Date:      Thu, 16 Apr 2026 21:38:37 +0000
From:      Daniel Engberg <diizzy@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Cc:        Matthias Andree <mandree@FreeBSD.org>
Subject:   git: 22584e71f43f - main - security/vuxml: Add entry for Python CVE-2026-6100
Message-ID:  <69e156dd.30481.4cc5a50@gitrepo.freebsd.org>


The branch main has been updated by diizzy:

URL: https://cgit.FreeBSD.org/ports/commit/?id=22584e71f43f5a2b074284c2122eda58440080fa

commit 22584e71f43f5a2b074284c2122eda58440080fa
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2026-04-13 17:33:16 +0000
Commit:     Daniel Engberg <diizzy@FreeBSD.org>
CommitDate: 2026-04-16 21:38:32 +0000

    security/vuxml: Add entry for Python CVE-2026-6100
    
    Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor
    and gzip.GzipFile
    
    Obtained from:  GitHub repo
    Security:       b8e9f33c-375d-11f1-a119-e36228bfe7d4
                    CVE-2026-6100
---
 security/vuxml/vuln/2026.xml | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml
index 23234671a2c1..81f347cc62c5 100644
--- a/security/vuxml/vuln/2026.xml
+++ b/security/vuxml/vuln/2026.xml
@@ -220,6 +220,47 @@
     </dates>
   </vuln>
 
+  <vuln vid="b8e9f33c-375d-11f1-a119-e36228bfe7d4">
+    <topic>Python -- use-after-free vulnerability in decompressors under memory pressure</topic>
+    <affects>
+      <package><name>python310</name><range><ge>0</ge></range></package>
+      <package><name>python311</name><range><ge>0</ge></range></package>
+      <package><name>python312</name><range><ge>0</ge></range></package>
+      <package><name>python313</name><range><ge>0</ge></range></package>
+      <package><name>python314</name><range><lt>3.14.4_1</lt></range></package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Seth Larson reports:</p>
+	<blockquote cite="https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3/">;
+	  <p>There is a CRITICAL severity vulnerability affecting CPython.</p>
+	  <p>Use-after-free (UAF) was possible in the lzma.LZMADecompressor,
+	    bz2.BZ2Decompressor, and gzip.GzipFile when a memory allocation fails
+	    with a MemoryError and the decompression instance is re-used. This
+	    scenario can be triggered if the process is under memory pressure. The fix
+	    cleans up the dangling pointer in this specific error condition.</p>
+	  <p>The vulnerability is only present if the program re-uses decompressor
+	    instances across multiple decompression calls even after a MemoryError is
+	    raised during decompression. Using the helper functions to one-shot
+	    decompress data such as lzma.decompress(), bz2.decompress(),
+	    gzip.decompress(), and zlib.decompress() are not affected as a new
+	    decompressor instance is created for each call. If the decompressor
+	    instance is not re-used after an error condition, this usage is similarly
+	    not vulnerable.</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2026-6100</cvename>
+      <url>https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3/</url>;
+      <url>https://github.com/python/cpython/issues/148395</url>;
+    </references>
+    <dates>
+      <discovery>2026-04-11</discovery>
+      <entry>2026-04-13</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="57f31f61-36a1-11f1-9839-8447094a420f">
     <topic>Vaultwarden -- Multiple vulnerabilities</topic>
     <affects>
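Review bot: the stray `;` after the `<body xmlns="http://www.w3.org/1999/xhtml">` opening tag, after the `<blockquote cite="...">` opening tag, and after both `</url>` closing tags would be invalid content in the vuxml document if they are really in the committed file; if they are only an artifact of the mail-archive rendering of this diff nothing needs to change, otherwise drop them and re-run `make validate` in security/vuxml before pushing. Two smaller points: the `<body>` block is indented with tabs while the rest of the entry uses spaces, and the python310 through python313 ranges are open-ended (`<ge>0</ge>`) with only python314 carrying an upper bound of `3.14.4_1`, so the entry will need a follow-up commit tightening those ranges once patched versions of the other ports land.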

