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.