python3: patch CVE-2025-13837

Pick patch from 3.12 branch per NVD report. (From OE-Core rev: 37936e0e93ab5c236d8cc8e709ba1faf8380577c) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Peter Marko <peter.marko@siemens.com> 2026-01-18 22:17:49 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2026-02-16 09:52:35 +0000
commit: 534b2c966a7f9f326beecd0756cf0daccb49add9 (patch)
tree: c33e38024385c05ccde76a11093aa77c68365554 /meta/recipes-devtools/python/python3
parent: 8d61eb390a75aee4e93e8952b3903e12fc64ce8d (diff)
download: poky-534b2c966a7f9f326beecd0756cf0daccb49add9.tar.gz
1 files changed, 162 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3/CVE-2025-13837.patch b/meta/recipes-devtools/python/python3/CVE-2025-13837.patch
new file mode 100644
index 0000000000..0f2e06a491
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2025-13837.patch
@@ -0,0 +1,162 @@
+From 5a8b19677d818fb41ee55f310233772e15aa1a2b Mon Sep 17 00:00:00 2001
+From: Serhiy Storchaka <storchaka@gmail.com>
+Date: Mon, 22 Dec 2025 15:49:44 +0200
+Subject: [PATCH] [3.12] gh-119342: Fix a potential denial of service in
+ plistlib (GH-119343) (#142149)
+Reading a specially prepared small Plist file could cause OOM because file's
+read(n) preallocates a bytes object for reading the specified amount of
+data. Now plistlib reads large data by chunks, therefore the upper limit of
+consumed memory is proportional to the size of the input file.
+(cherry picked from commit 694922cf40aa3a28f898b5f5ee08b71b4922df70)
+CVE: CVE-2025-13837
+Upstream-Status: Backport [https://github.com/python/cpython/commit/5a8b19677d818fb41ee55f310233772e15aa1a2b]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ Lib/plistlib.py                               | 31 ++++++++++------
+ Lib/test/test_plistlib.py                     | 37 +++++++++++++++++--
+ ...-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst |  5 +++
+ 3 files changed, 59 insertions(+), 14 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst
+diff --git a/Lib/plistlib.py b/Lib/plistlib.py
+index 3292c30d5f..c5554ea1f7 100644
+--- a/Lib/plistlib.py
+++ b/Lib/plistlib.py
+@@ -73,6 +73,9 @@ from xml.parsers.expat import ParserCreate
+ PlistFormat = enum.Enum('PlistFormat', 'FMT_XML FMT_BINARY', module=__name__)
+ globals().update(PlistFormat.__members__)
+ 
+# Data larger than this will be read in chunks, to prevent extreme
+# overallocation.
+_MIN_READ_BUF_SIZE = 1 << 20
+ 
+ class UID:
+     def __init__(self, data):
+@@ -499,12 +502,24 @@ class _BinaryPlistParser:
+ 
+         return tokenL
+ 
+    def _read(self, size):
+        cursize = min(size, _MIN_READ_BUF_SIZE)
+        data = self._fp.read(cursize)
+        while True:
+            if len(data) != cursize:
+                raise InvalidFileException
+            if cursize == size:
+                return data
+            delta = min(cursize, size - cursize)
+            data += self._fp.read(delta)
+            cursize += delta
+
+     def _read_ints(self, n, size):
+-        data = self._fp.read(size * n)
+        data = self._read(size * n)
+         if size in _BINARY_FORMAT:
+             return struct.unpack(f'>{n}{_BINARY_FORMAT[size]}', data)
+         else:
+-            if not size or len(data) != size * n:
+            if not size:
+                 raise InvalidFileException()
+             return tuple(int.from_bytes(data[i: i + size], 'big')
+                          for i in range(0, size * n, size))
+@@ -561,22 +576,16 @@ class _BinaryPlistParser:
+ 
+         elif tokenH == 0x40:  # data
+             s = self._get_size(tokenL)
+-            result = self._fp.read(s)
+-            if len(result) != s:
+-                raise InvalidFileException()
+            result = self._read(s)
+ 
