From: "Martin Jansa"
Date: Wed, 3 Mar 2021 15:33:12 +0100
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674
To: Rahul Taya
Cc: "openembedded-devel@lists.openembedded.org"

Did you run "devtool modify python" twice? If the first call failed to apply patches you need to go into workspace/sources/python and finish applying it manually.

But as said in previous e-mails I've already updated your python patch to apply cleanly (and it's in meta-python2/master-next), so I'm not sure what you're trying to do now.

On Wed, Mar 3, 2021 at 2:51 PM Rahul Taya wrote:
> Hi Martin,
>
> Firstly I run: *devtool modify python*
>
> this command applied all the patches in the source code.
> After this when I run:
>
>     devtool finish --force-patch-refresh <recipe> <layer_path>
>
> where recipe = python and layer path = /workspace/sources/python
>
> I'm getting message: *workspace/sources/python appears to be in the middle of 'git am' or 'git apply' - please resolve this first*
>
> Can you please help why I'm getting this and how to resolve it?
>
> Thanks and Regards,
> Rahul Taya
> ------------------------------
> *From:* openembedded-devel@lists.openembedded.org <openembedded-devel@lists.openembedded.org> on behalf of Martin Jansa via lists.openembedded.org
> *Sent:* Monday, March 1, 2021 8:16 PM
> *To:* Rahul Taya
> *Cc:* openembedded-devel
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674
>
> > Can you please tell me what I should do if a fuzz is detected while applying patch or I see some warning message?
>
> The QA warning/error message about patch-fuzz shows you how to easily resolve the fuzz with devtool.
>
> If it doesn't apply at all (like that nghttp2 patch), then you need to apply it manually by resolving all conflicts and then refresh the patch file (I usually create a git repo in ${S} if it isn't there already from SRC_URI, then manually apply the failing patch and then git format-patch it).
>
> On Mon, Mar 1, 2021 at 3:26 PM Rahul Taya wrote:
> Hi Martin,
>
> Yes I think you are right, it can be possible that I overlooked or missed the warning.
>
> Can you please tell me what I should do if a fuzz is detected while applying patch or I see some warning message?
>
> For nghttp patch please check attached screenshot, this is the last message that I saw.
> Can you tell me what next to do for that patch?
>
> Thanks and Regards,
> Rahul Taya
> ------------------------------
> *From:* Martin Jansa
> *Sent:* Thursday, February 25, 2021 10:33 PM
> *To:* Rahul Taya
> *Cc:* openembedded-devel
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674
>
> Hi Rahul,
>
> you probably don't have patch-fuzz in ERROR_QA and overlooked the warning generated by this QA check which is by default only in WARN_QA.
>
> Or you weren't testing it with master branch as the subject says it's for dunfell, but the python version is the same in master and dunfell, so the warning should be triggered in both.
>
> On Thu, Feb 25, 2021 at 5:19 PM Rahul Taya wrote:
> Hi Martin,
>
> I have tested my changes before sending to you or ML, I don't know why it is failing now at your side.
>
> Thanks and Regards,
> Rahul
> ------------------------------
> *From:* Martin Jansa
> *Sent:* Thursday, February 25, 2021 8:25:50 PM
> *To:* Rahul Taya
> *Cc:* openembedded-devel
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674
>
> Hi,
>
> normally you should fork meta-python2 and send a link to meta-python2 change I can cherry-pick, not the blob in otherwise empty repo.
>
> But as I've said in previous reply, I've already manually applied your change in meta-python2 master-next where it's now failing:
>
> ERROR: python-native-2.7.18-r0 do_patch: Fuzz detected:
>
> Applying patch CVE-2019-9674.patch
> patching file Doc/library/zipfile.rst
> Hunk #1 succeeded at 554 with fuzz 2 (offset -20 lines).
>
>
> The context lines in the patches can be updated with devtool:
>
>     devtool modify python-native
>     devtool finish --force-patch-refresh python-native <layer_path>
>
> Don't forget to review changes done by devtool!
>
> ERROR: python-native-2.7.18-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz]
>
> so I'll fix this as well, but next time please better test your changes (nghttp2 patch also didn't apply, see my reply there, not sure if you have fixed that in v2)
>
> Regards,
>
> On Thu, Feb 25, 2021 at 9:09 AM Rahul Taya wrote:
> Hi Martin,
>
> I removed the emoticons and uploaded the patch to my git repo, please access below link:
>
> https://github.com/Rahult9/upstream_patch/blob/main/CVE-2019-9674.patch
>
> Thanks and Regards,
> Rahul Taya
> ------------------------------
> *From:* Martin Jansa
> *Sent:* Thursday, February 18, 2021 10:58 PM
> *To:* Rahul Taya
> *Cc:* openembedded-devel; Khem Raj; Nisha Parrakat; Harpritkaur Bhandari
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674
>
> "git am" doesn't like those emoticons in the .patch file..
>
> git am ~/py2/cur/16136689*
> error: cannot convert from 8bit to UTF-8
> fatal: could not parse patch
>
> either drop them or upload it to some git repo so I can cherry-pick it from there.
>
> On Thu, Feb 18, 2021 at 3:18 PM Rahul Taya wrote:
> For python and python-native added patch to fix
> CVE-2019-9674
>
> Signed-off-by: Rahul Taya
> ---
>  recipes-devtools/python/python.inc            |  1 +
>  .../python/python/CVE-2019-9674.patch         | 83 +++++++++++++++++++
>  2 files changed, 84 insertions(+)
>  create mode 100644 recipes-devtools/python/python/CVE-2019-9674.patch
>
> diff --git a/recipes-devtools/python/python.inc b/recipes-devtools/python/python.inc
> index a4ba0c5..787f23e 100644
> --- a/recipes-devtools/python/python.inc
> +++ b/recipes-devtools/python/python.inc
> @@ -8,6 +8,7 @@ INC_PR = "r1"
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"
>
>  SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
> +           file://CVE-2019-9674.patch \
>             "
>
>  SRC_URI[sha256sum] = "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43"
> diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch b/recipes-devtools/python/python/CVE-2019-9674.patch
> new file mode 100644
> index 0000000..647d9da
> --- /dev/null
> +++ b/recipes-devtools/python/python/CVE-2019-9674.patch
> @@ -0,0 +1,83 @@
> +From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001
> +From: JunWei Song <sungboss2004@gmail.com>
> +Date: Wed, 11 Sep 2019 23:04:12 +0800
> +Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation
> + (#13378)
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +* bpo-36260: Add pitfalls to zipfile module documentation
> +
> +We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file.
> +This gave us the idea of documentation improvement.
> +
> +So, we moved a little bit forward :P
> +And the doc patch can be found (pr).
> +
> +* fix trailing whitespace
> +
> +* 📜🤖 Added by blurb_it.
> +
> +* Reformat text for consistency.
> +
> +Upstream-Status: Backport[http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz]
> +CVE: CVE-2019-9674
> +Link: http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
> +Comment: From the original patch skipped changes for file
> +Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
> +as this file is not present in our source code.
> +---
> + Doc/library/zipfile.rst                       | 41 +++++++++++++++++++
> + 1 files changed, 41 insertions(+)
> +
> +diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
> +index b421ea5..2e0a91d 100644
> +--- a/Doc/library/zipfile.rst
> ++++ b/Doc/library/zipfile.rst
> +@@ -574,4 +574,45 @@ Instances have the following attributes:
> +
> +    Size of the uncompressed file.
> +
> ++Decompression pitfalls
> ++----------------------
> ++
> ++The extraction in zipfile module might fail due to some pitfalls listed below.
> ++
> ++From file itself
> ++~~~~~~~~~~~~~~~~
> ++
> ++Decompression may fail due to incorrect password / CRC checksum / ZIP format or
> ++unsupported compression method / decryption.
> ++
> ++File System limitations
> ++~~~~~~~~~~~~~~~~~~~~~~~
> ++
> ++Exceeding limitations on different file systems can cause decompression failed.
> ++Such as allowable characters in the directory entries, length of the file name,
> ++length of the pathname, size of a single file, and number of files, etc.
> ++
> ++Resources limitations
> ++~~~~~~~~~~~~~~~~~~~~~
> ++
> ++The lack of memory or disk volume would lead to decompression
> ++failed. For example, decompression bombs (aka `ZIP bomb`_)
> ++apply to zipfile library that can cause disk volume exhaustion.
> ++
> ++Interruption
> ++~~~~~~~~~~~~
> ++
> ++Interruption during the decompression, such as pressing control-C or killing the
> ++decompression process may result in incomplete decompression of the archive.
> ++
> ++Default behaviors of extraction
> ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ++
> ++Not knowing the default extraction behaviors
> ++can cause unexpected decompression results.
> ++For example, when extracting the same archive twice,
> ++it overwrites files without asking.
> ++
> ++
> ++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
> + .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
> --
> 2.17.1
>
> This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
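Review bot: on the python.inc hunk, the SRC_URI addition itself is fine, but the commit message ("added patch to fix CVE-2019-9674") promises more than the hunk delivers: the file it pulls in touches only Doc/library/zipfile.rst (a new "Decompression pitfalls" section), so zipfile's extraction behaviour is unchanged and nothing on the runtime side of CVE-2019-9674 is mitigated. State in the commit message that this is the documentation part of the CVE, so a CVE audit of the layer does not read the entry as a code fix.

Review bot: on the CVE-2019-9674.patch hunk, the context in `+@@ -574,4 +574,45 @@` does not match Python-2.7.18's zipfile.rst: the do_patch log quoted above reports `Hunk #1 succeeded at 554 with fuzz 2 (offset -20 lines)`, which the patch-fuzz QA check rejects. The Upstream-Status and Link fields name a python3.5 Ubuntu debian tarball, so the context lines were most likely taken from the 3.5 docs; refresh them against 2.7.18 with `devtool modify python-native` and `devtool finish --force-patch-refresh python-native <layer_path>`, and drop the `* 📜🤖 Added by blurb_it.` line from the embedded commit message, since that is what makes `git am` fail with `cannot convert from 8bit to UTF-8`.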
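The "Decompression pitfalls" section that the patch adds is documentation only; as an added example (not code from the thread, from meta-python2, or from CPython), here is what a consumer of zipfile would actually enforce for the two pitfalls that matter with untrusted input, decompression bombs and silent overwrite, with partial output cleaned up on abort. The sample archive is constructed in memory; the byte budgets, ratio caps and the path-containment check are my assumptions, not something the patch specifies.

```python
"""Guarded ZIP extraction; added example, not from the thread or CPython.
Enforces the zipfile.rst pitfalls above: bombs, silent overwrite, partial output."""
import io
import os
import tempfile
import zipfile

MiB = 1024 * 1024
CHUNK = 64 * 1024  # budgets (10 MiB / 1 MiB) and ratio caps below are assumed values


def build_sample_zip(pad_bytes: int = 4 * MiB) -> bytes:
    """Constructed sample: a small text member plus a zero-filled member that
    deflates extremely well, i.e. a miniature decompression bomb."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", b"hello zipfile")
        zf.writestr("padding.bin", b"\x00" * pad_bytes)
    return buf.getvalue()


def audit_archive(data: bytes, max_total: int, max_ratio: float) -> list:
    """Cheap pre-check on central-directory metadata (no decompression). Returns
    reasons to refuse; declared sizes are attacker-supplied, so this is a filter only."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        declared = sum(i.file_size for i in infos)
        stored = sum(i.compress_size for i in infos)
        if declared > max_total:
            reasons.append(f"declared {declared} bytes exceeds budget {max_total}")
        ratio = declared / stored if stored else float("inf")
        if ratio > max_ratio:
            reasons.append(f"compression ratio {ratio:.0f}:1 exceeds {max_ratio:.0f}:1")
    return reasons


def extract_guarded(data: bytes, dest: str, max_total: int) -> int:
    """Stream members to dest counting real output; abort (and delete the partial
    file) past max_total, refuse to overwrite, let zipfile's CRC check propagate."""
    root = os.path.realpath(dest)
    written = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            # Not one of the documented pitfalls, but any extractor needs it: stay inside dest.
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"member escapes destination: {info.filename}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            if os.path.exists(target):
                raise FileExistsError(f"refusing to overwrite {target}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            try:
                with zf.open(info) as src, open(target, "wb") as dst:
                    for chunk in iter(lambda: src.read(CHUNK), b""):
                        written += len(chunk)
                        if written > max_total:
                            raise ValueError(f"output exceeded {max_total} bytes")
                        dst.write(chunk)
            except (ValueError, zipfile.BadZipFile):
                os.remove(target)  # do not leave a truncated file behind
                raise
    return written


def demo() -> dict:
    """Run the constructed sample through the checks; returns the outcomes as a dict."""
    data = build_sample_zip()
    out = {"audit_strict": audit_archive(data, 10 * MiB, 100.0),
           "audit_lenient": audit_archive(data, 10 * MiB, 5000.0)}
    with tempfile.TemporaryDirectory() as d:
        out["written"] = extract_guarded(data, d, 10 * MiB)
        try:
            extract_guarded(data, d, 10 * MiB)  # same archive twice: must not overwrite
            out["second_run"] = "overwrote"
        except FileExistsError:
            out["second_run"] = "refused"
    with tempfile.TemporaryDirectory() as d:
        try:
            extract_guarded(data, d, 1 * MiB)  # budget smaller than the bomb
            out["bomb"] = "extracted"
        except ValueError:
            out["bomb"] = "aborted"
        out["partial_left"] = os.path.exists(os.path.join(d, "padding.bin"))
    return out
```

The ratio check alone is not enough: a central directory can declare any file_size it likes, which is why extract_guarded() counts the bytes it actually produces.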