python-interpreters/python315
SHA256
7
0
Fork 0
forked from pool/python315
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Add CVE-2025-8291-consistency-zip64.patch

Browse Source
This commit is contained in:
Matej Cepl
2025-11-07 00:46:03 +01:00
parent d1ba494eb6
commit 179f7e291d
3 changed files with 35 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
CVE-2025-8291-consistency-zip64.patch Normal file
View File

@@ -0,0 +1,21 @@
From 8e208c6c06a38a008ac0c09781f9dc3cfdc26769 Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storchaka@gmail.com>
Date: Wed, 24 Sep 2025 20:56:01 +0300
Subject: [PATCH] gh-139700: Check consistency of the zip64 end of central
directory record
Support records with "zip64 extensible data" if there are no bytes
prepended to the ZIP file.
---
Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst | 3 +++
1 file changed, 3 insertions(+)
create mode 100644 Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
Index: Python-3.15.0a1/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.15.0a1/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst 2025-11-07 00:32:39.141440720 +0100
@@ -0,0 +1,3 @@
+Check consistency of the zip64 end of central directory record. Support
+records with "zip64 extensible data" if there are no bytes prepended to the
+ZIP file.

11
python315.changes
View File

@@ -1,3 +1,14 @@
-------------------------------------------------------------------
Thu Nov 6 23:45:56 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
- Add CVE-2025-8291-consistency-zip64.patch which checks
consistency of the zip64 end of central directory record, and
preventing obfuscation of the payload, i.e., you scanning for
malicious content in a ZIP file with one ZIP parser (let's say
a Rust one) then unpack it in production with another (e.g.,
the Python one) and get malicious content that the other parser
did not see (CVE-2025-8291, bsc#1251305)
-------------------------------------------------------------------
Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl <mcepl@cepl.eu>

3
python315.spec
View File

@@ -224,6 +224,9 @@ Patch40: fix-test-recursion-limit-15.6.patch
Patch41: bsc1243155-sphinx-non-determinism.patch
# PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com
Patch42: gh139257-Support-docutils-0.22.patch
# PATCH-FIX-UPSTREAM CVE-2025-8291-consistency-zip64.patch bsc#1251305 mcepl@suse.com
# Check consistency of the zip64 end of central directory record
Patch43: CVE-2025-8291-consistency-zip64.patch
#### Python 3.15 DEVELOPMENT PATCHES
BuildRequires: autoconf-archive
BuildRequires: automake