gh-148395: Fix a possible UAF in `{LZMA,BZ2,_Zlib}Decompressor` by StanFromIreland · Pull Request #148396 · python/cpython

StanFromIreland · 2026-04-11T17:36:41Z

Issue: [CVE-2026-6100] Possible UAF in {LZMA,BZ2,_Zlib}Decompressor #148395

…ompressor.decompress

emmatyping

Thank you for fixing this!

Lib/test/test_bz2.py

miss-islington-app · 2026-04-13T01:15:06Z

Thanks @StanFromIreland for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13.
🐍🍒⛏🤖 I'm not a witch! I'm not a witch!

miss-islington-app · 2026-04-13T01:15:06Z

Thanks @StanFromIreland for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.14.
🐍🍒⛏🤖

…pythonGH-148396) Fix dangling input pointer after `MemoryError` in _lzma/_bz2/_ZlibDecompressor.decompress (cherry picked from commit 8fc66ae) Co-authored-by: Stan Ulbrych <stan@python.org>

bedevere-app · 2026-04-13T01:15:13Z

GH-148479 is a backport of this pull request to the 3.13 branch.

…pythonGH-148396) Fix dangling input pointer after `MemoryError` in _lzma/_bz2/_ZlibDecompressor.decompress (cherry picked from commit 8fc66ae) Co-authored-by: Stan Ulbrych <stan@python.org>

bedevere-app · 2026-04-13T01:15:19Z

GH-148480 is a backport of this pull request to the 3.14 branch.

GH-148396) (#148479) gh-148395: Fix a possible UAF in `{LZMA,BZ2,_Zlib}Decompressor` (GH-148396) Fix dangling input pointer after `MemoryError` in _lzma/_bz2/_ZlibDecompressor.decompress (cherry picked from commit 8fc66ae) Co-authored-by: Stan Ulbrych <stan@python.org>

GH-148396) (#148480) gh-148395: Fix a possible UAF in `{LZMA,BZ2,_Zlib}Decompressor` (GH-148396) Fix dangling input pointer after `MemoryError` in _lzma/_bz2/_ZlibDecompressor.decompress (cherry picked from commit 8fc66ae) Co-authored-by: Stan Ulbrych <stan@python.org>

miss-islington-app · 2026-04-13T16:00:44Z

Thanks @StanFromIreland for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.10.
🐍🍒⛏🤖

miss-islington-app · 2026-04-13T16:00:44Z

Thanks @StanFromIreland for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.12.
🐍🍒⛏🤖 I'm not a witch! I'm not a witch!

miss-islington-app · 2026-04-13T16:00:44Z

Thanks @StanFromIreland for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.11.
🐍🍒⛏🤖

miss-islington-app · 2026-04-13T16:00:46Z

Sorry, @StanFromIreland and @gpshead, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2 3.10

…pythonGH-148396) Fix dangling input pointer after `MemoryError` in _lzma/_bz2/_ZlibDecompressor.decompress (cherry picked from commit 8fc66ae) Co-authored-by: Stan Ulbrych <stan@python.org>

bedevere-app · 2026-04-13T16:00:56Z

GH-148503 is a backport of this pull request to the 3.12 branch.

miss-islington-app · 2026-04-13T16:00:56Z

Sorry, @StanFromIreland and @gpshead, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2 3.11

…ressor` (pythonGH-148396) Fix dangling input pointer after `MemoryError` in _lzma/_bz2/_ZlibDecompressor.decompress (cherry picked from commit 8fc66ae) Co-authored-by: Stan Ulbrych <stan@python.org>

bedevere-app · 2026-04-13T16:10:29Z

GH-148504 is a backport of this pull request to the 3.11 branch.

…pythonGH-148396) Fix dangling input pointer after `MemoryError` in _lzma/_bz2/_ZlibDecompressor.decompress (cherry picked from commit 8fc66ae)

bedevere-app · 2026-04-13T16:24:29Z

GH-148505 is a backport of this pull request to the 3.10 branch.

miss-islington-app · 2026-04-13T17:17:11Z

Thanks @StanFromIreland for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.11.
🐍🍒⛏🤖

miss-islington-app · 2026-04-13T17:17:11Z

Thanks @StanFromIreland for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.10.
🐍🍒⛏🤖

miss-islington-app · 2026-04-13T17:17:13Z

Sorry, @StanFromIreland and @gpshead, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2 3.11

miss-islington-app · 2026-04-13T17:17:18Z

Sorry, @StanFromIreland and @gpshead, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2 3.10

sethmlarson · 2026-04-13T17:17:50Z

Apologies, I was working on an old version of the page without the 3.11/3.10 backports. Ignore the noise.

