lang/python314: Security update + other fixes

mandree · Daniel Engberg · commit 013edbc0a89f · 2026-04-16T23:38:32.000+02:00
Fix critical use-after-free bug in LZMA/BZ2/ZLib decompressor routines when reusing decompressor instances after a MemoryError was raised from one. While here: - fix DEBUG build/package (several %%ABI%% were in the wrong place in pkg-plist that caused failed installs) - switch to using system textproc/expat2 library - issue warnings in pre-test that IPV6, PYMALLOC are required and DEBUG also breaks one self-test - bump PORTREVISION - drop LTOFULL again and make LTO use =full References: https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3 https://www.cve.org/CVERecord?id=CVE-2026-6100 python/cpython#148396 Obtained from: GitHub repo python/cpython@c8d8173 Security: CVE-2026-6100 b8e9f33c-375d-11f1-a119-e36228bfe7d4
diff --git a/lang/python314/Makefile b/lang/python314/Makefile
@@ -1,5 +1,6 @@
 PORTNAME=	python
 DISTVERSION=	${PYTHON_DISTVERSION}  # see Makefile.version
+PORTREVISION=	1
 CATEGORIES=	lang python
 MASTER_SITES=	PYTHON/ftp/python/${DISTVERSION:C/[a-z].*//}
 PKGNAMESUFFIX=	${PYTHON_SUFFIX}
@@ -12,7 +13,8 @@ WWW=		https://www.python.org/
 
 LICENSE=	PSFL
 
-LIB_DEPENDS=	libffi.so:devel/libffi \
+LIB_DEPENDS=	libexpat.so:textproc/expat2 \
+		libffi.so:devel/libffi \
 		libzstd.so:archivers/zstd
 
 USES=		compiler:c11 cpe ncurses pathfix pkgconfig readline \
@@ -32,7 +34,7 @@ PYTHON_VERSION=		python${PYTHON_VER}
 PYTHON_SUFFIX=		${PYTHON_VER:S/.//g}
 
 DISABLED_EXTENSIONS=	 _gdbm _sqlite3 _tkinter
-CONFIGURE_ARGS+=	--enable-shared --without-ensurepip
+CONFIGURE_ARGS+=	--enable-shared --without-ensurepip --with-system-expat
 CONFIGURE_ENV+=		OPT="" # Null out OPT to respect user CFLAGS and remove optimizations
 
 INSTALL_TARGET=		altinstall						# Don't want cloberring of unprefixed files
@@ -54,13 +56,12 @@ PLIST_SUB=		ABI=${ABIFLAGS} \
 			XYZDOT=${DISTVERSION:C/[a-z].*//} \
 			OSMAJOR=${OSVERSION:C/([0-9]*)[0-9]{5}/\1/}		# For plat-freebsd* in pkg-plist. https://bugs.python.org/issue19554
 
-OPTIONS_DEFINE=		DEBUG IPV6 LIBMPDEC NLS PYMALLOC
+OPTIONS_DEFINE=		DEBUG IPV6 LIBMPDEC LTO NLS PYMALLOC
 OPTIONS_DEFAULT=	LIBMPDEC LTO PYMALLOC
-OPTIONS_EXCLUDE_powerpc64=	LTO LTOFULL
-OPTIONS_EXCLUDE_riscv64=	LTO LTOFULL
-OPTIONS_RADIO=		HASH LTO
+OPTIONS_EXCLUDE_powerpc64=	LTO
+OPTIONS_EXCLUDE_riscv64=	LTO
+OPTIONS_RADIO=		HASH
 OPTIONS_RADIO_HASH=	FNV SIPHASH
-OPTIONS_RADIO_LTO=	LTO LTOFULL
 OPTIONS_SUB=		yes
 
 LIBMPDEC_DESC=		Use libmpdec from ports instead of bundled version
@@ -82,8 +83,7 @@ IPV6_CONFIGURE_ENABLE=	ipv6
 LIBMPDEC_CONFIGURE_ON=	--with-system-libmpdec
 LIBMPDEC_LIB_DEPENDS=	libmpdec.so:math/mpdecimal
 
