diff --git a/CVE-2019-9674.patch b/CVE-2019-9674.patch new file mode 100644 index 0000000000000000000000000000000000000000..2b752cae5f34e0f0e996cac2e6521148df358c03 --- /dev/null +++ b/CVE-2019-9674.patch @@ -0,0 +1,89 @@ +From 7c1b25f7c1e9381fa4b96b4fc489e4bbbe065f02 Mon Sep 17 00:00:00 2001 +From: JunWei Song +Date: Wed, 11 Sep 2019 23:04:12 +0800 +Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation + (#13378) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +* bpo-36260: Add pitfalls to zipfile module documentation + +We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file. +This gave us the idea of documentation improvement. + +So, we moved a little bit forward :P +And the doc patch can be found (pr). + +* fix trailing whitespace + +* 📜 🤖 Added by blurb_it. + +* Reformat text for consistency. + +--- + Doc/library/zipfile.rst | 40 +++++++++++++++++++ + .../2019-06-04-09-29-00.bpo-36260.WrGuc-.rst | 1 + + 2 files changed, 41 insertions(+) + create mode 100644 Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst + +diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst +index 6fb03a0..6fa0a28 100644 +--- a/Doc/library/zipfile.rst ++++ b/Doc/library/zipfile.rst +@@ -730,5 +730,45 @@ Command-line options + + Test whether the zipfile is valid or not. + ++Decompression pitfalls ++---------------------- ++ ++The extraction in zipfile module might fail due to some pitfalls listed below. ++ ++From file itself ++~~~~~~~~~~~~~~~~ ++ ++Decompression may fail due to incorrect password / CRC checksum / ZIP format or ++unsupported compression method / decryption. ++ ++File System limitations ++~~~~~~~~~~~~~~~~~~~~~~~ ++ ++Exceeding limitations on different file systems can cause decompression failed. ++Such as allowable characters in the directory entries, length of the file name, ++length of the pathname, size of a single file, and number of files, etc. ++ ++Resources limitations ++~~~~~~~~~~~~~~~~~~~~~ ++ ++The lack of memory or disk volume would lead to decompression ++failed. For example, decompression bombs (aka `ZIP bomb`_) ++apply to zipfile library that can cause disk volume exhaustion. ++ ++Interruption ++~~~~~~~~~~~~ ++ ++Interruption during the decompression, such as pressing control-C or killing the ++decompression process may result in incomplete decompression of the archive. ++ ++Default behaviors of extraction ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ++ ++Not knowing the default extraction behaviors ++can cause unexpected decompression results. ++For example, when extracting the same archive twice, ++it overwrites files without asking. ++ + ++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb + .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT +diff --git a/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst +new file mode 100644 +index 0000000..9276516 +--- /dev/null ++++ b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst +@@ -0,0 +1 @@ ++Add decompression pitfalls to zipfile module documentation. +\ No newline at end of file +-- +2.23.0 diff --git a/python3.spec b/python3.spec index fa3263c7a3a9272fa86f4a99556f30cfd8567df0..f33eeb3b4b83a333eecbfaa92306a4af9dfefa06 100644 --- a/python3.spec +++ b/python3.spec @@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language URL: https://www.python.org/ Version: 3.7.4 -Release: 8 +Release: 9 License: Python %global branchversion 3.7 @@ -104,6 +104,7 @@ Patch316: 00316-mark-bdist_wininst-unsupported.patch Patch6000: CVE-2019-16056.patch Patch6001: CVE-2019-16935.patch Patch6002: CVE-2019-17514.patch +Patch6003: CVE-2019-9674.patch Provides: python%{branchversion} = %{version}-%{release} Provides: python(abi) = %{branchversion} @@ -194,6 +195,7 @@ rm Lib/ensurepip/_bundled/*.whl %patch6000 -p1 %patch6001 -p1 %patch6002 -p1 +%patch6003 -p1 rm configure pyconfig.h.in @@ -794,6 +796,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP" %{_mandir}/*/* %changelog +* Tue Apr 21 2020 hanxinke - 3.7.4-9 +- Type:cves +- ID:CVE-2019-9674 +- SUG:NA +- DESC:fix CVE-2019-9674 + * Tue Mar 17 2020 hanxinke - 3.7.4-8 - Type:bugfix - ID:NA