Security fix for CVE-2024-6232 (rhbz#2310092)

2024-09-05 12:19:31 +02:00 · 2024-09-05 12:19:31 +02:00 · d55a5b69cb
commit d55a5b69cb
parent d25952110e
2 changed files with 261 additions and 1 deletions
--- a/python3.6.spec
+++ b/python3.6.spec
@ -17,7 +17,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 36%{?dist}
+Release: 37%{?dist}
 # Python is Python
 # pip MIT is and bundles:
 #   appdirs: MIT
@ -764,6 +764,14 @@ Patch431: 00431-cve-2024-4032.patch
 # with Python 3.6 where we backported only one change.
 Patch435: 00435-gh-121650-encode-newlines-in-headers-and-verify.patch

+# 00437 # c1618bd3b415d9df1a2d050332220300d394ac5f
+# CVE-2024-6232 Remove backtracking when parsing tarfile headers
+#
+# * Remove backtracking when parsing tarfile headers
+# * Rewrite PAX header parsing to be stricter
+# * Optimize parsing of GNU extended sparse headers v0.0
+Patch437: 00437-cve-2024-6232-remove-backtracking-when-parsing-tarfile-headers.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -2033,6 +2041,9 @@ CheckPython optimized
 # ======================================================

 %changelog
+* Thu Sep 05 2024 Lumír Balhar <lbalhar@redhat.com> - 3.6.15-37
+- Security fix for CVE-2024-6232 (rhbz#2310092)
+
 * Wed Sep 04 2024 Miroslav Suchý <msuchy@redhat.com> - 3.6.15-36
 - convert license to SPDX