On Wed Apr 29, 2026 at 2:29 PM CEST, Hitendra Prajapati via lists.openembedded.org wrote: > Pick patch from [1] also mentioned at NVD report in [2] > > [1] > https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20 > [2] https://nvd.nist.gov/vuln/detail/CVE-2026-6100 > [3] https://security-tracker.debian.org/tracker/CVE-2026-6100 > > Signed-off-by: Hitendra Prajapati <[email protected]>
Hello, As fas as I can tell, this patch is also needed on master and wrynose. I can't merge here until this is fixed on those branches. Can you send a patch to fix this on these branches and then, ping back here? Thanks! > --- > .../python/python3/CVE-2026-6100.patch | 75 +++++++++++++++++++ > .../python/python3_3.12.13.bb | 1 + > 2 files changed, 76 insertions(+) > create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-6100.patch > > diff --git a/meta/recipes-devtools/python/python3/CVE-2026-6100.patch > b/meta/recipes-devtools/python/python3/CVE-2026-6100.patch > new file mode 100644 > index 0000000000..9084101434 > --- /dev/null > +++ b/meta/recipes-devtools/python/python3/CVE-2026-6100.patch > @@ -0,0 +1,75 @@ > +From c3cf71c3366fe49acb776a639405c0eea6169c20 Mon Sep 17 00:00:00 2001 > +From: "Miss Islington (bot)" > + <[email protected]> > +Date: Mon, 13 Apr 2026 03:35:24 +0200 > +Subject: [PATCH] [3.13] gh-148395: Fix a possible UAF in > + `{LZMA,BZ2,_Zlib}Decompressor` (GH-148396) (#148479) > + > +gh-148395: Fix a possible UAF in `{LZMA,BZ2,_Zlib}Decompressor` (GH-148396) > + > +Fix dangling input pointer after `MemoryError` in > _lzma/_bz2/_ZlibDecompressor.decompress > +(cherry picked from commit 8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2) > + > +Co-authored-by: Stan Ulbrych <[email protected]> > + > +CVE: CVE-2026-6100 > +Upstream-Status: Backport > [https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20] > +Signed-off-by: Hitendra Prajapati <[email protected]> > +--- > + .../Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst | 5 +++++ > + Modules/_bz2module.c | 1 + > + Modules/_lzmamodule.c | 1 + > + Modules/zlibmodule.c | 1 + > + 4 files changed, 8 insertions(+) > + create mode 100644 > Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst > + > +diff --git > a/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst > b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst > +new file mode 100644 > +index 0000000..9502189 > +--- /dev/null > ++++ > b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst > +@@ -0,0 +1,5 @@ > ++Fix a dangling input pointer in :class:`lzma.LZMADecompressor`, > ++:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor` > ++when memory allocation fails with :exc:`MemoryError`, which could let a > ++subsequent :meth:`!decompress` call read or write through a stale pointer to > ++the already-released caller buffer. > +diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c > +index 97bd44b..a732e89 100644 > +--- a/Modules/_bz2module.c > ++++ b/Modules/_bz2module.c > +@@ -587,6 +587,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len, > Py_ssize_t max_length) > + return result; > + > + error: > ++ bzs->next_in = NULL; > + Py_XDECREF(result); > + return NULL; > + } > +diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c > +index 7bbd656..103a6ef 100644 > +--- a/Modules/_lzmamodule.c > ++++ b/Modules/_lzmamodule.c > +@@ -1114,6 +1114,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len, > Py_ssize_t max_length) > + return result; > + > + error: > ++ lzs->next_in = NULL; > + Py_XDECREF(result); > + return NULL; > + } > +diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c > +index f94c57e..9759593 100644 > +--- a/Modules/zlibmodule.c > ++++ b/Modules/zlibmodule.c > +@@ -1645,6 +1645,7 @@ decompress(ZlibDecompressor *self, uint8_t *data, > + return result; > + > + error: > ++ self->zst.next_in = NULL; > + Py_XDECREF(result); > + return NULL; > + } > +-- > +2.50.1 > + > diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb > b/meta/recipes-devtools/python/python3_3.12.13.bb > index da7e3c604e..4865178572 100644 > --- a/meta/recipes-devtools/python/python3_3.12.13.bb > +++ b/meta/recipes-devtools/python/python3_3.12.13.bb > @@ -35,6 +35,7 @@ SRC_URI = > "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ > file://0001-test_active_children-skip-problematic-test.patch \ > file://0001-test_readline-skip-limited-history-test.patch \ > file://CVE-2026-1502.patch \ > + file://CVE-2026-6100.patch \ > " > > SRC_URI:append:class-native = " \ -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#236623): https://lists.openembedded.org/g/openembedded-core/message/236623 Mute This Topic: https://lists.openembedded.org/mt/119063102/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
