new file mode 100644

@@ -0,0 +1,81 @@

+From 134cb01cda50f02725575808130b05d2d776693f Mon Sep 17 00:00:00 2001

+From: Serhiy Storchaka <storchaka@gmail.com>

+Date: Sun, 18 Mar 2018 09:55:53 +0200

+Subject: [PATCH] bpo-32056: Improve exceptions in aifc, wave and sunau.

+ (GH-5951)

+

+---

+ Lib/aifc.py                                        |  4 ++

+ Lib/sunau.py                                       |  2 +

+ Lib/test/test_aifc.py                              | 35 ++++++++++--

+ Lib/test/test_sunau.py                             | 37 +++++++++++++

+ Lib/test/test_wave.py                              | 62 ++++++++++++++++++++++

+ Lib/wave.py                                        | 14 ++++-

+ .../2018-03-01-17-49-56.bpo-32056.IlpfgE.rst       |  3 ++

+ 7 files changed, 150 insertions(+), 7 deletions(-)

+ create mode 100644 Misc/NEWS.d/next/Library/2018-03-01-17-49-56.bpo-32056.IlpfgE.rst

+

+diff --git a/Lib/aifc.py b/Lib/aifc.py

+index 3d2dc56de198..1916e7ef8e7e 100644

+--- a/Lib/aifc.py

+@@ -467,6 +467,10 @@ def _read_comm_chunk(self, chunk):

+         self._nframes = _read_long(chunk)

+         self._sampwidth = (_read_short(chunk) + 7) // 8

+         self._framerate = int(_read_float(chunk))

++        if self._sampwidth <= 0:

++            raise Error('bad sample width')

++        if self._nchannels <= 0:

++            raise Error('bad # of channels')

+         self._framesize = self._nchannels * self._sampwidth

+         if self._aifc:

+             #DEBUG: SGI's soundeditor produces a bad size :-(

+diff --git a/Lib/sunau.py b/Lib/sunau.py

+index dbad3db8392d..129502b0b417 100644

+--- a/Lib/sunau.py

+@@ -208,6 +208,8 @@ def initfp(self, file):

+             raise Error('unknown encoding')

+         self._framerate = int(_read_u32(file))

+         self._nchannels = int(_read_u32(file))

++        if not self._nchannels:

++            raise Error('bad # of channels')

+         self._framesize = self._framesize * self._nchannels

+         if self._hdr_size > 24:

+             self._info = file.read(self._hdr_size - 24)

+--- a/Lib/wave.py

+@@ -253,12 +253,22 @@ def readframes(self, nframes):

+     #

+ 

+     def _read_fmt_chunk(self, chunk):

+-        wFormatTag, self._nchannels, self._framerate, dwAvgBytesPerSec, wBlockAlign = struct.unpack_from('<HHLLH', chunk.read(14))

++        try:

++            wFormatTag, self._nchannels, self._framerate, dwAvgBytesPerSec, wBlockAlign = struct.unpack_from('<HHLLH', chunk.read(14))

++        except struct.error:

++            raise EOFError from None

+         if wFormatTag == WAVE_FORMAT_PCM:

+-            sampwidth = struct.unpack_from('<H', chunk.read(2))[0]

++            try:

++                sampwidth = struct.unpack_from('<H', chunk.read(2))[0]

++            except struct.error:

++                raise EOFError from None

+             self._sampwidth = (sampwidth + 7) // 8

++            if not self._sampwidth:

++                raise Error('bad sample width')

+         else:

+             raise Error('unknown format: %r' % (wFormatTag,))

++        if not self._nchannels:

++            raise Error('bad # of channels')

+         self._framesize = self._nchannels * self._sampwidth

+         self._comptype = 'NONE'

+         self._compname = 'not compressed'

+diff --git a/Misc/NEWS.d/next/Library/2018-03-01-17-49-56.bpo-32056.IlpfgE.rst b/Misc/NEWS.d/next/Library/2018-03-01-17-49-56.bpo-32056.IlpfgE.rst

+new file mode 100644

+index 000000000000..421aa3767794

+--- /dev/null

+@@ -0,0 +1,3 @@

++Improved exceptions raised for invalid number of channels and sample width

++when read an audio file in modules :mod:`aifc`, :mod:`wave` and

++:mod:`sunau`.

