openeuler-ci-bot
Gitee
commit
b1a0bf8ffe
89
CVE-2019-9674.patch
Normal file
89
CVE-2019-9674.patch
Normal file
@ -0,0 +1,89 @@
|
||||
From 7c1b25f7c1e9381fa4b96b4fc489e4bbbe065f02 Mon Sep 17 00:00:00 2001
|
||||
From: JunWei Song <sungboss2004@gmail.com>
|
||||
Date: Wed, 11 Sep 2019 23:04:12 +0800
|
||||
Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation
|
||||
(#13378)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
* bpo-36260: Add pitfalls to zipfile module documentation
|
||||
|
||||
We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file.
|
||||
This gave us the idea of documentation improvement.
|
||||
|
||||
So, we moved a little bit forward :P
|
||||
And the doc patch can be found (pr).
|
||||
|
||||
* fix trailing whitespace
|
||||
|
||||
* 📜 🤖 Added by blurb_it.
|
||||
|
||||
* Reformat text for consistency.
|
||||
|
||||
---
|
||||
Doc/library/zipfile.rst | 40 +++++++++++++++++++
|
||||
.../2019-06-04-09-29-00.bpo-36260.WrGuc-.rst | 1 +
|
||||
2 files changed, 41 insertions(+)
|
||||
create mode 100644 Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
|
||||
|
||||
diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
|
||||
index 6fb03a0..6fa0a28 100644
|
||||
--- a/Doc/library/zipfile.rst
|
||||
+++ b/Doc/library/zipfile.rst
|
||||
@@ -730,5 +730,45 @@ Command-line options
|
||||
|
||||
Test whether the zipfile is valid or not.
|
||||
|
||||
+Decompression pitfalls
|
||||
+----------------------
|
||||
+
|
||||
+The extraction in zipfile module might fail due to some pitfalls listed below.
|
||||
+
|
||||
+From file itself
|
||||
+~~~~~~~~~~~~~~~~
|
||||
+
|
||||
+Decompression may fail due to incorrect password / CRC checksum / ZIP format or
|
||||
+unsupported compression method / decryption.
|
||||
+
|
||||
+File System limitations
|
||||
+~~~~~~~~~~~~~~~~~~~~~~~
|
||||
+
|
||||
+Exceeding limitations on different file systems can cause decompression failed.
|
||||
+Such as allowable characters in the directory entries, length of the file name,
|
||||
+length of the pathname, size of a single file, and number of files, etc.
|
||||
+
|
||||
+Resources limitations
|
||||
+~~~~~~~~~~~~~~~~~~~~~
|
||||
+
|
||||
+The lack of memory or disk volume would lead to decompression
|
||||
+failed. For example, decompression bombs (aka `ZIP bomb`_)
|
||||
+apply to zipfile library that can cause disk volume exhaustion.
|
||||
+
|
||||
+Interruption
|
||||
+~~~~~~~~~~~~
|
||||
+
|
||||
+Interruption during the decompression, such as pressing control-C or killing the
|
||||
+decompression process may result in incomplete decompression of the archive.
|
||||
+
|
||||
+Default behaviors of extraction
|
||||
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
+
|
||||
+Not knowing the default extraction behaviors
|
||||
+can cause unexpected decompression results.
|
||||
+For example, when extracting the same archive twice,
|
||||
+it overwrites files without asking.
|
||||
+
|
||||
|
||||
+.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
|
||||
.. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
|
||||
diff --git a/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
|
||||
new file mode 100644
|
||||
index 0000000..9276516
|
||||
--- /dev/null
|
||||
+++ b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
|
||||
@@ -0,0 +1 @@
|
||||
+Add decompression pitfalls to zipfile module documentation.
|
||||
\ No newline at end of file
|
||||
--
|
||||
2.23.0
|
||||
10
python3.spec
10
python3.spec
@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
|
||||
URL: https://www.python.org/
|
||||
|
||||
Version: 3.7.4
|
||||
Release: 8
|
||||
Release: 9
|
||||
License: Python
|
||||
|
||||
%global branchversion 3.7
|
||||
@ -104,6 +104,7 @@ Patch316: 00316-mark-bdist_wininst-unsupported.patch
|
||||
Patch6000: CVE-2019-16056.patch
|
||||
Patch6001: CVE-2019-16935.patch
|
||||
Patch6002: CVE-2019-17514.patch
|
||||
Patch6003: CVE-2019-9674.patch
|
||||
|
||||
Provides: python%{branchversion} = %{version}-%{release}
|
||||
Provides: python(abi) = %{branchversion}
|
||||
@ -194,6 +195,7 @@ rm Lib/ensurepip/_bundled/*.whl
|
||||
%patch6000 -p1
|
||||
%patch6001 -p1
|
||||
%patch6002 -p1
|
||||
%patch6003 -p1
|
||||
|
||||
rm configure pyconfig.h.in
|
||||
|
||||
@ -794,6 +796,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
|
||||
%{_mandir}/*/*
|
||||
|
||||
%changelog
|
||||
* Tue Apr 21 2020 hanxinke<hanxinke@huawei.com> - 3.7.4-9
|
||||
- Type:cves
|
||||
- ID:CVE-2019-9674
|
||||
- SUG:NA
|
||||
- DESC:fix CVE-2019-9674
|
||||
|
||||
* Tue Mar 17 2020 hanxinke<hanxinke@huawei.com> - 3.7.4-8
|
||||
- Type:bugfix
|
||||
- ID:NA
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user