{
  "threat_severity" : "Low",
  "public_date" : "2016-01-21T00:00:00Z",
  "bugzilla" : {
    "description" : "python: Heap overflow in zipimporter module",
    "id" : "1345856",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1345856"
  },
  "cvss" : {
    "cvss_base_score" : "4.4",
    "cvss_scoring_vector" : "AV:L/AC:M/Au:N/C:P/I:P/A:P",
    "status" : "verified"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.5",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-20->CWE-190->CWE-122",
  "details" : [ "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.", "A vulnerability was discovered in Python, in the built-in zipimporter. A specially crafted zip file placed in a module path such that it would be loaded by a later \"import\" statement could cause a heap overflow, leading to arbitrary code execution." ],
  "statement" : "Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2016-11-03T00:00:00Z",
    "advisory" : "RHSA-2016:2586",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "python-0:2.7.5-48.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "python",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "jython",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Will not fix",
    "package_name" : "python",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "python27-python",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "python33-python",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "rh-python34-python",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "rh-python35-python",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-5636\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-5636" ],
  "name" : "CVE-2016-5636",
  "csaw" : false
}