new file mode 100644

@@ -0,0 +1,160 @@

+From baa45079466eda1f5636a6d13f3a60c2c00fdcd3 Mon Sep 17 00:00:00 2001

+From: Steve Dower <steve.dower@microsoft.com>

+Date: Mon, 5 Mar 2018 14:26:28 -0800

+Subject: [PATCH] [3.6] bpo-33001: Prevent buffer overrun in os.symlink

+ (GH-5989) (GH-5990)

+

+---

+ Lib/test/test_os.py                                | 35 ++++++++++++

+ .../2018-03-05-10-09-51.bpo-33001.elj4Aa.rst       |  1 +

+ Modules/posixmodule.c                              | 66 +++++++++++++---------

+ 3 files changed, 74 insertions(+), 28 deletions(-)

+ create mode 100644 Misc/NEWS.d/next/Security/2018-03-05-10-09-51.bpo-33001.elj4Aa.rst

+

+diff --git a/Misc/NEWS.d/next/Security/2018-03-05-10-09-51.bpo-33001.elj4Aa.rst b/Misc/NEWS.d/next/Security/2018-03-05-10-09-51.bpo-33001.elj4Aa.rst

+new file mode 100644

+index 000000000000..2acbac9e1af6

+--- /dev/null

+@@ -0,0 +1 @@

++Minimal fix to prevent buffer overrun in os.symlink on Windows

+diff --git a/Modules/posixmodule.c b/Modules/posixmodule.c

+index 0837a4a4991e..39ba030b5191 100644

+--- a/Modules/posixmodule.c

+@@ -7241,7 +7241,7 @@ win_readlink(PyObject *self, PyObject *args, PyObject *kwargs)

+ #if defined(MS_WINDOWS)

+ 

+ /* Grab CreateSymbolicLinkW dynamically from kernel32 */

+-static DWORD (CALLBACK *Py_CreateSymbolicLinkW)(LPWSTR, LPWSTR, DWORD) = NULL;

++static BOOLEAN (CALLBACK *Py_CreateSymbolicLinkW)(LPCWSTR, LPCWSTR, DWORD) = NULL;

+ static DWORD (CALLBACK *Py_CreateSymbolicLinkA)(LPSTR, LPSTR, DWORD) = NULL;

+ 

+ static int

+@@ -7259,18 +7259,24 @@ check_CreateSymbolicLink(void)

+     return (Py_CreateSymbolicLinkW && Py_CreateSymbolicLinkA);

+ }

+ 

+-/* Remove the last portion of the path */

+-static void

++/* Remove the last portion of the path - return 0 on success */

++static int

+ _dirnameW(WCHAR *path)

+ {

+     WCHAR *ptr;

+ 

++    size_t length = wcsnlen_s(path, MAX_PATH);

++    if (length == MAX_PATH) {

++        return -1;

++    }

+     /* walk the path from the end until a backslash is encountered */

+-    for(ptr = path + wcslen(path); ptr != path; ptr--) {

+-        if (*ptr == L'\\' || *ptr == L'/')

++    for(ptr = path + length; ptr != path; ptr--) {

++        if (*ptr == L'\\' || *ptr == L'/'){

+             break;

++   }

+     }

+     *ptr = 0;

++    return 0;

+ }

+ 

+ /* Remove the last portion of the path */

+@@ -7299,29 +7305,26 @@ _is_absW(const WCHAR *path)

+ static int

+ _is_absA(const char *path)

+ {

+-    return path[0] == '\\' || path[0] == '/' || path[1] == ':';

+-

++    return path[0] == L'\\' || path[0] == L'/' ||

++        (path[0] && path[1] == L':');

+ }

+ 

+-/* join root and rest with a backslash */

+-static void

++/* join root and rest with a backslash - return 0 on success */

++static int

+ _joinW(WCHAR *dest_path, const WCHAR *root, const WCHAR *rest)

+ {

+-    size_t root_len;

+-

+     if (_is_absW(rest)) {

+-        wcscpy(dest_path, rest);

+-        return;

++        return wcscpy_s(dest_path, MAX_PATH, rest);

+     }

+ 

+-    root_len = wcslen(root);

+-

+-    wcscpy(dest_path, root);

+-    if(root_len) {

+-        dest_path[root_len] = L'\\';

+-        root_len++;

++    if (wcscpy_s(dest_path, MAX_PATH, root)) {

++        return -1;

+     }

+-    wcscpy(dest_path+root_len, rest);