+         elif tokenH == 0x50:  # ascii string
+             s = self._get_size(tokenL)
+-            data = self._fp.read(s)
+-            if len(data) != s:
+-                raise InvalidFileException()
+            data = self._read(s)
+             result = data.decode('ascii')
+ 
+         elif tokenH == 0x60:  # unicode string
+             s = self._get_size(tokenL) * 2
+-            data = self._fp.read(s)
+-            if len(data) != s:
+-                raise InvalidFileException()
+            data = self._read(s)
+             result = data.decode('utf-16be')
+ 
+         elif tokenH == 0x80:  # UID
+diff --git a/Lib/test/test_plistlib.py b/Lib/test/test_plistlib.py
+index fa46050658..229a5a242e 100644
+--- a/Lib/test/test_plistlib.py
+++ b/Lib/test/test_plistlib.py
+@@ -841,8 +841,7 @@ class TestPlistlib(unittest.TestCase):
+ 
+ class TestBinaryPlistlib(unittest.TestCase):
+ 
+-    @staticmethod
+-    def decode(*objects, offset_size=1, ref_size=1):
+    def build(self, *objects, offset_size=1, ref_size=1):
+         data = [b'bplist00']
+         offset = 8
+         offsets = []
+@@ -854,7 +853,11 @@ class TestBinaryPlistlib(unittest.TestCase):
+                            len(objects), 0, offset)
+         data.extend(offsets)
+         data.append(tail)
+-        return plistlib.loads(b''.join(data), fmt=plistlib.FMT_BINARY)
+        return b''.join(data)
+
+    def decode(self, *objects, offset_size=1, ref_size=1):
+        data = self.build(*objects, offset_size=offset_size, ref_size=ref_size)
+        return plistlib.loads(data, fmt=plistlib.FMT_BINARY)
+ 
+     def test_nonstandard_refs_size(self):
+         # Issue #21538: Refs and offsets are 24-bit integers
+@@ -963,6 +966,34 @@ class TestBinaryPlistlib(unittest.TestCase):
+                 with self.assertRaises(plistlib.InvalidFileException):
+                     plistlib.loads(b'bplist00' + data, fmt=plistlib.FMT_BINARY)
+ 
+    def test_truncated_large_data(self):
+        self.addCleanup(os_helper.unlink, os_helper.TESTFN)
+        def check(data):
+            with open(os_helper.TESTFN, 'wb') as f:
+                f.write(data)
+            # buffered file
+            with open(os_helper.TESTFN, 'rb') as f:
+                with self.assertRaises(plistlib.InvalidFileException):
+                    plistlib.load(f, fmt=plistlib.FMT_BINARY)
+            # unbuffered file
+            with open(os_helper.TESTFN, 'rb', buffering=0) as f:
+                with self.assertRaises(plistlib.InvalidFileException):
+                    plistlib.load(f, fmt=plistlib.FMT_BINARY)
+        for w in range(20, 64):
+            s = 1 << w
+            # data
+            check(self.build(b'\x4f\x13' + s.to_bytes(8, 'big')))
+            # ascii string
+            check(self.build(b'\x5f\x13' + s.to_bytes(8, 'big')))
+            # unicode string
+            check(self.build(b'\x6f\x13' + s.to_bytes(8, 'big')))
+            # array
+            check(self.build(b'\xaf\x13' + s.to_bytes(8, 'big')))
+            # dict
+            check(self.build(b'\xdf\x13' + s.to_bytes(8, 'big')))
+            # number of objects
+            check(b'bplist00' + struct.pack('>6xBBQQQ', 1, 1, s, 0, 8))
+
+ 
+ class TestKeyedArchive(unittest.TestCase):
+     def test_keyed_archive_data(self):
+diff --git a/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst b/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst
+new file mode 100644
+index 0000000000..04fd8faca4
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst
+@@ -0,0 +1,5 @@
+Fix a potential memory denial of service in the :mod:`plistlib` module.
+When reading a Plist file received from untrusted source, it could cause
+an arbitrary amount of memory to be allocated.
