[Bug 294486] lang/python314: needs fix for CVE-2026-6100 use-after-free in decompressors when reusing instances after MemoryError

Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 17 Apr 2026 09:04:20 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294486

--- Comment #5 from Matthias Andree <mandree@FreeBSD.org> ---
The branch main has been updated by diizzy:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=013edbc0a89fc65ca15a5a9b49ef9056859f69db

commit 013edbc0a89fc65ca15a5a9b49ef9056859f69db
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2026-04-13 00:10:42 +0000
Commit:     Daniel Engberg <diizzy@FreeBSD.org>
CommitDate: 2026-04-16 21:38:32 +0000

    lang/python314: Security update + other fixes

    Fix critical use-after-free bug in LZMA/BZ2/ZLib decompressor routines
    when reusing decompressor instances after a MemoryError was raised from
    one.

    While here:

    - fix DEBUG build/package (several %%ABI%% were in the wrong place
      in pkg-plist that caused failed installs)
    - switch to using system textproc/expat2 library
    - issue warnings in pre-test that IPV6, PYMALLOC are required and
      DEBUG also breaks one self-test
    - bump PORTREVISION
    - drop LTOFULL again and make LTO use =full

    References:
   
https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3
    https://www.cve.org/CVERecord?id=CVE-2026-6100
    https://github.com/python/cpython/pull/148396

    Obtained from:  GitHub repo
                   
https://github.com/python/cpython/commit/c8d8173c4b06d06902c99ec010ad785a30952880
    Security:       CVE-2026-6100
                    b8e9f33c-375d-11f1-a119-e36228bfe7d4

-- 
You are receiving this mail because:
You are on the CC list for the bug.