Fix critical use-after-free bug in LZMA/BZ2/ZLib decompressor routines when reusing decompressor instances after a MemoryError was raised from one. See <https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3/> <https://www.cve.org/CVERecord?id=CVE-2026-6100> <python/cpython#148396> Obtained from: python/cpython@c8d8173 Security: CVE-2026-6100 Security: b8e9f33c-375d-11f1-a119-e36228bfe7d4 While here: - fix DEBUG build/package (several %%ABI%% were in the wrong place in pkg-plist that caused failed installs) - switch to using system textproc/expat2 library - issue warnings in pre-test that IPV6, PYMALLOC are required and DEBUG also breaks one self-test - bump PORTREVISION - drop LTOFULL again and make LTO use =full

…148396) (#148505) Fix dangling input pointer after `MemoryError` in _lzma/_bz2/_ZlibDecompressor.decompress (cherry picked from commit 8fc66ae)

…148396) (#148504) Fix dangling input pointer after `MemoryError` in _lzma/_bz2/_ZlibDecompressor.decompress (cherry picked from commit 8fc66ae)

StanFromIreland added 3 commits April 10, 2026 15:31

Fix dangling input pointer after MemoryError in _lzma/_bz2/_ZlibDec…

b9bcc95

…ompressor.decompress

tests + news

ef544fa

Add issue num to news

a07683d

StanFromIreland requested a review from emmatyping April 11, 2026 17:36

bedevere-app bot added the awaiting core review label Apr 11, 2026

bedevere-app bot mentioned this pull request Apr 11, 2026

[CVE-2026-6100] Possible UAF in {LZMA,BZ2,_Zlib}Decompressor #148395

Open

emmatyping approved these changes Apr 11, 2026

View reviewed changes

bedevere-app bot added awaiting merge and removed awaiting core review labels Apr 11, 2026

picnixz changed the title ~~gh-148395: Fix a possible UAF in {LZMA, BZ2, _Zlib}Decompressor~~ gh-148395: Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor Apr 11, 2026

picnixz reviewed Apr 11, 2026

View reviewed changes

Lib/test/test_bz2.py Outdated Show resolved Hide resolved

Remove test

93adea3

StanFromIreland requested review from gpshead and picnixz April 12, 2026 08:08

gpshead approved these changes Apr 13, 2026

View reviewed changes

gpshead merged commit 8fc66ae into python:main Apr 13, 2026
54 checks passed

bedevere-app bot removed the awaiting merge label Apr 13, 2026

gpshead added awaiting merge needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels Apr 13, 2026

bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Apr 13, 2026

bedevere-app bot removed the needs backport to 3.14 bugs and security fixes label Apr 13, 2026

StanFromIreland added the needs backport to 3.12 only security fixes label Apr 13, 2026

miss-islington-app bot assigned gpshead Apr 13, 2026

bedevere-app bot removed the needs backport to 3.12 only security fixes label Apr 13, 2026

bedevere-app bot removed the needs backport to 3.11 only security fixes label Apr 13, 2026

bedevere-app bot removed the needs backport to 3.10 only security fixes label Apr 13, 2026

sethmlarson added type-security A security issue needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes labels Apr 13, 2026

StanFromIreland removed needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes labels Apr 13, 2026

xint-public-bug-mirror bot mentioned this pull request Apr 13, 2026

[CRITICAL] UAF in cpython affecting multiple decompressors theori-io/xint-public-bug-tracker#49

Open

Uh oh!

Conversation

StanFromIreland commented Apr 11, 2026 • edited by bedevere-app bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

emmatyping left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

miss-islington-app bot commented Apr 13, 2026

Uh oh!

miss-islington-app bot commented Apr 13, 2026

Uh oh!

bedevere-app bot commented Apr 13, 2026

Uh oh!

bedevere-app bot commented Apr 13, 2026

Uh oh!

miss-islington-app bot commented Apr 13, 2026

Uh oh!

miss-islington-app bot commented Apr 13, 2026

Uh oh!

miss-islington-app bot commented Apr 13, 2026

Uh oh!

miss-islington-app bot commented Apr 13, 2026

Uh oh!

bedevere-app bot commented Apr 13, 2026

Uh oh!

miss-islington-app bot commented Apr 13, 2026

Uh oh!

bedevere-app bot commented Apr 13, 2026

Uh oh!

bedevere-app bot commented Apr 13, 2026

Uh oh!

miss-islington-app bot commented Apr 13, 2026

Uh oh!

miss-islington-app bot commented Apr 13, 2026

Uh oh!

miss-islington-app bot commented Apr 13, 2026

Uh oh!

miss-islington-app bot commented Apr 13, 2026

Uh oh!

sethmlarson commented Apr 13, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

StanFromIreland commented Apr 11, 2026 •

edited by bedevere-app bot

Loading