+This could have led to symptoms including a :exc:`MemoryError`, swapping, out
+of memory (OOM) killed processes or containers, or even system crashes.
author	Peter Marko <peter.marko@siemens.com>	2026-01-18 22:17:49 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2026-02-16 09:52:35 +0000
commit	534b2c966a7f9f326beecd0756cf0daccb49add9 (patch)
tree	c33e38024385c05ccde76a11093aa77c68365554 /meta/recipes-devtools/python/python3
parent	8d61eb390a75aee4e93e8952b3903e12fc64ce8d (diff)
download	poky-534b2c966a7f9f326beecd0756cf0daccb49add9.tar.gz

diff --git a/meta/recipes-devtools/python/python3/CVE-2025-13837.patch b/meta/recipes-devtools/python/python3/CVE-2025-13837.patch new file mode 100644 index 0000000000..0f2e06a491 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2025-13837.patch
@@ -0,0 +1,162 @@
	1	From 5a8b19677d818fb41ee55f310233772e15aa1a2b Mon Sep 17 00:00:00 2001
	2	From: Serhiy Storchaka <storchaka@gmail.com>
	3	Date: Mon, 22 Dec 2025 15:49:44 +0200
	4	Subject: [PATCH] [3.12] gh-119342: Fix a potential denial of service in
	5	plistlib (GH-119343) (#142149)
	6
	7	Reading a specially prepared small Plist file could cause OOM because file's
	8	read(n) preallocates a bytes object for reading the specified amount of
	9	data. Now plistlib reads large data by chunks, therefore the upper limit of
	10	consumed memory is proportional to the size of the input file.
	11	(cherry picked from commit 694922cf40aa3a28f898b5f5ee08b71b4922df70)
	12
	13	CVE: CVE-2025-13837
	14	Upstream-Status: Backport [https://github.com/python/cpython/commit/5a8b19677d818fb41ee55f310233772e15aa1a2b]
	15	Signed-off-by: Peter Marko <peter.marko@siemens.com>
	16	---
	17	Lib/plistlib.py \| 31 ++++++++++------
	18	Lib/test/test_plistlib.py \| 37 +++++++++++++++++--
	19	...-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst \| 5 +++
	20	3 files changed, 59 insertions(+), 14 deletions(-)
	21	create mode 100644 Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst
	22
	23	diff --git a/Lib/plistlib.py b/Lib/plistlib.py
	24	index 3292c30d5f..c5554ea1f7 100644
	25	--- a/Lib/plistlib.py
	26	+++ b/Lib/plistlib.py
	27	@@ -73,6 +73,9 @@ from xml.parsers.expat import ParserCreate
	28	PlistFormat = enum.Enum('PlistFormat', 'FMT_XML FMT_BINARY', module=__name__)
	29	globals().update(PlistFormat.__members__)
	30
	31	+# Data larger than this will be read in chunks, to prevent extreme
	32	+# overallocation.
	33	+_MIN_READ_BUF_SIZE = 1 << 20
	34
	35	class UID:
	36	def __init__(self, data):
	37	@@ -499,12 +502,24 @@ class _BinaryPlistParser:
	38
	39	return tokenL
	40
	41	+ def _read(self, size):
	42	+ cursize = min(size, _MIN_READ_BUF_SIZE)
	43	+ data = self._fp.read(cursize)
	44	+ while True:
	45	+ if len(data) != cursize:
	46	+ raise InvalidFileException
	47	+ if cursize == size:
	48	+ return data
	49	+ delta = min(cursize, size - cursize)
	50	+ data += self._fp.read(delta)
	51	+ cursize += delta
	52	+
	53	def _read_ints(self, n, size):
	54	- data = self._fp.read(size * n)
	55	+ data = self._read(size * n)
	56	if size in _BINARY_FORMAT:
	57	return struct.unpack(f'>{n}{_BINARY_FORMAT[size]}', data)
	58	else:
	59	- if not size or len(data) != size * n:
	60	+ if not size:
	61	raise InvalidFileException()
	62	return tuple(int.from_bytes(data[i: i + size], 'big')
	63	for i in range(0, size * n, size))
	64	@@ -561,22 +576,16 @@ class _BinaryPlistParser:
	65
	66	elif tokenH == 0x40: # data
	67	s = self._get_size(tokenL)
	68	- result = self._fp.read(s)
	69	- if len(result) != s:
	70	- raise InvalidFileException()
	71	+ result = self._read(s)
	72
	73	elif tokenH == 0x50: # ascii string
