Python3.4 / CVE-2016-5636



Supposedly this should be the patch for the problem:

https://hg.python.org/cpython/rev/fa006d671f41

However all I seem to be able to find is an empty patch, although the
files listed are correct.

Can anyone here see how to find the correct patch?

There is a good patch here:

https://hg.python.org/cpython/rev/01ddd608b85c

However I think this is an earlier version that was criticised as being
insufficient:

https://bugs.python.org/issue26171#msg258779

The patch does sanitize the data_size value; however it looks like it
might be insufficient, as it catches negative values. Not sure I really
understand just yet, however; the description doesn't make 100% sense
and suggests that any small value of data_size might be a problem, not
just negative values.
-- 
Brian May <bam@debian.org>
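The message above turns on what a "sanitized" data_size check needs to cover when the value comes from an untrusted archive header: a negative value, and an allocation computed as data_size + 1 that can wrap. The following is an added example written for this page, not CPython's zipimport code and not the patch under discussion. The names read_le32_signed, naive_alloc_size and data_size_is_safe are hypothetical, the sample header bytes are constructed, and the layout (a 4-byte size field read as a sign-extended 32-bit value) is an assumption about how such a reader interprets the field. It shows why a check that only rejects negatives is not the whole story: the allocation size, the overflow of the +1, and the bound against the remaining file length all have to be checked.

```c
#include <assert.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical reader helper (assumption, not CPython's get_long): decodes a
 * 4-byte little-endian field and sign-extends it into a long, so the raw
 * bytes FF FF FF FF come back as -1 rather than 4294967295. */
long read_le32_signed(const unsigned char *p)
{
    uint32_t x = (uint32_t)p[0] | ((uint32_t)p[1] << 8)
               | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    /* Two's-complement reinterpretation: 0xFFFFFFFF -> -1. */
    return (long)(int32_t)x;
}

/* The unchecked computation: "room for the data plus a NUL byte". With
 * data_size == -1 this yields 0, i.e. an allocation that is far too small
 * for a later read of data_size bytes. */
size_t naive_alloc_size(long data_size)
{
    return (size_t)(data_size + 1);
}

/* Defensive check for a length field taken from an untrusted header.
 * Returns true only if allocating data_size + 1 bytes and reading
 * data_size bytes at `offset` from an archive of `archive_len` bytes
 * is sound. Each condition is a separate failure mode. */
bool data_size_is_safe(long data_size, long offset, long archive_len)
{
    if (data_size < 0)                      /* negative: wraps to a huge size_t */
        return false;
    if (data_size > LONG_MAX - 1)           /* data_size + 1 would overflow */
        return false;
    if (offset < 0 || offset > archive_len) /* offset itself is untrusted */
        return false;
    if (data_size > archive_len - offset)   /* read would run past end of file */
        return false;
    return true;
}

int main(void)
{
    /* Constructed header fields: size 10, and size 0xFFFFFFFF. */
    const unsigned char ten[4]   = {0x0a, 0x00, 0x00, 0x00};
    const unsigned char allff[4] = {0xff, 0xff, 0xff, 0xff};
    long archive_len = 100;

    long a = read_le32_signed(ten);    /* 10 */
    long b = read_le32_signed(allff);  /* -1 */

    printf("size field 10 -> naive alloc %zu, safe=%d\n",
           naive_alloc_size(a), data_size_is_safe(a, 0, archive_len));
    printf("size field -1 -> naive alloc %zu, safe=%d\n",
           naive_alloc_size(b), data_size_is_safe(b, 0, archive_len));
    /* A non-negative size that does not fit in the remaining file is
     * rejected too, which a negative-only check would miss. */
    printf("size 10 at offset 95 of 100 -> safe=%d\n",
           data_size_is_safe(10, 95, archive_len));
    return 0;
}
```

The point for a reviewer of the patch is the second and fourth conditions: rejecting data_size < 0 stops the -1 case, but a size that is merely larger than the bytes left in the file still lets a read overrun the buffer unless it is bounded against the archive length as well.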
