Date: Thu, 16 Apr 2026 21:38:39 +0000
From: Daniel Engberg <diizzy@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Cc: Matthias Andree <mandree@FreeBSD.org>
Subject: git: 013edbc0a89f - main - lang/python314: Security update + other fixes
Message-ID: <69e156df.27e85.7226c664@gitrepo.freebsd.org>
The branch main has been updated by diizzy: URL: https://cgit.FreeBSD.org/ports/commit/?id=013edbc0a89fc65ca15a5a9b49ef9056859f69db commit 013edbc0a89fc65ca15a5a9b49ef9056859f69db Author: Matthias Andree <mandree@FreeBSD.org> AuthorDate: 2026-04-13 00:10:42 +0000 Commit: Daniel Engberg <diizzy@FreeBSD.org> CommitDate: 2026-04-16 21:38:32 +0000 lang/python314: Security update + other fixes Fix critical use-after-free bug in LZMA/BZ2/ZLib decompressor routines when reusing decompressor instances after a MemoryError was raised from one. While here: - fix DEBUG build/package (several %%ABI%% were in the wrong place in pkg-plist that caused failed installs) - switch to using system textproc/expat2 library - issue warnings in pre-test that IPV6, PYMALLOC are required and DEBUG also breaks one self-test - bump PORTREVISION - drop LTOFULL again and make LTO use =full References: https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3 https://www.cve.org/CVERecord?id=CVE-2026-6100 https://github.com/python/cpython/pull/148396 Obtained from: GitHub repo https://github.com/python/cpython/commit/c8d8173c4b06d06902c99ec010ad785a30952880 Security: CVE-2026-6100 b8e9f33c-375d-11f1-a119-e36228bfe7d4 --- lang/python314/Makefile | 29 ++++++---- ...tch-gh-148395-fix-possible-uaf-in-decompressors | 65 ++++++++++++++++++++++ lang/python314/pkg-plist | 42 +++++++------- 3 files changed, 104 insertions(+), 32 deletions(-) diff --git a/lang/python314/Makefile b/lang/python314/Makefile index 6830b8f512e0..ed0a5c6cb643 100644 --- a/lang/python314/Makefile +++ b/lang/python314/Makefile @@ -1,5 +1,6 @@ PORTNAME= python DISTVERSION= ${PYTHON_DISTVERSION} # see Makefile.version +PORTREVISION= 1 CATEGORIES= lang python MASTER_SITES= PYTHON/ftp/python/${DISTVERSION:C/[a-z].*//} PKGNAMESUFFIX= ${PYTHON_SUFFIX} 
@@ -12,7 +13,8 @@ WWW= https://www.python.org/ LICENSE= PSFL -LIB_DEPENDS= libffi.so:devel/libffi \ +LIB_DEPENDS= libexpat.so:textproc/expat2 \ + libffi.so:devel/libffi \ libzstd.so:archivers/zstd USES= compiler:c11 cpe ncurses pathfix pkgconfig readline \ @@ -32,7 +34,7 @@ PYTHON_VERSION= python${PYTHON_VER} PYTHON_SUFFIX= ${PYTHON_VER:S/.//g} DISABLED_EXTENSIONS= _gdbm _sqlite3 _tkinter -CONFIGURE_ARGS+= --enable-shared --without-ensurepip +CONFIGURE_ARGS+= --enable-shared --without-ensurepip --with-system-expat CONFIGURE_ENV+= OPT="" # Null out OPT to respect user CFLAGS and remove optimizations INSTALL_TARGET= altinstall # Don't want cloberring of unprefixed files @@ -54,13 +56,12 @@ PLIST_SUB= ABI=${ABIFLAGS} \ XYZDOT=${DISTVERSION:C/[a-z].*//} \ OSMAJOR=${OSVERSION:C/([0-9]*)[0-9]{5}/\1/} # For plat-freebsd* in pkg-plist. https://bugs.python.org/issue19554 -OPTIONS_DEFINE= DEBUG IPV6 LIBMPDEC NLS PYMALLOC +OPTIONS_DEFINE= DEBUG IPV6 LIBMPDEC LTO NLS PYMALLOC OPTIONS_DEFAULT= LIBMPDEC LTO PYMALLOC -OPTIONS_EXCLUDE_powerpc64= LTO LTOFULL -OPTIONS_EXCLUDE_riscv64= LTO LTOFULL -OPTIONS_RADIO= HASH LTO +OPTIONS_EXCLUDE_powerpc64= LTO +OPTIONS_EXCLUDE_riscv64= LTO +OPTIONS_RADIO= HASH OPTIONS_RADIO_HASH= FNV SIPHASH -OPTIONS_RADIO_LTO= LTO LTOFULL OPTIONS_SUB= yes LIBMPDEC_DESC= Use libmpdec from ports instead of bundled version @@ -82,8 +83,7 @@ IPV6_CONFIGURE_ENABLE= ipv6 LIBMPDEC_CONFIGURE_ON= --with-system-libmpdec LIBMPDEC_LIB_DEPENDS= libmpdec.so:math/mpdecimal -LTO_CONFIGURE_ON= --with-lto -LTOFULL_CONFIGURE_ON= --with-lto=full +LTO_CONFIGURE_ON= --with-lto=full # Use CPPFLAGS over CFLAGS due to -I ordering, causing elementtree and pyexpat # to break in Python 2.7, or preprocessor complaints in Python >= 3.3 
@@ -133,7 +133,6 @@ post-patch: # disable the detection of includes and library from e2fsprogs-libuuid, # which introduces hidden dependency and breaks build @${REINPLACE_CMD} -e 's|uuid/uuid.h|ignore_&|' ${WRKSRC}/configure - # disable detection of multiarch as it breaks with clang >= 13, which adds a # major.minor version number in -print-multiarch output, confusing Python @${REINPLACE_CMD} -e 's|^\( *MULTIARCH=\).*--print-multiarch.*|\1|' ${WRKSRC}/configure @@ -142,6 +141,8 @@ post-patch: . for _module in ${DISABLED_EXTENSIONS} @${ECHO_CMD} ${_module} >> ${WRKSRC}/Modules/Setup.local . endfor +# Strip Expat module + ${RM} -R ${WRKSRC}/Modules/expat post-install: .if ! ${PORT_OPTIONS:MDEBUG} @@ -185,10 +186,16 @@ pre-test: @${ECHO_CMD} "=== NOTE: the py314-* gdbm, sqlite3, tkinter modules must be rebuilt before the test ===" .if ${PORT_OPTIONS:MDEBUG} @${ECHO_CMD} "=== NOTE: The test_ssl test is known to fail with DEBUG option enabled ===" +.endif +.if empty(PORT_OPTIONS:MIPV6) + @${ECHO_CMD} "=== NOTE: Some asynch tests require IPV6 support enabled, expect some test failures ===" +.endif +.if empty(PORT_OPTIONS:MPYMALLOC) + @${ECHO_CMD} "=== NOTE: Some tests depend on PYMALLOC option enabled, expect some test failures ===" .endif sleep 5 post-clean: - ${RM} ${_sigstorebundle} + @${RM} ${_sigstorebundle} .include <bsd.port.mk> diff --git a/lang/python314/files/patch-gh-148395-fix-possible-uaf-in-decompressors b/lang/python314/files/patch-gh-148395-fix-possible-uaf-in-decompressors new file mode 100644 index 000000000000..d5532033752e --- /dev/null +++ b/lang/python314/files/patch-gh-148395-fix-possible-uaf-in-decompressors 
@@ -0,0 +1,65 @@ +From c8d8173c4b06d06902c99ec010ad785a30952880 Mon Sep 17 00:00:00 2001 +From: Stan Ulbrych <stan@python.org> +Date: Mon, 13 Apr 2026 02:14:54 +0100 +Subject: [PATCH] gh-148395: Fix a possible UAF in + `{LZMA,BZ2,_Zlib}Decompressor` (GH-148396) + +Fix dangling input pointer after `MemoryError` in _lzma/_bz2/_ZlibDecompressor.decompress +(cherry picked from commit 8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2) + +Co-authored-by: Stan Ulbrych <stan@python.org> +--- + .../Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst | 5 +++++ + Modules/_bz2module.c | 1 + + Modules/_lzmamodule.c | 1 + + Modules/zlibmodule.c | 1 + + 4 files changed, 8 insertions(+) + create mode 100644 Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst + +diff --git a/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst +new file mode 100644 +index 00000000000000..9502189ab199c1 +--- /dev/null ++++ ./Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst +@@ -0,0 +1,5 @@ ++Fix a dangling input pointer in :class:`lzma.LZMADecompressor`, ++:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor` ++when memory allocation fails with :exc:`MemoryError`, which could let a ++subsequent :meth:`!decompress` call read or write through a stale pointer to ++the already-released caller buffer. 
+diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c +index 9e85e0de42cd8d..055ce82e7d2863 100644 +--- ./Modules/_bz2module.c ++++ b/Modules/_bz2module.c +@@ -593,6 +593,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len, Py_ssize_t max_length) + return result; + + error: ++ bzs->next_in = NULL; + Py_XDECREF(result); + return NULL; + } +diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c +index 462c2181fa6036..6785dc56730c5c 100644 +--- ./Modules/_lzmamodule.c ++++ b/Modules/_lzmamodule.c +@@ -1120,6 +1120,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len, Py_ssize_t max_length) + return result; + + error: ++ lzs->next_in = NULL; + Py_XDECREF(result); + return NULL; + } +diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c +index 5b6b0c5cac864a..a86aa5fdbb576c 100644 +--- ./Modules/zlibmodule.c ++++ b/Modules/zlibmodule.c +@@ -1675,6 +1675,7 @@ decompress(ZlibDecompressor *self, uint8_t *data, + return result; + + error: ++ self->zst.next_in = NULL; + Py_XDECREF(result); + return NULL; + } diff --git a/lang/python314/pkg-plist b/lang/python314/pkg-plist index b529fcd0dd41..b5fe9727f492 100644 --- a/lang/python314/pkg-plist +++ b/lang/python314/pkg-plist 
@@ -363,9 +363,9 @@ lib/python%%XYDOT%%/__pycache__/_sitebuiltins.cpython-%%XY%%.pyc lib/python%%XYDOT%%/__pycache__/_strptime.cpython-%%XY%%.opt-1.pyc lib/python%%XYDOT%%/__pycache__/_strptime.cpython-%%XY%%.opt-2.pyc lib/python%%XYDOT%%/__pycache__/_strptime.cpython-%%XY%%.pyc -lib/python%%XYDOT%%/__pycache__/_sysconfigdata__freebsd_.cpython-%%XY%%.opt-1.pyc -lib/python%%XYDOT%%/__pycache__/_sysconfigdata__freebsd_.cpython-%%XY%%.opt-2.pyc -lib/python%%XYDOT%%/__pycache__/_sysconfigdata__freebsd_.cpython-%%XY%%.pyc +lib/python%%XYDOT%%/__pycache__/_sysconfigdata_%%ABI%%_freebsd_.cpython-%%XY%%.opt-1.pyc +lib/python%%XYDOT%%/__pycache__/_sysconfigdata_%%ABI%%_freebsd_.cpython-%%XY%%.opt-2.pyc +lib/python%%XYDOT%%/__pycache__/_sysconfigdata_%%ABI%%_freebsd_.cpython-%%XY%%.pyc lib/python%%XYDOT%%/__pycache__/_threading_local.cpython-%%XY%%.opt-1.pyc lib/python%%XYDOT%%/__pycache__/_threading_local.cpython-%%XY%%.opt-2.pyc lib/python%%XYDOT%%/__pycache__/_threading_local.cpython-%%XY%%.pyc @@ -882,8 +882,8 @@ lib/python%%XYDOT%%/_pyrepl/windows_console.py lib/python%%XYDOT%%/_pyrepl/windows_eventqueue.py lib/python%%XYDOT%%/_sitebuiltins.py lib/python%%XYDOT%%/_strptime.py -lib/python%%XYDOT%%/_sysconfig_vars__freebsd_.json -lib/python%%XYDOT%%/_sysconfigdata__freebsd_.py +lib/python%%XYDOT%%/_sysconfig_vars_%%ABI%%_freebsd_.json +lib/python%%XYDOT%%/_sysconfigdata_%%ABI%%_freebsd_.py lib/python%%XYDOT%%/_threading_local.py lib/python%%XYDOT%%/_weakrefset.py lib/python%%XYDOT%%/abc.py 
@@ -1120,18 +1120,18 @@ lib/python%%XYDOT%%/concurrent/interpreters/__pycache__/_queues.cpython-%%XY%%.o lib/python%%XYDOT%%/concurrent/interpreters/__pycache__/_queues.cpython-%%XY%%.pyc lib/python%%XYDOT%%/concurrent/interpreters/_crossinterp.py lib/python%%XYDOT%%/concurrent/interpreters/_queues.py -lib/python%%XYDOT%%/config-%%XYDOT%%/Makefile -lib/python%%XYDOT%%/config-%%XYDOT%%/Setup -lib/python%%XYDOT%%/config-%%XYDOT%%/Setup.bootstrap -lib/python%%XYDOT%%/config-%%XYDOT%%/Setup.local -lib/python%%XYDOT%%/config-%%XYDOT%%/Setup.stdlib -lib/python%%XYDOT%%/config-%%XYDOT%%/config.c -lib/python%%XYDOT%%/config-%%XYDOT%%/config.c.in -lib/python%%XYDOT%%/config-%%XYDOT%%/install-sh -lib/python%%XYDOT%%/config-%%XYDOT%%/libpython%%XYDOT%%%%ABI%%.a -lib/python%%XYDOT%%/config-%%XYDOT%%/makesetup -lib/python%%XYDOT%%/config-%%XYDOT%%/python-config.py -lib/python%%XYDOT%%/config-%%XYDOT%%/python.o +lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/Makefile +lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/Setup +lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/Setup.bootstrap +lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/Setup.local +lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/Setup.stdlib +lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/config.c +lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/config.c.in +lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/install-sh +lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/libpython%%XYDOT%%%%ABI%%.a +lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/makesetup +lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/python-config.py +lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/python.o lib/python%%XYDOT%%/configparser.py lib/python%%XYDOT%%/contextlib.py lib/python%%XYDOT%%/contextvars.py 
@@ -2581,9 +2581,9 @@ lib/python%%XYDOT%%/lib-dynload/_elementtree.cpython-%%XY%%%%ABI%%.so lib/python%%XYDOT%%/lib-dynload/_hmac.cpython-%%XY%%%%ABI%%.so %%SUPPORTED_OPENSSL%%lib/python%%XYDOT%%/lib-dynload/_hashlib.cpython-%%XY%%%%ABI%%.so lib/python%%XYDOT%%/lib-dynload/_heapq.cpython-%%XY%%%%ABI%%.so -lib/python%%XYDOT%%/lib-dynload/_interpchannels.cpython-%%XY%%.so -lib/python%%XYDOT%%/lib-dynload/_interpqueues.cpython-%%XY%%.so -lib/python%%XYDOT%%/lib-dynload/_interpreters.cpython-%%XY%%.so +lib/python%%XYDOT%%/lib-dynload/_interpchannels.cpython-%%XY%%%%ABI%%.so +lib/python%%XYDOT%%/lib-dynload/_interpqueues.cpython-%%XY%%%%ABI%%.so +lib/python%%XYDOT%%/lib-dynload/_interpreters.cpython-%%XY%%%%ABI%%.so lib/python%%XYDOT%%/lib-dynload/_json.cpython-%%XY%%%%ABI%%.so lib/python%%XYDOT%%/lib-dynload/_lsprof.cpython-%%XY%%%%ABI%%.so lib/python%%XYDOT%%/lib-dynload/_lzma.cpython-%%XY%%%%ABI%%.so @@ -8313,4 +8313,4 @@ lib/python%%XYDOT%%/zoneinfo/_tzpath.py lib/python%%XYDOT%%/zoneinfo/_zoneinfo.py libdata/pkgconfig/python-%%XYDOT%%-embed.pc libdata/pkgconfig/python-%%XYDOT%%.pc -share/man/man1/python%%XYDOT%%%%ABI%%.1.gz +share/man/man1/python%%XYDOT%%.1.gz
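Review bot: the expat hunks (LIB_DEPENDS libexpat.so:textproc/expat2, --with-system-expat, and `${RM} -R ${WRKSRC}/Modules/expat` in post-patch) should record their security rationale in the commit message rather than the bare "switch to using system textproc/expat2 library": with the bundled copy removed, expat CVEs are fixed by a textproc/expat2 update instead of waiting for a python314 rebuild, and deleting the directory turns any future silent fallback to the bundled sources into a hard build failure. The `# Strip Expat module` comment would be more useful if it said that (it is a guard against the fallback, not a size optimisation).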
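Review bot: in the LTO hunk, collapsing the `LTO`/`LTOFULL` radio into a single `LTO_CONFIGURE_ON= --with-lto=full` silently changes what the default does, since `OPTIONS_DEFAULT= LIBMPDEC LTO PYMALLOC` still selects `LTO`: every default build now links with full LTO, which is considerably slower and more memory-hungry at link time than the previous `--with-lto` (thin) setting. State why in the commit message (the "drop LTOFULL again" bullet gives no reason), confirm that any `LTO_DESC` still describes the option accurately, and note that users who had `LTOFULL` in their saved options will now carry a stale, ignored option rather than get an error.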
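Review bot: `asynch` in the new IPV6 pre-test note is a typo for `async`. Beyond the spelling, the three `.if` blocks only print a note and then `sleep 5`; since the commit message itself says IPV6 and PYMALLOC are required for a clean run, the IPV6 and PYMALLOC cases could stop `make test` outright (or at least say which tests are expected to fail) so a failing run is not mistaken for a regression in the security patch.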
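Review bot: the file headers in the new patch file mix prefixes, `--- ./Modules/_bz2module.c` against `+++ b/Modules/_bz2module.c` (likewise for `_lzmamodule.c` and `zlibmodule.c`). With the ports default `-p0` this only applies because patch(1) falls back to whichever of the two named files exists; a future patch(1) with stricter name selection would reject it. Regenerate the file with `make makepatch`, or at least rewrite both header lines to the same prefix, so the patch does not depend on that heuristic. Keeping the upstream `From c8d8173c...` header and the `(cherry picked from commit 8fc66aef...)` trailer is fine for provenance, since they tie the file to the commit named in "Obtained from".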
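Review bot: at the `error:` label in `_bz2module.c` decompress(), `bzs->next_in = NULL;` clears the pointer into the caller's (soon released) buffer but leaves `bzs->avail_in` at whatever count remained when the allocation failed. If the re-entry path keys only on `next_in != NULL` to decide whether buffered input must be prepended (that check lies outside this hunk), nulling the pointer is sufficient; if anything ever consults `avail_in` first, a non-zero count paired with a NULL pointer is a latent NULL-plus-offset read. Consider also writing `bzs->avail_in = 0;` on the error path, and the same for `lzs->avail_in` and `self->zst.avail_in` in the `_lzmamodule.c` and `zlibmodule.c` hunks, so the stream's input state is consistent regardless of which field a caller inspects.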
Archive URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69e156df.27e85.7226c664>
