CVE-2016-5636

Priority
Description
Integer overflow in the get_data function in zipimport.c in CPython (aka
Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows
remote attackers to have unspecified impact via a negative data size value,
which triggers a heap-based buffer overflow.
Notes
 sbeattie> issue is fixed for xenial/python3.5 and xenial/python2.7
  for packages in xenial-updates, but not xenial-security
 sbeattie> may also need https://hg.python.org/cpython/rev/2edbdb79cd6d
  (see comment on python bug above) for pre-2.7.8 code and possibly 3.x
  code.
Package
Upstream: released (2.7.12~rc1-1)
Ubuntu 12.04 ESM (Precise Pangolin): released (2.7.3-0ubuntu3.9)
Ubuntu 14.04 LTS (Trusty Tahr): released (2.7.6-8ubuntu0.3)
Ubuntu 16.04 LTS (Xenial Xerus): released (2.7.12-1ubuntu0~16.04.1)
Patches:
Upstream: https://hg.python.org/cpython/rev/985fc64c60d6
Upstream: https://hg.python.org/cpython/rev/2edbdb79cd6d
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was released [3.2.3-0ubuntu3.8])
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): released (3.4.3-1ubuntu1~14.04.5)
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Patches:
Upstream: https://hg.python.org/cpython/rev/01ddd608b85c
Upstream: https://hg.python.org/cpython/rev/8b58c9328f5c
Package
Upstream: released (3.5.2~rc1-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): needs-triage
Ubuntu 16.04 LTS (Xenial Xerus): released (3.5.2-2ubuntu0~16.04.1)
Patches:
Upstream: https://hg.python.org/cpython/rev/10dad6da1b28
More Information

Updated: 2018-10-31 21:24:05 UTC (commit cfa7cf69d76449ccff972ac22f40976a08d908c2)