	74	s = self._get_size(tokenL)
	75	- data = self._fp.read(s)
	76	- if len(data) != s:
	77	- raise InvalidFileException()
	78	+ data = self._read(s)
	79	result = data.decode('ascii')
	80
	81	elif tokenH == 0x60: # unicode string
	82	s = self._get_size(tokenL) * 2
	83	- data = self._fp.read(s)
	84	- if len(data) != s:
	85	- raise InvalidFileException()
	86	+ data = self._read(s)
	87	result = data.decode('utf-16be')
	88
	89	elif tokenH == 0x80: # UID
	90	diff --git a/Lib/test/test_plistlib.py b/Lib/test/test_plistlib.py
	91	index fa46050658..229a5a242e 100644
	92	--- a/Lib/test/test_plistlib.py
	93	+++ b/Lib/test/test_plistlib.py
	94	@@ -841,8 +841,7 @@ class TestPlistlib(unittest.TestCase):
	95
	96	class TestBinaryPlistlib(unittest.TestCase):
	97
	98	- @staticmethod
	99	- def decode(*objects, offset_size=1, ref_size=1):
	100	+ def build(self, *objects, offset_size=1, ref_size=1):
	101	data = [b'bplist00']
	102	offset = 8
	103	offsets = []
	104	@@ -854,7 +853,11 @@ class TestBinaryPlistlib(unittest.TestCase):
	105	len(objects), 0, offset)
	106	data.extend(offsets)
	107	data.append(tail)
	108	- return plistlib.loads(b''.join(data), fmt=plistlib.FMT_BINARY)
	109	+ return b''.join(data)
	110	+
	111	+ def decode(self, *objects, offset_size=1, ref_size=1):
	112	+ data = self.build(*objects, offset_size=offset_size, ref_size=ref_size)
	113	+ return plistlib.loads(data, fmt=plistlib.FMT_BINARY)
	114
	115	def test_nonstandard_refs_size(self):
	116	# Issue #21538: Refs and offsets are 24-bit integers
	117	@@ -963,6 +966,34 @@ class TestBinaryPlistlib(unittest.TestCase):
	118	with self.assertRaises(plistlib.InvalidFileException):
	119	plistlib.loads(b'bplist00' + data, fmt=plistlib.FMT_BINARY)
	120
	121	+ def test_truncated_large_data(self):
	122	+ self.addCleanup(os_helper.unlink, os_helper.TESTFN)
	123	+ def check(data):
	124	+ with open(os_helper.TESTFN, 'wb') as f:
	125	+ f.write(data)
	126	+ # buffered file
	127	+ with open(os_helper.TESTFN, 'rb') as f:
	128	+ with self.assertRaises(plistlib.InvalidFileException):
	129	+ plistlib.load(f, fmt=plistlib.FMT_BINARY)
	130	+ # unbuffered file
	131	+ with open(os_helper.TESTFN, 'rb', buffering=0) as f:
	132	+ with self.assertRaises(plistlib.InvalidFileException):
	133	+ plistlib.load(f, fmt=plistlib.FMT_BINARY)
	134	+ for w in range(20, 64):
	135	+ s = 1 << w
	136	+ # data
	137	+ check(self.build(b'\x4f\x13' + s.to_bytes(8, 'big')))
	138	+ # ascii string
	139	+ check(self.build(b'\x5f\x13' + s.to_bytes(8, 'big')))
	140	+ # unicode string
	141	+ check(self.build(b'\x6f\x13' + s.to_bytes(8, 'big')))
	142	+ # array
	143	+ check(self.build(b'\xaf\x13' + s.to_bytes(8, 'big')))
	144	+ # dict
	145	+ check(self.build(b'\xdf\x13' + s.to_bytes(8, 'big')))
	146	+ # number of objects
	147	+ check(b'bplist00' + struct.pack('>6xBBQQQ', 1, 1, s, 0, 8))
	148	+
	149
	150	class TestKeyedArchive(unittest.TestCase):
	151	def test_keyed_archive_data(self):
	152	diff --git a/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst b/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst
	153	new file mode 100644
	154	index 0000000000..04fd8faca4
	155	--- /dev/null
	156	+++ b/Misc/NEWS.d/next/Security/2024-05-21-22-11-31.gh-issue-119342.BTFj4Z.rst
	157	@@ -0,0 +1,5 @@
	158	+Fix a potential memory denial of service in the :mod:`plistlib` module.
	159	+When reading a Plist file received from untrusted source, it could cause
	160	+an arbitrary amount of memory to be allocated.
	161	+This could have led to symptoms including a :exc:`MemoryError`, swapping, out
	162	+of memory (OOM) killed processes or containers, or even system crashes.