[Bug 210324] lang/python35, lang/python34, lang/python27: Possible integer overflow and heap corruption in zipimporter (CVE-2016-5636)

Thu Jun 16 16:16:10 UTC 2016

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210324

            Bug ID: 210324
           Summary: lang/python35, lang/python34, lang/python27: Possible
                    integer overflow and heap corruption in zipimporter
                    (CVE-2016-5636)
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: http://bugs.python.org/issue26171
                OS: Any
            Status: New
          Keywords: needs-qa, patch, security
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: python at FreeBSD.org
          Reporter: vlad-fbsd at acheronmedia.com
                CC: junovitch at freebsd.org, ports-secteam at FreeBSD.org,
                    python at FreeBSD.org
                CC: python at FreeBSD.org
          Assignee: python at FreeBSD.org
             Flags: maintainer-feedback?(python at FreeBSD.org),
                    maintainer-feedback?(python at FreeBSD.org)

Created attachment 171488
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=171488&action=edit
VuXML entry for Pythons' vuln CVE-2016-5636

Looks like Python 3.5, 3.4 and 2.7 are vulnerable to CVE-2016-5636.

* Upstream issue: http://bugs.python.org/issue26171
* CVE assignment: http://openwall.com/lists/oss-security/2016/06/16/1

Attached is a vuxml entry patch. Please check it, this is my first vuxml
submission.

I also have not checked the status/vulnerability of python32 and python33, I am
listing the hereby given three versions since that's what the upstream reported
and patched.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.