[Bug 294486] lang/python314: needs fix for CVE-2026-6100 use-after-free in decompressors when reusing instances after MemoryError

Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 13 Apr 2026 17:53:18 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294486

Matthias Andree <mandree@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #269731|                            |maintainer-approval+
              Flags|                            |

--- Comment #2 from Matthias Andree <mandree@FreeBSD.org> ---
Created attachment 269731
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=269731&action=edit
update to 3.14.4_1 fixing CVE-2600-6100, DEBUG install + misc

    lang/python314: Security update + other fixes

    Fix critical use-after-free bug in LZMA/BZ2/ZLib decompressor routines
    when reusing decompressor instances after a MemoryError was raised from
    one. See
   
<https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3/>
    <https://www.cve.org/CVERecord?id=CVE-2026-6100>
    <https://github.com/python/cpython/pull/148396>

    Obtained from: 
https://github.com/python/cpython/commit/c8d8173c4b06d06902c99ec010ad785a30952880
    Security:       CVE-2026-6100
    Security:       b8e9f33c-375d-11f1-a119-e36228bfe7d4

    While here:

    - fix DEBUG build/package (several %%ABI%% were in the wrong place
      in pkg-plist that caused failed installs)
    - switch to using system textproc/expat2 library
    - issue warnings in pre-test that IPV6, PYMALLOC are required and
      DEBUG also breaks one self-test
    - bump PORTREVISION
    - drop LTOFULL again and make LTO use =full

-- 
You are receiving this mail because:
You are on the CC list for the bug.