-LTO_CONFIGURE_ON=	--with-lto
-LTOFULL_CONFIGURE_ON=	--with-lto=full
+LTO_CONFIGURE_ON=	--with-lto=full
 
 # Use CPPFLAGS over CFLAGS due to -I ordering, causing elementtree and pyexpat
 # to break in Python 2.7, or preprocessor complaints in Python >= 3.3
@@ -133,7 +133,6 @@ post-patch:
 # disable the detection of includes and library from e2fsprogs-libuuid,
 # which introduces hidden dependency and breaks build
 	@${REINPLACE_CMD} -e 's|uuid/uuid.h|ignore_&|' ${WRKSRC}/configure
-
 # disable detection of multiarch as it breaks with clang >= 13, which adds a
 # major.minor version number in -print-multiarch output, confusing Python
 	@${REINPLACE_CMD} -e 's|^\( *MULTIARCH=\).*--print-multiarch.*|\1|' ${WRKSRC}/configure
@@ -142,6 +141,8 @@ post-patch:
 .  for _module in ${DISABLED_EXTENSIONS}
 		@${ECHO_CMD} ${_module} >> ${WRKSRC}/Modules/Setup.local
 .  endfor
+# Strip Expat module
+	${RM} -R ${WRKSRC}/Modules/expat
 
 post-install:
 .if ! ${PORT_OPTIONS:MDEBUG}
@@ -185,10 +186,16 @@ pre-test:
 	@${ECHO_CMD} "=== NOTE: the py314-* gdbm, sqlite3, tkinter modules must be rebuilt before the test ==="
 .if ${PORT_OPTIONS:MDEBUG}
 	@${ECHO_CMD} "=== NOTE: The test_ssl test is known to fail with DEBUG option enabled ==="
+.endif
+.if empty(PORT_OPTIONS:MIPV6)
+	@${ECHO_CMD} "=== NOTE: Some asynch tests require IPV6 support enabled, expect some test failures ==="
+.endif
+.if empty(PORT_OPTIONS:MPYMALLOC)
+	@${ECHO_CMD} "=== NOTE: Some tests depend on PYMALLOC option enabled, expect some test failures ==="
 .endif
 	sleep 5
 
