authorSteve Dower <steve.dower@python.org>2022-03-07 19:15:04 (GMT)
committerGitHub <noreply@github.com>2022-03-07 19:15:04 (GMT)
commit58d576a43cb1800dd68f06a429d7d41f746a8c01 (patch)
tree2d21d34c0994c19e542160eed675e22490ca61da
parent136842c91b5783e205e217c4855baa9dadd4ad41 (diff)
bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and CVE-2019-12900 (GH-31732)
-rw-r--r--Misc/NEWS.d/next/Windows/2022-03-07-17-46-40.bpo-44549.SPrGS9.rst2
-rw-r--r--PCbuild/get_externals.bat2
-rw-r--r--PCbuild/python.props2
-rw-r--r--PCbuild/readme.txt2
4 files changed, 5 insertions, 3 deletions
diff --git a/Misc/NEWS.d/next/Windows/2022-03-07-17-46-40.bpo-44549.SPrGS9.rst b/Misc/NEWS.d/next/Windows/2022-03-07-17-46-40.bpo-44549.SPrGS9.rst
new file mode 100644
index 0000000..0f1ef9a
--- /dev/null
+++ b/Misc/NEWS.d/next/Windows/2022-03-07-17-46-40.bpo-44549.SPrGS9.rst
@@ -0,0 +1,2 @@
+Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and
+CVE-2019-12900
diff --git a/PCbuild/get_externals.bat b/PCbuild/get_externals.bat
index accc464..462e0db 100644
--- a/PCbuild/get_externals.bat
+++ b/PCbuild/get_externals.bat
@@ -51,7 +51,7 @@ if NOT DEFINED PYTHON (
echo.Fetching external libraries...
set libraries=
-set libraries=%libraries% bzip2-1.0.6
+set libraries=%libraries% bzip2-1.0.8
if NOT "%IncludeLibffiSrc%"=="false" set libraries=%libraries% libffi-3.3.0
if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-1.1.1m
set libraries=%libraries% sqlite-3.37.2.0
diff --git a/PCbuild/python.props b/PCbuild/python.props
index 99d448f..eddb658 100644
--- a/PCbuild/python.props
+++ b/PCbuild/python.props
@@ -58,7 +58,7 @@
<ExternalsDir Condition="$(ExternalsDir) == ''">$([System.IO.Path]::GetFullPath(`$(PySourcePath)externals`))</ExternalsDir>
<ExternalsDir Condition="!HasTrailingSlash($(ExternalsDir))">$(ExternalsDir)\</ExternalsDir>
<sqlite3Dir>$(ExternalsDir)sqlite-3.37.2.0\</sqlite3Dir>
- <bz2Dir>$(ExternalsDir)bzip2-1.0.6\</bz2Dir>
+ <bz2Dir>$(ExternalsDir)bzip2-1.0.8\</bz2Dir>
<lzmaDir>$(ExternalsDir)xz-5.2.2\</lzmaDir>
<libffiDir>$(ExternalsDir)libffi-3.3.0\</libffiDir>
<libffiOutDir>$(ExternalsDir)libffi-3.3.0\$(ArchName)\</libffiOutDir>
diff --git a/PCbuild/readme.txt b/PCbuild/readme.txt
index 477f286..1ea8beb 100644
--- a/PCbuild/readme.txt
+++ b/PCbuild/readme.txt
@@ -161,7 +161,7 @@ interpreter, but they do implement several major features. See the
about getting the source for building these libraries. The sub-projects
are:
_bz2
- Python wrapper for version 1.0.6 of the libbzip2 compression library
+ Python wrapper for version 1.0.8 of the libbzip2 compression library
Homepage:
http://www.bzip.org/
_lzma