++

++    if (dest_path[0] && wcscat_s(dest_path, MAX_PATH, L"\\")) {

++        return -1;

++     }

++    return wcscat_s(dest_path, MAX_PATH, rest);

+ }

+ 

+ /* join root and rest with a backslash */

+@@ -7354,10 +7357,14 @@ _check_dirW(WCHAR *src, WCHAR *dest)

+     WCHAR src_resolved[MAX_PATH] = L"";

+ 

+     /* dest_parent = os.path.dirname(dest) */

+-    wcscpy(dest_parent, dest);

+-    _dirnameW(dest_parent);

++    if (wcscpy_s(dest_parent, MAX_PATH, dest) ||

++        _dirnameW(dest_parent)) {

++        return 0;

++    }

+     /* src_resolved = os.path.join(dest_parent, src) */

+-    _joinW(src_resolved, dest_parent, src);

++    if (_joinW(src_resolved, dest_parent, src)) {

++        return 0;

++    }

+     return (

+         GetFileAttributesExW(src_resolved, GetFileExInfoStandard, &src_info)

+         && src_info.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY

+@@ -7432,15 +7439,10 @@ os_symlink_impl(PyObject *module, path_t *src, path_t *dst,

+         }

+ #endif

+ 

+-    if ((src->narrow && dst->wide) || (src->wide && dst->narrow)) {

+-        PyErr_SetString(PyExc_ValueError,

+-            "symlink: src and dst must be the same type");

+-        return NULL;

+-    }

+ 

+ #ifdef MS_WINDOWS

+ 

+-    Py_BEGIN_ALLOW_THREADS

++    _Py_BEGIN_SUPPRESS_IPH

+     if (dst->wide) {

+         /* if src is a directory, ensure target_is_directory==1 */

+         target_is_directory |= _check_dirW(src->wide, dst->wide);

+@@ -7453,13 +7455,19 @@ os_symlink_impl(PyObject *module, path_t *src, path_t *dst,

+         result = Py_CreateSymbolicLinkA(dst->narrow, src->narrow,

+                                         target_is_directory);

+     }

+-    Py_END_ALLOW_THREADS

++    _Py_END_SUPPRESS_IPH

+ 

+     if (!result)

+         return path_error2(src, dst);

+ 

+ #else

+ 

++    if ((src->narrow && dst->wide) || (src->wide && dst->narrow)) {

++        PyErr_SetString(PyExc_ValueError,

++            "symlink: src and dst must be the same type");

++        return NULL;

++    }

++

+     Py_BEGIN_ALLOW_THREADS

+ #if HAVE_SYMLINKAT

+     if (dir_fd != DEFAULT_DIR_FD)

@@ -1,7 +1,7 @@

 Summary:        A high-level scripting language

 Name:           python3

 Version:        3.5.4

-Release:        1%{?dist}

+Release:        2%{?dist}

 License:        PSF

 URL:            http://www.python.org/

 Group:          System Environment/Programming

@@ -11,6 +11,8 @@ Source0:        https://www.python.org/ftp/python/%{version}/Python-%{version}.t

 %define         sha1 Python=4aacbd09ca6988255de84a98ab9e4630f584efba

 Patch0:         cgi3.patch

 Patch1:         sockWarning.patch

+Patch3:         python3-CVE-2018-1000117.patch

+Patch4:         python3-CVE-2017-18207.patch

 BuildRequires:  pkg-config >= 0.28

 BuildRequires:  bzip2-devel

 BuildRequires:  ncurses-devel >= 6.0-3

@@ -89,6 +91,8 @@ to build python programs.

 %setup -q -n Python-%{version}

 %patch0 -p1

 %patch1 -p1

+%patch3 -p1

+%patch4 -p1

 %build

 export OPT="${CFLAGS}"

@@ -193,6 +197,8 @@ rm -rf %{buildroot}/*

 %{_bindir}/idle*

 %changelog

+*   Wed Apr 18 2018 Xiaolin Li <xiaolinl@vmware.com> 3.5.4-2

+-   Fix CVE-2018-1000117 and CVE-2017-18207

 *   Mon Dec 04 2017 Kumar Kaushik <kaushikk@vmware.com> 3.5.4-1

 -   Upgrading to 3.5.4

 *   Tue Sep 26 2017 Anish Swaminathan <anishs@vmware.com> 3.5.3-7