From 2858326dd0005d1231fb6555a2750a2a46660a3f Mon Sep 17 00:00:00 2001 From: hanxinke Date: Tue, 19 May 2020 11:23:26 +0800 Subject: [PATCH 1/3] CVE-2019-9674:improved the documentation to reflect the risks of zip-bombs --- CVE-2019-9674.patch | 89 +++++++++++++++++++++++++++++++++++++++++++++ python2.spec | 9 ++++- 2 files changed, 97 insertions(+), 1 deletion(-) create mode 100644 CVE-2019-9674.patch diff --git a/CVE-2019-9674.patch b/CVE-2019-9674.patch new file mode 100644 index 0000000..a482edc --- /dev/null +++ b/CVE-2019-9674.patch @@ -0,0 +1,89 @@ +From 96b55a2f5a66c0c5ede04428a2dd5e12b4d53c3d Mon Sep 17 00:00:00 2001 +From: JunWei Song +Date: Wed, 11 Sep 2019 23:04:12 +0800 +Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation + (#13378) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +* bpo-36260: Add pitfalls to zipfile module documentation + +We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file. +This gave us the idea of documentation improvement. + +So, we moved a little bit forward :P +And the doc patch can be found (pr). + +* fix trailing whitespace + +* 📜 🤖 Added by blurb_it. + +* Reformat text for consistency. + +--- + Doc/library/zipfile.rst | 40 +++++++++++++++++++ + .../2019-06-04-09-29-00.bpo-36260.WrGuc-.rst | 1 + + 2 files changed, 41 insertions(+) + create mode 100644 Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst + +diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst +index ba613b3..77a29fb 100644 +--- a/Doc/library/zipfile.rst ++++ b/Doc/library/zipfile.rst +@@ -553,5 +553,45 @@ Command-line options + + Test whether the zipfile is valid or not. + ++Decompression pitfalls ++---------------------- ++ ++The extraction in zipfile module might fail due to some pitfalls listed below. ++ ++From file itself ++~~~~~~~~~~~~~~~~ ++ ++Decompression may fail due to incorrect password / CRC checksum / ZIP format or ++unsupported compression method / decryption. ++ ++File System limitations ++~~~~~~~~~~~~~~~~~~~~~~~ ++ ++Exceeding limitations on different file systems can cause decompression failed. ++Such as allowable characters in the directory entries, length of the file name, ++length of the pathname, size of a single file, and number of files, etc. ++ ++Resources limitations ++~~~~~~~~~~~~~~~~~~~~~ ++ ++The lack of memory or disk volume would lead to decompression ++failed. For example, decompression bombs (aka `ZIP bomb`_) ++apply to zipfile library that can cause disk volume exhaustion. ++ ++Interruption ++~~~~~~~~~~~~ ++ ++Interruption during the decompression, such as pressing control-C or killing the ++decompression process may result in incomplete decompression of the archive. ++ ++Default behaviors of extraction ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ++ ++Not knowing the default extraction behaviors ++can cause unexpected decompression results. ++For example, when extracting the same archive twice, ++it overwrites files without asking. ++ + ++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb + .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT +diff --git a/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst +new file mode 100644 +index 0000000..9276516 +--- /dev/null ++++ b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst +@@ -0,0 +1 @@ ++Add decompression pitfalls to zipfile module documentation. +\ No newline at end of file +-- +2.23.0 diff --git a/python2.spec b/python2.spec index 460d522..147fc03 100644 --- a/python2.spec +++ b/python2.spec @@ -15,7 +15,7 @@ %undefine _debuginfo_subpackages Name: python2 Version: 2.7.16 -Release: 15 +Release: 16 Summary: Python is an interpreted, interactive object-oriented programming language suitable License: Python URL: https://www.python.org/ @@ -100,6 +100,7 @@ Patch372: CVE-2019-17514.patch Patch373: CVE-2017-18207.patch Patch374: bugfix-excessive-memory-usage-when-using-regular-expressions.patch Patch375: CVE-2020-8492.patch +Patch376: CVE-2019-9674.patch BuildRequires: libdb-devel libffi-devel valgrind-devel ncurses-devel expat-devel readline-devel BuildRequires: openssl-devel libtirpc-devel tcl-devel tk-devel glibc-devel libnsl2-devel @@ -634,6 +635,12 @@ sed -e "s|LIBRARY_PATH|%{_libdir}/%{py_INSTSONAME_debug}|" %{SOURCE1} \ %{dynload_dir}/_testcapimodule_d.so %changelog +* Tue May 19 2020 hanxinke - 2.7.16-16 +- Type:cves +- ID:CVE-2019-9674 +- SUG:NA +- DESC:improved the documentation to reflect the risks of zip-bombs + * Fri Mar 6 2020 hanxinke - 2.7.16-15 - Type:cves - ID:CVE-2020-8492 -- Gitee From 95df8477d9c92687c7675d855e5fe8aa341d0859 Mon Sep 17 00:00:00 2001 From: Markeryang <747675909@qq.com> Date: Thu, 2 Jul 2020 15:38:57 +0800 Subject: [PATCH 2/3] add python2.yaml. --- python2.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 python2.yaml diff --git a/python2.yaml b/python2.yaml new file mode 100644 index 0000000..171dd54 --- /dev/null +++ b/python2.yaml @@ -0,0 +1,5 @@ +version_control: NA +src_repo: +tag_prefix: +seperator: +url: https://www.python.org/downloads/ \ No newline at end of file -- Gitee From a442b8949702f4925054439189a263314f1723e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=A1=90=E5=B0=8F=E5=93=A5?= Date: Wed, 8 Jul 2020 10:36:33 +0800 Subject: [PATCH 3/3] update python2.spec. --- python2.spec | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/python2.spec b/python2.spec index 147fc03..a7d8de6 100644 --- a/python2.spec +++ b/python2.spec @@ -15,7 +15,7 @@ %undefine _debuginfo_subpackages Name: python2 Version: 2.7.16 -Release: 16 +Release: 17 Summary: Python is an interpreted, interactive object-oriented programming language suitable License: Python URL: https://www.python.org/ @@ -635,6 +635,12 @@ sed -e "s|LIBRARY_PATH|%{_libdir}/%{py_INSTSONAME_debug}|" %{SOURCE1} \ %{dynload_dir}/_testcapimodule_d.so %changelog +* Wed Jul 8 2020 shixuantong - 2.7.16-17 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:update release number + * Tue May 19 2020 hanxinke - 2.7.16-16 - Type:cves - ID:CVE-2019-9674 -- Gitee