.. _zipimporter-overflow:

zipimporter overflow
====================

.. warning::
   This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

   The `canonical database for vulnerabilities affecting Python `_ is available on GitHub in the Open Source Vulnerability (OSV) format.

   This vulnerability can be viewed online at the `Open Source Vulnerability Database `_.

Heap overflow in the ``zipimporter`` module.

Dates:

* Disclosure date: **2016-01-21** (Python issue bpo-26171 reported)

Fixed In
--------

* Python **2.7.12** (2016-06-25) fixed by `commit 64ea192 (branch 2.7) `_ (2016-01-21)
* Python **3.3.7** (2017-09-19) fixed by `commit d751040 (branch 3.3) `_ (2016-09-14)
* Python **3.4.5** (2016-06-25) fixed by `commit c4032da (branch 3.4) `_ (2016-01-21)
* Python **3.5.2** (2016-06-25) fixed by `commit c4032da (branch 3.4) `_ (2016-01-21)
* Python **3.6.0** (2016-12-22) fixed by `commit d751040 (branch 3.3) `_ (2016-09-14)

Python issue
------------

heap overflow in zipimporter module.

* Python issue: `bpo-26171 `_
* Creation date: 2016-01-21
* Reporter: Insu Yun

CVE-2016-5636
-------------

Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.

* CVE ID: `CVE-2016-5636 `_
* Published: 2016-09-02
* `CVSS Score `_: 10.0

Timeline
--------

Timeline using the disclosure date **2016-01-21** as reference:

* 2016-01-21: `Python issue bpo-26171 `_ reported by Insu Yun
* 2016-01-21: `commit 64ea192 (branch 2.7) `_
* 2016-01-21: `commit c4032da (branch 3.4) `_
* 2016-06-25 (**+156 days**): Python 2.7.12 released
* 2016-06-25 (**+156 days**): Python 3.4.5 released
* 2016-06-25 (**+156 days**): Python 3.5.2 released
* 2016-09-02 (**+225 days**): CVE-2016-5636 published
* 2016-09-14 (**+237 days**): `commit d751040 (branch 3.3) `_
* 2016-12-22 (**+336 days**): Python 3.6.0 released
* 2017-09-19 (**+607 days**): Python 3.3.7 released
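The CVE description above gives the mechanism in one sentence: a data size field read from a zip member header is treated as a signed value, a negative value survives the size arithmetic in ``get_data``, and the routine ends up with an allocation far smaller than the number of bytes it then reads into it. The block below is an added example, not CPython's ``zipimport.c`` and not the code from the commits listed above; it models that arithmetic on a constructed 4-byte size field and shows the sign check that rejects such input before anything is allocated. The helper names (``le32_signed``, ``plan_unchecked``, ``plan_checked``, ``copy_would_overflow``, ``copy_plan``) and the exact ``data_size + 1`` expression are illustrative assumptions; the program only computes what the copy *would* do and never performs the overflowing read.

```c
/* Added example (not CPython's zipimport.c): models how a negative "data size"
 * read from a zip member header makes a get_data-style routine allocate a
 * tiny buffer and then try to read a huge number of bytes into it, and the
 * sign check that rejects such input before any allocation happens.
 * All helper names here are illustrative assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode a 4-byte little-endian header field the way a signed 32-bit reader
 * would: bit 31 set means a negative value after widening to long. */
long le32_signed(const unsigned char b[4])
{
    uint32_t u = (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
                 ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
    return (long)(int32_t)u;
}

/* What the routine would allocate and how many bytes it would then read. */
typedef struct {
    long   alloc_len;  /* size handed to the allocator */
    size_t read_len;   /* count handed to fread()/memcpy() */
} copy_plan;

/* Unchecked arithmetic (modeled after the vulnerable pattern, an assumption):
 * compressed members get one extra byte, a zero size is bumped to one, and
 * the read length is data_size cast to size_t. With data_size == -1 that
 * yields a 1-byte allocation and a SIZE_MAX-byte read: a heap overflow. */
copy_plan plan_unchecked(long data_size, int compress)
{
    copy_plan p;
    long bytes_size = compress == 0 ? data_size : data_size + 1;
    if (bytes_size == 0)
        bytes_size++;
    p.alloc_len = bytes_size;
    p.read_len = (size_t)data_size;
    return p;
}

/* Hardened form: refuse negative sizes up front, before any arithmetic.
 * Returns 0 on success and -1 for a rejected size. */
int plan_checked(long data_size, int compress, copy_plan *out)
{
    if (data_size < 0)
        return -1;  /* negative data size: reject the archive member */
    *out = plan_unchecked(data_size, compress);
    return 0;
}

/* True when the read would write past the allocated buffer. */
int copy_would_overflow(copy_plan p)
{
    return p.alloc_len < 0 || p.read_len > (size_t)p.alloc_len;
}

int main(void)
{
    /* Constructed header fields: 0xFFFFFFFF is -1 when read as signed;
     * 0x0000000A is a sane 10-byte member. */
    const unsigned char evil_size[4] = {0xff, 0xff, 0xff, 0xff};
    const unsigned char sane_size[4] = {0x0a, 0x00, 0x00, 0x00};
    copy_plan p;

    long bad = le32_signed(evil_size);
    p = plan_unchecked(bad, 1);
    printf("unchecked: data_size=%ld alloc=%ld read=%zu overflow=%d\n",
           bad, p.alloc_len, p.read_len, copy_would_overflow(p));

    printf("checked:   data_size=%ld rejected=%d\n",
           bad, plan_checked(bad, 1, &p) == -1);

    long ok = le32_signed(sane_size);
    if (plan_checked(ok, 1, &p) == 0)
        printf("checked:   data_size=%ld alloc=%ld read=%zu overflow=%d\n",
               ok, p.alloc_len, p.read_len, copy_would_overflow(p));
    return 0;
}
```

The point to take from the model is where the check sits: once a negative ``long`` has been added to or cast to ``size_t``, the allocation and the read length no longer agree, so the only robust fix is to reject the sign before any of that arithmetic runs, which is why the check is placed at the top of ``plan_checked`` rather than on the computed ``bytes_size``.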