git: 013edbc0a89f - main - lang/python314: Security update + other fixes
Date: Thu, 16 Apr 2026 21:38:39 UTC
The branch main has been updated by diizzy:
URL: https://cgit.FreeBSD.org/ports/commit/?id=013edbc0a89fc65ca15a5a9b49ef9056859f69db
commit 013edbc0a89fc65ca15a5a9b49ef9056859f69db
Author: Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2026-04-13 00:10:42 +0000
Commit: Daniel Engberg <diizzy@FreeBSD.org>
CommitDate: 2026-04-16 21:38:32 +0000
lang/python314: Security update + other fixes
Fix a critical use-after-free bug in the LZMA/BZ2/ZLib decompressor routines,
triggered when a decompressor instance is reused after one of its calls raised
a MemoryError.
While here:
- fix DEBUG build/package (several %%ABI%% were in the wrong place
in pkg-plist that caused failed installs)
- switch to using system textproc/expat2 library
- issue warnings in pre-test that IPV6, PYMALLOC are required and
DEBUG also breaks one self-test
- bump PORTREVISION
- drop LTOFULL again and make LTO use =full
References:
https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3
https://www.cve.org/CVERecord?id=CVE-2026-6100
https://github.com/python/cpython/pull/148396
Obtained from: GitHub repo
https://github.com/python/cpython/commit/c8d8173c4b06d06902c99ec010ad785a30952880
Security: CVE-2026-6100
b8e9f33c-375d-11f1-a119-e36228bfe7d4
---
lang/python314/Makefile | 29 ++++++----
...tch-gh-148395-fix-possible-uaf-in-decompressors | 65 ++++++++++++++++++++++
lang/python314/pkg-plist | 42 +++++++-------
3 files changed, 104 insertions(+), 32 deletions(-)
diff --git a/lang/python314/Makefile b/lang/python314/Makefile
index 6830b8f512e0..ed0a5c6cb643 100644
--- a/lang/python314/Makefile
+++ b/lang/python314/Makefile
@@ -1,5 +1,6 @@
PORTNAME= python
DISTVERSION= ${PYTHON_DISTVERSION} # see Makefile.version
+PORTREVISION= 1
CATEGORIES= lang python
MASTER_SITES= PYTHON/ftp/python/${DISTVERSION:C/[a-z].*//}
PKGNAMESUFFIX= ${PYTHON_SUFFIX}
@@ -12,7 +13,8 @@ WWW= https://www.python.org/
LICENSE= PSFL
-LIB_DEPENDS= libffi.so:devel/libffi \
+LIB_DEPENDS= libexpat.so:textproc/expat2 \
+ libffi.so:devel/libffi \
libzstd.so:archivers/zstd
USES= compiler:c11 cpe ncurses pathfix pkgconfig readline \
@@ -32,7 +34,7 @@ PYTHON_VERSION= python${PYTHON_VER}
PYTHON_SUFFIX= ${PYTHON_VER:S/.//g}
DISABLED_EXTENSIONS= _gdbm _sqlite3 _tkinter
-CONFIGURE_ARGS+= --enable-shared --without-ensurepip
+CONFIGURE_ARGS+= --enable-shared --without-ensurepip --with-system-expat
CONFIGURE_ENV+= OPT="" # Null out OPT to respect user CFLAGS and remove optimizations
INSTALL_TARGET= altinstall # Don't want cloberring of unprefixed files
@@ -54,13 +56,12 @@ PLIST_SUB= ABI=${ABIFLAGS} \
XYZDOT=${DISTVERSION:C/[a-z].*//} \
OSMAJOR=${OSVERSION:C/([0-9]*)[0-9]{5}/\1/} # For plat-freebsd* in pkg-plist. https://bugs.python.org/issue19554
-OPTIONS_DEFINE= DEBUG IPV6 LIBMPDEC NLS PYMALLOC
+OPTIONS_DEFINE= DEBUG IPV6 LIBMPDEC LTO NLS PYMALLOC
OPTIONS_DEFAULT= LIBMPDEC LTO PYMALLOC
-OPTIONS_EXCLUDE_powerpc64= LTO LTOFULL
-OPTIONS_EXCLUDE_riscv64= LTO LTOFULL
-OPTIONS_RADIO= HASH LTO
+OPTIONS_EXCLUDE_powerpc64= LTO
+OPTIONS_EXCLUDE_riscv64= LTO
+OPTIONS_RADIO= HASH
OPTIONS_RADIO_HASH= FNV SIPHASH
-OPTIONS_RADIO_LTO= LTO LTOFULL
OPTIONS_SUB= yes
LIBMPDEC_DESC= Use libmpdec from ports instead of bundled version
@@ -82,8 +83,7 @@ IPV6_CONFIGURE_ENABLE= ipv6
LIBMPDEC_CONFIGURE_ON= --with-system-libmpdec
LIBMPDEC_LIB_DEPENDS= libmpdec.so:math/mpdecimal
-LTO_CONFIGURE_ON= --with-lto
-LTOFULL_CONFIGURE_ON= --with-lto=full
+LTO_CONFIGURE_ON= --with-lto=full
# Use CPPFLAGS over CFLAGS due to -I ordering, causing elementtree and pyexpat
# to break in Python 2.7, or preprocessor complaints in Python >= 3.3
@@ -133,7 +133,6 @@ post-patch:
# disable the detection of includes and library from e2fsprogs-libuuid,
# which introduces hidden dependency and breaks build
@${REINPLACE_CMD} -e 's|uuid/uuid.h|ignore_&|' ${WRKSRC}/configure
-
# disable detection of multiarch as it breaks with clang >= 13, which adds a
# major.minor version number in -print-multiarch output, confusing Python
@${REINPLACE_CMD} -e 's|^\( *MULTIARCH=\).*--print-multiarch.*|\1|' ${WRKSRC}/configure
@@ -142,6 +141,8 @@ post-patch:
. for _module in ${DISABLED_EXTENSIONS}
@${ECHO_CMD} ${_module} >> ${WRKSRC}/Modules/Setup.local
. endfor
+# Strip Expat module
+ ${RM} -R ${WRKSRC}/Modules/expat
post-install:
.if ! ${PORT_OPTIONS:MDEBUG}
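Review bot: The new `${RM} -R ${WRKSRC}/Modules/expat` line carries a comment that says what it does but not why; since the purpose of this commit is to build against textproc/expat2 so the port follows that library's security updates, a comment such as `# Remove the bundled expat copy so the build can only use textproc/expat2 (--with-system-expat)` would keep a later maintainer from restoring the directory. It is also the only recipe line in this block without the leading `@` that the surrounding `${ECHO_CMD}` and `${REINPLACE_CMD}` lines use, which is a style inconsistency rather than a defect. The post-patch target begins before the hunk.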
@@ -185,10 +186,16 @@ pre-test:
@${ECHO_CMD} "=== NOTE: the py314-* gdbm, sqlite3, tkinter modules must be rebuilt before the test ==="
.if ${PORT_OPTIONS:MDEBUG}
@${ECHO_CMD} "=== NOTE: The test_ssl test is known to fail with DEBUG option enabled ==="
+.endif
+.if empty(PORT_OPTIONS:MIPV6)
+ @${ECHO_CMD} "=== NOTE: Some asynch tests require IPV6 support enabled, expect some test failures ==="
+.endif
+.if empty(PORT_OPTIONS:MPYMALLOC)
+ @${ECHO_CMD} "=== NOTE: Some tests depend on PYMALLOC option enabled, expect some test failures ==="
.endif
sleep 5
post-clean:
- ${RM} ${_sigstorebundle}
+ @${RM} ${_sigstorebundle}
.include <bsd.port.mk>
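Review bot: The two added conditionals use `.if empty(PORT_OPTIONS:MIPV6)` and `.if empty(PORT_OPTIONS:MPYMALLOC)` while the adjacent `.if ${PORT_OPTIONS:MDEBUG}` and the `.if ! ${PORT_OPTIONS:MDEBUG}` in post-install use the modifier-in-variable form; both are valid bmake, but mixing them in one target is a style point, and `.if ! ${PORT_OPTIONS:MIPV6}` / `.if ! ${PORT_OPTIONS:MPYMALLOC}` would match the rest of the file. The IPV6 message spells it `asynch`, which reads as a typo for `async` (or `asyncio`, if that is the test module meant). The commit message describes these options as required, but the recipe only prints a note before the 5-second sleep; if the suite genuinely cannot pass without them, the wording should say so. The pre-test target starts before the hunk.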
diff --git a/lang/python314/files/patch-gh-148395-fix-possible-uaf-in-decompressors b/lang/python314/files/patch-gh-148395-fix-possible-uaf-in-decompressors
new file mode 100644
index 000000000000..d5532033752e
--- /dev/null
+++ b/lang/python314/files/patch-gh-148395-fix-possible-uaf-in-decompressors
@@ -0,0 +1,65 @@
+From c8d8173c4b06d06902c99ec010ad785a30952880 Mon Sep 17 00:00:00 2001
+From: Stan Ulbrych <stan@python.org>
+Date: Mon, 13 Apr 2026 02:14:54 +0100
+Subject: [PATCH] gh-148395: Fix a possible UAF in
+ `{LZMA,BZ2,_Zlib}Decompressor` (GH-148396)
+
+Fix dangling input pointer after `MemoryError` in _lzma/_bz2/_ZlibDecompressor.decompress
+(cherry picked from commit 8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2)
+
+Co-authored-by: Stan Ulbrych <stan@python.org>
+---
+ .../Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst | 5 +++++
+ Modules/_bz2module.c | 1 +
+ Modules/_lzmamodule.c | 1 +
+ Modules/zlibmodule.c | 1 +
+ 4 files changed, 8 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
+
+diff --git a/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
+new file mode 100644
+index 00000000000000..9502189ab199c1
+--- /dev/null
++++ ./Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
+@@ -0,0 +1,5 @@
++Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
++:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor`
++when memory allocation fails with :exc:`MemoryError`, which could let a
++subsequent :meth:`!decompress` call read or write through a stale pointer to
++the already-released caller buffer.
+diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
+index 9e85e0de42cd8d..055ce82e7d2863 100644
+--- ./Modules/_bz2module.c
++++ b/Modules/_bz2module.c
+@@ -593,6 +593,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len, Py_ssize_t max_length)
+ return result;
+
+ error:
++ bzs->next_in = NULL;
+ Py_XDECREF(result);
+ return NULL;
+ }
+diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c
+index 462c2181fa6036..6785dc56730c5c 100644
+--- ./Modules/_lzmamodule.c
++++ b/Modules/_lzmamodule.c
+@@ -1120,6 +1120,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len, Py_ssize_t max_length)
+ return result;
+
+ error:
++ lzs->next_in = NULL;
+ Py_XDECREF(result);
+ return NULL;
+ }
+diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c
+index 5b6b0c5cac864a..a86aa5fdbb576c 100644
+--- ./Modules/zlibmodule.c
++++ b/Modules/zlibmodule.c
+@@ -1675,6 +1675,7 @@ decompress(ZlibDecompressor *self, uint8_t *data,
+ return result;
+
+ error:
++ self->zst.next_in = NULL;
+ Py_XDECREF(result);
+ return NULL;
+ }
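Review bot: The three `error:` paths now clear `next_in`, but nothing in the hunk resets `avail_in`, so the fix relies on the next `decompress()` entry either reassigning `next_in`/`avail_in` before use or treating a NULL `next_in` as "no buffered input"; that logic is outside the hunk in all three modules, so it is worth confirming rather than assuming — a stale nonzero `avail_in` paired with a NULL pointer would turn the dangling read into a NULL dereference, a safer failure but still a crash. The backported patch carries no regression test; if the upstream PR includes one under Lib/test, pulling it into this patch file would let `make test` exercise the decompress-after-MemoryError path on FreeBSD. The `---`/`+++` headers mix `./` and `b/` prefixes, which presumably was done so the patch applies with the ports framework's default strip level, but a one-line comment at the top of the file saying so would spare the next person who regenerates it from upstream.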
diff --git a/lang/python314/pkg-plist b/lang/python314/pkg-plist
index b529fcd0dd41..b5fe9727f492 100644
--- a/lang/python314/pkg-plist
+++ b/lang/python314/pkg-plist
@@ -363,9 +363,9 @@ lib/python%%XYDOT%%/__pycache__/_sitebuiltins.cpython-%%XY%%.pyc
lib/python%%XYDOT%%/__pycache__/_strptime.cpython-%%XY%%.opt-1.pyc
lib/python%%XYDOT%%/__pycache__/_strptime.cpython-%%XY%%.opt-2.pyc
lib/python%%XYDOT%%/__pycache__/_strptime.cpython-%%XY%%.pyc
-lib/python%%XYDOT%%/__pycache__/_sysconfigdata__freebsd_.cpython-%%XY%%.opt-1.pyc
-lib/python%%XYDOT%%/__pycache__/_sysconfigdata__freebsd_.cpython-%%XY%%.opt-2.pyc
-lib/python%%XYDOT%%/__pycache__/_sysconfigdata__freebsd_.cpython-%%XY%%.pyc
+lib/python%%XYDOT%%/__pycache__/_sysconfigdata_%%ABI%%_freebsd_.cpython-%%XY%%.opt-1.pyc
+lib/python%%XYDOT%%/__pycache__/_sysconfigdata_%%ABI%%_freebsd_.cpython-%%XY%%.opt-2.pyc
+lib/python%%XYDOT%%/__pycache__/_sysconfigdata_%%ABI%%_freebsd_.cpython-%%XY%%.pyc
lib/python%%XYDOT%%/__pycache__/_threading_local.cpython-%%XY%%.opt-1.pyc
lib/python%%XYDOT%%/__pycache__/_threading_local.cpython-%%XY%%.opt-2.pyc
lib/python%%XYDOT%%/__pycache__/_threading_local.cpython-%%XY%%.pyc
@@ -882,8 +882,8 @@ lib/python%%XYDOT%%/_pyrepl/windows_console.py
lib/python%%XYDOT%%/_pyrepl/windows_eventqueue.py
lib/python%%XYDOT%%/_sitebuiltins.py
lib/python%%XYDOT%%/_strptime.py
-lib/python%%XYDOT%%/_sysconfig_vars__freebsd_.json
-lib/python%%XYDOT%%/_sysconfigdata__freebsd_.py
+lib/python%%XYDOT%%/_sysconfig_vars_%%ABI%%_freebsd_.json
+lib/python%%XYDOT%%/_sysconfigdata_%%ABI%%_freebsd_.py
lib/python%%XYDOT%%/_threading_local.py
lib/python%%XYDOT%%/_weakrefset.py
lib/python%%XYDOT%%/abc.py
@@ -1120,18 +1120,18 @@ lib/python%%XYDOT%%/concurrent/interpreters/__pycache__/_queues.cpython-%%XY%%.o
lib/python%%XYDOT%%/concurrent/interpreters/__pycache__/_queues.cpython-%%XY%%.pyc
lib/python%%XYDOT%%/concurrent/interpreters/_crossinterp.py
lib/python%%XYDOT%%/concurrent/interpreters/_queues.py
-lib/python%%XYDOT%%/config-%%XYDOT%%/Makefile
-lib/python%%XYDOT%%/config-%%XYDOT%%/Setup
-lib/python%%XYDOT%%/config-%%XYDOT%%/Setup.bootstrap
-lib/python%%XYDOT%%/config-%%XYDOT%%/Setup.local
-lib/python%%XYDOT%%/config-%%XYDOT%%/Setup.stdlib
-lib/python%%XYDOT%%/config-%%XYDOT%%/config.c
-lib/python%%XYDOT%%/config-%%XYDOT%%/config.c.in
-lib/python%%XYDOT%%/config-%%XYDOT%%/install-sh
-lib/python%%XYDOT%%/config-%%XYDOT%%/libpython%%XYDOT%%%%ABI%%.a
-lib/python%%XYDOT%%/config-%%XYDOT%%/makesetup
-lib/python%%XYDOT%%/config-%%XYDOT%%/python-config.py
-lib/python%%XYDOT%%/config-%%XYDOT%%/python.o
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/Makefile
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/Setup
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/Setup.bootstrap
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/Setup.local
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/Setup.stdlib
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/config.c
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/config.c.in
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/install-sh
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/libpython%%XYDOT%%%%ABI%%.a
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/makesetup
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/python-config.py
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/python.o
lib/python%%XYDOT%%/configparser.py
lib/python%%XYDOT%%/contextlib.py
lib/python%%XYDOT%%/contextvars.py
@@ -2581,9 +2581,9 @@ lib/python%%XYDOT%%/lib-dynload/_elementtree.cpython-%%XY%%%%ABI%%.so
lib/python%%XYDOT%%/lib-dynload/_hmac.cpython-%%XY%%%%ABI%%.so
%%SUPPORTED_OPENSSL%%lib/python%%XYDOT%%/lib-dynload/_hashlib.cpython-%%XY%%%%ABI%%.so
lib/python%%XYDOT%%/lib-dynload/_heapq.cpython-%%XY%%%%ABI%%.so
-lib/python%%XYDOT%%/lib-dynload/_interpchannels.cpython-%%XY%%.so
-lib/python%%XYDOT%%/lib-dynload/_interpqueues.cpython-%%XY%%.so
-lib/python%%XYDOT%%/lib-dynload/_interpreters.cpython-%%XY%%.so
+lib/python%%XYDOT%%/lib-dynload/_interpchannels.cpython-%%XY%%%%ABI%%.so
+lib/python%%XYDOT%%/lib-dynload/_interpqueues.cpython-%%XY%%%%ABI%%.so
+lib/python%%XYDOT%%/lib-dynload/_interpreters.cpython-%%XY%%%%ABI%%.so
lib/python%%XYDOT%%/lib-dynload/_json.cpython-%%XY%%%%ABI%%.so
lib/python%%XYDOT%%/lib-dynload/_lsprof.cpython-%%XY%%%%ABI%%.so
lib/python%%XYDOT%%/lib-dynload/_lzma.cpython-%%XY%%%%ABI%%.so
@@ -8313,4 +8313,4 @@ lib/python%%XYDOT%%/zoneinfo/_tzpath.py
lib/python%%XYDOT%%/zoneinfo/_zoneinfo.py
libdata/pkgconfig/python-%%XYDOT%%-embed.pc
libdata/pkgconfig/python-%%XYDOT%%.pc
-share/man/man1/python%%XYDOT%%%%ABI%%.1.gz
+share/man/man1/python%%XYDOT%%.1.gz
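Review bot: The last hunk removes `%%ABI%%` from the man page entry while every other hunk in this file adds it; that is plausible if `altinstall` names the page without the ABI suffix regardless of build options, but it is the one line whose direction cannot be inferred from the pattern of the others, so it deserves a `make check-plist` both with and without DEBUG before being relied on. A short comment in the commit message (or a note next to the entry) stating that the man page name is ABI-independent would make the reason for the odd-one-out visible to future readers.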