 post-clean:
-	${RM} ${_sigstorebundle}
+	@${RM} ${_sigstorebundle}
 
 .include <bsd.port.mk>
diff --git a/lang/python314/files/patch-gh-148395-fix-possible-uaf-in-decompressors b/lang/python314/files/patch-gh-148395-fix-possible-uaf-in-decompressors
@@ -0,0 +1,65 @@
+From c8d8173c4b06d06902c99ec010ad785a30952880 Mon Sep 17 00:00:00 2001
+From: Stan Ulbrych <stan@python.org>
+Date: Mon, 13 Apr 2026 02:14:54 +0100
+Subject: [PATCH] gh-148395: Fix a possible UAF in
+ `{LZMA,BZ2,_Zlib}Decompressor` (GH-148396)
+
+Fix dangling input pointer after `MemoryError` in _lzma/_bz2/_ZlibDecompressor.decompress
+(cherry picked from commit 8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2)
+
+Co-authored-by: Stan Ulbrych <stan@python.org>
+---
+ .../Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst  | 5 +++++
+ Modules/_bz2module.c                                         | 1 +
+ Modules/_lzmamodule.c                                        | 1 +
+ Modules/zlibmodule.c                                         | 1 +
+ 4 files changed, 8 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
+
+diff --git a/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
+new file mode 100644
+index 00000000000000..9502189ab199c1
+--- /dev/null
++++ ./Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
+@@ -0,0 +1,5 @@
++Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
++:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor`
++when memory allocation fails with :exc:`MemoryError`, which could let a
++subsequent :meth:`!decompress` call read or write through a stale pointer to
++the already-released caller buffer.
+diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
+index 9e85e0de42cd8d..055ce82e7d2863 100644
+--- ./Modules/_bz2module.c
++++ b/Modules/_bz2module.c
+@@ -593,6 +593,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len, Py_ssize_t max_length)
+     return result;
+ 
+ error:
++    bzs->next_in = NULL;
+     Py_XDECREF(result);
+     return NULL;
+ }
+diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c
+index 462c2181fa6036..6785dc56730c5c 100644
+--- ./Modules/_lzmamodule.c
++++ b/Modules/_lzmamodule.c
+@@ -1120,6 +1120,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len, Py_ssize_t max_length)
+     return result;
+ 
+ error:
++    lzs->next_in = NULL;
+     Py_XDECREF(result);
+     return NULL;
+ }
+diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c
+index 5b6b0c5cac864a..a86aa5fdbb576c 100644
+--- ./Modules/zlibmodule.c
++++ b/Modules/zlibmodule.c
+@@ -1675,6 +1675,7 @@ decompress(ZlibDecompressor *self, uint8_t *data,
+     return result;
+ 
+ error:
++    self->zst.next_in = NULL;
+     Py_XDECREF(result);
+     return NULL;
+ }
diff --git a/lang/python314/pkg-plist b/lang/python314/pkg-plist
@@ -363,9 +363,9 @@ lib/python%%XYDOT%%/__pycache__/_sitebuiltins.cpython-%%XY%%.pyc
 lib/python%%XYDOT%%/__pycache__/_strptime.cpython-%%XY%%.opt-1.pyc
 lib/python%%XYDOT%%/__pycache__/_strptime.cpython-%%XY%%.opt-2.pyc
 lib/python%%XYDOT%%/__pycache__/_strptime.cpython-%%XY%%.pyc
-lib/python%%XYDOT%%/__pycache__/_sysconfigdata__freebsd_.cpython-%%XY%%.opt-1.pyc
-lib/python%%XYDOT%%/__pycache__/_sysconfigdata__freebsd_.cpython-%%XY%%.opt-2.pyc
-lib/python%%XYDOT%%/__pycache__/_sysconfigdata__freebsd_.cpython-%%XY%%.pyc
+lib/python%%XYDOT%%/__pycache__/_sysconfigdata_%%ABI%%_freebsd_.cpython-%%XY%%.opt-1.pyc
+lib/python%%XYDOT%%/__pycache__/_sysconfigdata_%%ABI%%_freebsd_.cpython-%%XY%%.opt-2.pyc
+lib/python%%XYDOT%%/__pycache__/_sysconfigdata_%%ABI%%_freebsd_.cpython-%%XY%%.pyc
 lib/python%%XYDOT%%/__pycache__/_threading_local.cpython-%%XY%%.opt-1.pyc
