From ${URL} : A heap-based buffer overflow vulnerability was found in the zipimporter module. Vulnerable code:

    1116 bytes_size = compress == 0 ? data_size : data_size + 1;
    1117 if (bytes_size == 0)
    1118 bytes_size++;
    1119 raw_data = PyBytes_FromStringAndSize((char *)NULL, bytes_size);

data_size is not sanitized, so if compress != 0 and data_size = -1, then it overflows and becomes 0. Right after that it's incremented and becomes 1. In that case, python allocates a small portion of heap, which is later overflowed using fread.

Upstream bug: https://bugs.python.org/issue26171

Upstream patches:
https://hg.python.org/cpython/rev/01ddd608b85c (3.4)
https://hg.python.org/cpython/rev/985fc64c60d6 (2.7)
https://hg.python.org/cpython/rev/10dad6da1b28 (3.5)
https://hg.python.org/cpython/rev/2df462852464 (default)

CVE request: http://seclists.org/oss-sec/2016/q2/524

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
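The following is an added example, not CPython's zipimport.c and not code from the reporter. It models the size arithmetic quoted above: a constructed 30-byte ZIP local file header carries a compressed-size field of 0xFFFFFFFF, which a sign-extending 32-bit read turns into data_size = -1; the pre-fix arithmetic then allocates 1 byte while fread() is handed (size_t)-1. The helper names (get_long_le, vulnerable_bytes_size, hardened_bytes_size, header_overflows), the header bytes and the exact shape of the hardened check are assumptions of this example; only the rejection of a negative data_size is what the upstream patches are described as doing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed 30-byte ZIP local file header ("PK\3\4"), not taken from any
 * real archive: compression method 8 (deflate) at offset 8, compressed
 * size 0xFFFFFFFF at offset 18, empty file name and extra field. */
static const unsigned char EVIL_HEADER[30] = {
    0x50, 0x4b, 0x03, 0x04,   /* local file header signature */
    0x14, 0x00,               /* version needed to extract */
    0x00, 0x00,               /* general purpose flags */
    0x08, 0x00,               /* compression method: deflate (compress != 0) */
    0x00, 0x00, 0x00, 0x00,   /* mod time / mod date */
    0x00, 0x00, 0x00, 0x00,   /* crc32 */
    0xff, 0xff, 0xff, 0xff,   /* compressed size -> data_size = -1 */
    0xff, 0xff, 0xff, 0xff,   /* uncompressed size */
    0x00, 0x00,               /* file name length */
    0x00, 0x00,               /* extra field length */
};

/* Little-endian 32-bit field read as a signed value into a long, so that
 * 0xFFFFFFFF yields -1 (hypothetical stand-in for the module's reader). */
static long get_long_le(const unsigned char *buf) {
    uint32_t x = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                 ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    return (long)(int32_t)x;
}

/* Little-endian 16-bit field (compression method). */
static long get_short_le(const unsigned char *buf) {
    return (long)(buf[0] | (buf[1] << 8));
}

/* Pre-fix size computation: data_size goes straight into the arithmetic.
 * With compress != 0 and data_size == -1 this returns 1. */
long vulnerable_bytes_size(long data_size, long compress) {
    long bytes_size = compress == 0 ? data_size : data_size + 1;
    if (bytes_size == 0)
        bytes_size++;
    return bytes_size;
}

/* Hardened computation: reject a negative data_size before any arithmetic.
 * Returns 1 and sets *bytes_size on success, 0 on rejection. The signature
 * is an assumption of this example, not the upstream API. */
int hardened_bytes_size(long data_size, long compress, long *bytes_size) {
    if (data_size < 0)
        return 0;
    *bytes_size = compress == 0 ? data_size : data_size + 1;
    if (*bytes_size == 0)
        (*bytes_size)++;
    return 1;
}

/* Returns 1 when the vulnerable path would allocate fewer bytes than the
 * length later passed to fread(), i.e. the heap overflow condition. */
int header_overflows(const unsigned char *hdr) {
    long compress  = get_short_le(hdr + 8);
    long data_size = get_long_le(hdr + 18);
    long alloc     = vulnerable_bytes_size(data_size, compress);
    size_t to_read = (size_t)data_size;   /* fread takes size_t: -1 wraps */
    return alloc > 0 && to_read > (size_t)alloc;
}

int main(void) {
    long data_size = get_long_le(EVIL_HEADER + 18);
    long fixed = 0;
    printf("data_size from header: %ld\n", data_size);
    printf("vulnerable alloc: %ld bytes, fread length: %zu\n",
           vulnerable_bytes_size(data_size, 8), (size_t)data_size);
    printf("overflow on vulnerable path: %d\n", header_overflows(EVIL_HEADER));
    printf("hardened accepts header: %d\n",
           hardened_bytes_size(data_size, 8, &fixed));
    return 0;
}
```

The check to take away is the one in hardened_bytes_size: a signed size read from untrusted archive metadata must be rejected when negative before it is used for either the allocation or the read length, because the two conversions (long arithmetic for the allocation, size_t for fread) disagree about what -1 means.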
We should probably backport these onto the currently stable ebuilds with a revbump.
Fix is in v2.7.12:

$ hg log -r "985fc64c60d6:: and tag()"
changeset:   101898:13912cd1e7e8
branch:      2.7
tag:         v2.7.12rc1
user:        Benjamin Peterson <benjamin@python.org>
date:        Sat Jun 11 14:46:26 2016 -0700
summary:     2.7.12 release candidate 1

changeset:   102173:d33e0cf91556
branch:      2.7
tag:         v2.7.12
parent:      102122:45d4cea97b04
user:        Benjamin Peterson <benjamin@python.org>
date:        Sat Jun 25 14:03:21 2016 -0700
summary:     2.7.12 final

Fix for 3.4 branch was: https://hg.python.org/cpython/rev/5ae8756a1ae0 which is not yet released, see

$ hg log -r "5ae8756a1ae0:: and tag()"
changeset:   104442:b9fadc7d1c3f
branch:      3.6
tag:         v3.6.0b2
user:        Ned Deily <nad@python.org>
date:        Mon Oct 10 16:09:08 2016 -0400
summary:     Version bump for 3.6.0b2

changeset:   104860:8345e066c0ed
branch:      3.6
tag:         v3.6.0b3
user:        Ned Deily <nad@python.org>
date:        Mon Oct 31 20:43:30 2016 -0400
summary:     Version bump for 3.6.0b3

changeset:   105327:18496abdb3d5
branch:      3.6
tag:         v3.6.0b4
user:        Ned Deily <nad@python.org>
date:        Mon Nov 21 23:30:55 2016 -0500
summary:     Version bump for 3.6.0b4
Wait, the 3.4 changeset fixing the problem was 01ddd608b85c, which was in

changeset:   102200:619b61e505d0
branch:      3.4
tag:         v3.4.5
user:        Larry Hastings <larry@hastings.org>
date:        Sat Jun 25 14:44:30 2016 -0700
summary:     Version bump for 3.4.5 final.
CVE-2016-5636 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5636): Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.
This issue was resolved and addressed in GLSA 201701-18 at https://security.gentoo.org/glsa/201701-18 by GLSA coordinator Thomas Deutschmann (whissi).