new file mode 100644
@@ -0,0 +1,75 @@
+From c3cf71c3366fe49acb776a639405c0eea6169c20 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 13 Apr 2026 03:35:24 +0200
+Subject: [PATCH] [3.13] gh-148395: Fix a possible UAF in
+ `{LZMA,BZ2,_Zlib}Decompressor` (GH-148396) (#148479)
+
+gh-148395: Fix a possible UAF in `{LZMA,BZ2,_Zlib}Decompressor` (GH-148396)
+
+Fix dangling input pointer after `MemoryError` in _lzma/_bz2/_ZlibDecompressor.decompress
+(cherry picked from commit 8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2)
+
+Co-authored-by: Stan Ulbrych <stan@python.org>
+
+CVE: CVE-2026-6100
+Upstream-Status: Backport [https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ .../Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst | 5 +++++
+ Modules/_bz2module.c | 1 +
+ Modules/_lzmamodule.c | 1 +
+ Modules/zlibmodule.c | 1 +
+ 4 files changed, 8 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
+
+diff --git a/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
+new file mode 100644
+index 0000000..9502189
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
+@@ -0,0 +1,5 @@
++Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
++:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor`
++when memory allocation fails with :exc:`MemoryError`, which could let a
++subsequent :meth:`!decompress` call read or write through a stale pointer to
++the already-released caller buffer.
+diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
+index 97bd44b..a732e89 100644
+--- a/Modules/_bz2module.c
++++ b/Modules/_bz2module.c
+@@ -587,6 +587,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len, Py_ssize_t max_length)
+ return result;
+
+ error:
++ bzs->next_in = NULL;
+ Py_XDECREF(result);
+ return NULL;
+ }
+diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c
+index 7bbd656..103a6ef 100644
+--- a/Modules/_lzmamodule.c
++++ b/Modules/_lzmamodule.c
+@@ -1114,6 +1114,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len, Py_ssize_t max_length)
+ return result;
+
+ error:
++ lzs->next_in = NULL;
+ Py_XDECREF(result);
+ return NULL;
+ }
+diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c
+index f94c57e..9759593 100644
+--- a/Modules/zlibmodule.c
++++ b/Modules/zlibmodule.c
+@@ -1645,6 +1645,7 @@ decompress(ZlibDecompressor *self, uint8_t *data,
+ return result;
+
+ error:
++ self->zst.next_in = NULL;
+ Py_XDECREF(result);
+ return NULL;
+ }
+--
+2.50.1
+
@@ -35,6 +35,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-test_active_children-skip-problematic-test.patch \
file://0001-test_readline-skip-limited-history-test.patch \
file://CVE-2026-1502.patch \
+ file://CVE-2026-6100.patch \
"
SRC_URI:append:class-native = " \
Pick patch from [1] also mentioned at NVD report in [2] [1] https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-6100 [3] https://security-tracker.debian.org/tracker/CVE-2026-6100 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> --- .../python/python3/CVE-2026-6100.patch | 75 +++++++++++++++++++ .../python/python3_3.12.13.bb | 1 + 2 files changed, 76 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-6100.patch