 lib/python%%XYDOT%%/__pycache__/_threading_local.cpython-%%XY%%.opt-2.pyc
 lib/python%%XYDOT%%/__pycache__/_threading_local.cpython-%%XY%%.pyc
@@ -882,8 +882,8 @@ lib/python%%XYDOT%%/_pyrepl/windows_console.py
 lib/python%%XYDOT%%/_pyrepl/windows_eventqueue.py
 lib/python%%XYDOT%%/_sitebuiltins.py
 lib/python%%XYDOT%%/_strptime.py
-lib/python%%XYDOT%%/_sysconfig_vars__freebsd_.json
-lib/python%%XYDOT%%/_sysconfigdata__freebsd_.py
+lib/python%%XYDOT%%/_sysconfig_vars_%%ABI%%_freebsd_.json
+lib/python%%XYDOT%%/_sysconfigdata_%%ABI%%_freebsd_.py
 lib/python%%XYDOT%%/_threading_local.py
 lib/python%%XYDOT%%/_weakrefset.py
 lib/python%%XYDOT%%/abc.py
@@ -1120,18 +1120,18 @@ lib/python%%XYDOT%%/concurrent/interpreters/__pycache__/_queues.cpython-%%XY%%.o
 lib/python%%XYDOT%%/concurrent/interpreters/__pycache__/_queues.cpython-%%XY%%.pyc
 lib/python%%XYDOT%%/concurrent/interpreters/_crossinterp.py
 lib/python%%XYDOT%%/concurrent/interpreters/_queues.py
-lib/python%%XYDOT%%/config-%%XYDOT%%/Makefile
-lib/python%%XYDOT%%/config-%%XYDOT%%/Setup
-lib/python%%XYDOT%%/config-%%XYDOT%%/Setup.bootstrap
-lib/python%%XYDOT%%/config-%%XYDOT%%/Setup.local
-lib/python%%XYDOT%%/config-%%XYDOT%%/Setup.stdlib
-lib/python%%XYDOT%%/config-%%XYDOT%%/config.c
-lib/python%%XYDOT%%/config-%%XYDOT%%/config.c.in
-lib/python%%XYDOT%%/config-%%XYDOT%%/install-sh
-lib/python%%XYDOT%%/config-%%XYDOT%%/libpython%%XYDOT%%%%ABI%%.a
-lib/python%%XYDOT%%/config-%%XYDOT%%/makesetup
-lib/python%%XYDOT%%/config-%%XYDOT%%/python-config.py
-lib/python%%XYDOT%%/config-%%XYDOT%%/python.o
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/Makefile
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/Setup
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/Setup.bootstrap
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/Setup.local
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/Setup.stdlib
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/config.c
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/config.c.in
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/install-sh
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/libpython%%XYDOT%%%%ABI%%.a
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/makesetup
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/python-config.py
+lib/python%%XYDOT%%/config-%%XYDOT%%%%ABI%%/python.o
 lib/python%%XYDOT%%/configparser.py
 lib/python%%XYDOT%%/contextlib.py
 lib/python%%XYDOT%%/contextvars.py
@@ -2581,9 +2581,9 @@ lib/python%%XYDOT%%/lib-dynload/_elementtree.cpython-%%XY%%%%ABI%%.so
 lib/python%%XYDOT%%/lib-dynload/_hmac.cpython-%%XY%%%%ABI%%.so
 %%SUPPORTED_OPENSSL%%lib/python%%XYDOT%%/lib-dynload/_hashlib.cpython-%%XY%%%%ABI%%.so
 lib/python%%XYDOT%%/lib-dynload/_heapq.cpython-%%XY%%%%ABI%%.so
-lib/python%%XYDOT%%/lib-dynload/_interpchannels.cpython-%%XY%%.so
-lib/python%%XYDOT%%/lib-dynload/_interpqueues.cpython-%%XY%%.so
-lib/python%%XYDOT%%/lib-dynload/_interpreters.cpython-%%XY%%.so
+lib/python%%XYDOT%%/lib-dynload/_interpchannels.cpython-%%XY%%%%ABI%%.so
+lib/python%%XYDOT%%/lib-dynload/_interpqueues.cpython-%%XY%%%%ABI%%.so
+lib/python%%XYDOT%%/lib-dynload/_interpreters.cpython-%%XY%%%%ABI%%.so
 lib/python%%XYDOT%%/lib-dynload/_json.cpython-%%XY%%%%ABI%%.so
 lib/python%%XYDOT%%/lib-dynload/_lsprof.cpython-%%XY%%%%ABI%%.so
 lib/python%%XYDOT%%/lib-dynload/_lzma.cpython-%%XY%%%%ABI%%.so
@@ -8313,4 +8313,4 @@ lib/python%%XYDOT%%/zoneinfo/_tzpath.py
 lib/python%%XYDOT%%/zoneinfo/_zoneinfo.py
 libdata/pkgconfig/python-%%XYDOT%%-embed.pc
 libdata/pkgconfig/python-%%XYDOT%%.pc
-share/man/man1/python%%XYDOT%%%%ABI%%.1.gz
+share/man/man1/python%%XYDOT%%.1.gz
