From 179f7e291de526023c26176e49a0be1965638e07555678784500c5bdce58ff28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= Date: Fri, 7 Nov 2025 00:46:03 +0100 Subject: [PATCH] Add CVE-2025-8291-consistency-zip64.patch --- CVE-2025-8291-consistency-zip64.patch | 21 +++++++++++++++++++++ python315.changes | 11 +++++++++++ python315.spec | 3 +++ 3 files changed, 35 insertions(+) create mode 100644 CVE-2025-8291-consistency-zip64.patch diff --git a/CVE-2025-8291-consistency-zip64.patch b/CVE-2025-8291-consistency-zip64.patch new file mode 100644 index 0000000..dfb0b51 --- /dev/null +++ b/CVE-2025-8291-consistency-zip64.patch @@ -0,0 +1,21 @@ +From 8e208c6c06a38a008ac0c09781f9dc3cfdc26769 Mon Sep 17 00:00:00 2001 +From: Serhiy Storchaka +Date: Wed, 24 Sep 2025 20:56:01 +0300 +Subject: [PATCH] gh-139700: Check consistency of the zip64 end of central + directory record + +Support records with "zip64 extensible data" if there are no bytes +prepended to the ZIP file. +--- + Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst | 3 +++ + 1 file changed, 3 insertions(+) + create mode 100644 Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst + +Index: Python-3.15.0a1/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ Python-3.15.0a1/Misc/NEWS.d/next/Security/2025-10-07-19-31-34.gh-issue-139700.vNHU1O.rst 2025-11-07 00:32:39.141440720 +0100 +@@ -0,0 +1,3 @@ ++Check consistency of the zip64 end of central directory record. Support ++records with "zip64 extensible data" if there are no bytes prepended to the ++ZIP file. diff --git a/python315.changes b/python315.changes index 6521080..dfed2b4 100644 --- a/python315.changes +++ b/python315.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Thu Nov 6 23:45:56 UTC 2025 - Matej Cepl + +- Add CVE-2025-8291-consistency-zip64.patch which checks + consistency of the zip64 end of central directory record, and + preventing obfuscation of the payload, i.e., you scanning for + malicious content in a ZIP file with one ZIP parser (let's say + a Rust one) then unpack it in production with another (e.g., + the Python one) and get malicious content that the other parser + did not see (CVE-2025-8291, bsc#1251305) + ------------------------------------------------------------------- Fri Oct 24 21:45:47 UTC 2025 - Matej Cepl diff --git a/python315.spec b/python315.spec index 375cd31..2ae46ac 100644 --- a/python315.spec +++ b/python315.spec @@ -224,6 +224,9 @@ Patch40: fix-test-recursion-limit-15.6.patch Patch41: bsc1243155-sphinx-non-determinism.patch # PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com Patch42: gh139257-Support-docutils-0.22.patch +# PATCH-FIX-UPSTREAM CVE-2025-8291-consistency-zip64.patch bsc#1251305 mcepl@suse.com +# Check consistency of the zip64 end of central directory record +Patch43: CVE-2025-8291-consistency-zip64.patch #### Python 3.15 DEVELOPMENT PATCHES BuildRequires: autoconf-archive BuildRequires: automake