2 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3/CVE-2016-5636.patch b/meta/recipes-devtools/python/python3/CVE-2016-5636.patch
new file mode 100644
index 0000000000..0d494d20f4
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2016-5636.patch
@@ -0,0 +1,44 @@
+# HG changeset patch
+# User Benjamin Peterson <benjamin@python.org>
+# Date 1453357506 28800
+# Node ID 10dad6da1b28ea4af78ad9529e469fdbf4ebbc8f
+# Parent  a3ac2cd93db9d5336dfd7b5b27efde2c568d8794# Parent  01ddd608b85c85952537d95a43bbabf4fb655057
+merge 3.4 (#26171)
+Upstream-Status: Backport
+CVE: CVE-2016-5636
+https://hg.python.org/cpython/raw-rev/10dad6da1b28
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: Python-3.5.1/Misc/NEWS
+===================================================================
+--- Python-3.5.1.orig/Misc/NEWS
+++ Python-3.5.1/Misc/NEWS
+@@ -91,6 +91,9 @@ Core and Builtins
+   Python.h header to fix a compilation error with OpenMP. PyThreadState_GET()
+   becomes an alias to PyThreadState_Get() to avoid ABI incompatibilies.
+ 
+- Issue #26171: Fix possible integer overflow and heap corruption in
+  zipimporter.get_data().
+
+ Library
+ -------
+ 
+Index: Python-3.5.1/Modules/zipimport.c
+===================================================================
+--- Python-3.5.1.orig/Modules/zipimport.c
+++ Python-3.5.1/Modules/zipimport.c
+@@ -1112,6 +1112,11 @@ get_data(PyObject *archive, PyObject *to
+     }
+     file_offset += l;           /* Start of file data */
+ 
+    if (data_size > LONG_MAX - 1) {
+        fclose(fp);
+        PyErr_NoMemory();
+        return NULL;
+    }
+     bytes_size = compress == 0 ? data_size : data_size + 1;
+     if (bytes_size == 0)
+         bytes_size++;
diff --git a/meta/recipes-devtools/python/python3_3.5.1.bb b/meta/recipes-devtools/python/python3_3.5.1.bb
index 0d667d2ad8..bf29d1252f 100644
--- a/meta/recipes-devtools/python/python3_3.5.1.bb
+++ b/meta/recipes-devtools/python/python3_3.5.1.bb
@@ -37,6 +37,7 @@ SRC_URI += "\
            file://setup.py-find-libraries-in-staging-dirs.patch \
            file://use_packed_importlib.patch \
            file://configure.ac-fix-LIBPL.patch \
+            file://CVE-2016-5636.patch \
           "
 SRC_URI[md5sum] = "e9ea6f2623fffcdd871b7b19113fde80"
 SRC_URI[sha256sum] = "c6d57c0c366d9060ab6c0cdf889ebf3d92711d466cc0119c441dbf2746f725c9"

diff --git a/meta/recipes-devtools/python/python3/CVE-2016-5636.patch b/meta/recipes-devtools/python/python3/CVE-2016-5636.patch new file mode 100644 index 0000000000..0d494d20f4 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2016-5636.patch
@@ -0,0 +1,44 @@
		1
		2	# HG changeset patch
		3	# User Benjamin Peterson <benjamin@python.org>
		4	# Date 1453357506 28800
		5	# Node ID 10dad6da1b28ea4af78ad9529e469fdbf4ebbc8f
		6	# Parent a3ac2cd93db9d5336dfd7b5b27efde2c568d8794# Parent 01ddd608b85c85952537d95a43bbabf4fb655057
		7	merge 3.4 (#26171)
		8
		9	Upstream-Status: Backport
		10	CVE: CVE-2016-5636
		11
		12	https://hg.python.org/cpython/raw-rev/10dad6da1b28
		13	Signed-off-by: Armin Kuster <akuster@mvista.com>
		14
		15	Index: Python-3.5.1/Misc/NEWS
		16	===================================================================
		17	--- Python-3.5.1.orig/Misc/NEWS
		18	+++ Python-3.5.1/Misc/NEWS
		19	@@ -91,6 +91,9 @@ Core and Builtins
		20	Python.h header to fix a compilation error with OpenMP. PyThreadState_GET()
		21	becomes an alias to PyThreadState_Get() to avoid ABI incompatibilies.
		22
		23	+- Issue #26171: Fix possible integer overflow and heap corruption in
		24	+ zipimporter.get_data().
		25	+
		26	Library
		27	-------
		28
		29	Index: Python-3.5.1/Modules/zipimport.c
		30	===================================================================
		31	--- Python-3.5.1.orig/Modules/zipimport.c
		32	+++ Python-3.5.1/Modules/zipimport.c
		33	@@ -1112,6 +1112,11 @@ get_data(PyObject archive, PyObject to
		34	}
		35	file_offset += l; /* Start of file data */
		36
		37	+ if (data_size > LONG_MAX - 1) {
		38	+ fclose(fp);
		39	+ PyErr_NoMemory();
		40	+ return NULL;
		41	+ }
		42	bytes_size = compress == 0 ? data_size : data_size + 1;
		43	if (bytes_size == 0)
		44	bytes_size++;


diff --git a/meta/recipes-devtools/python/python3_3.5.1.bb b/meta/recipes-devtools/python/python3_3.5.1.bb index 0d667d2ad8..bf29d1252f 100644 --- a/meta/recipes-devtools/python/python3_3.5.1.bb +++ b/meta/recipes-devtools/python/python3_3.5.1.bb
@@ -37,6 +37,7 @@ SRC_URI += "\
37	file://setup.py-find-libraries-in-staging-dirs.patch \	37	file://setup.py-find-libraries-in-staging-dirs.patch \
38	file://use_packed_importlib.patch \	38	file://use_packed_importlib.patch \
39	file://configure.ac-fix-LIBPL.patch \	39	file://configure.ac-fix-LIBPL.patch \
		40	file://CVE-2016-5636.patch \
40	"	41	"
41	SRC_URI[md5sum] = "e9ea6f2623fffcdd871b7b19113fde80"	42	SRC_URI[md5sum] = "e9ea6f2623fffcdd871b7b19113fde80"
42	SRC_URI[sha256sum] = "c6d57c0c366d9060ab6c0cdf889ebf3d92711d466cc0119c441dbf2746f725c9"	43	SRC_URI[sha256sum] = "c6d57c0c366d9060ab6c0cdf889ebf3d92711d466cc0119c441dbf2746f725c9"