Bug 11938

Summary: python new security issue CVE-2013-7040
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED WONTFIX QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: makowski.mageia
Version: Cauldron   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard: MGA3TOO
Source RPM: python, python3 CVE:
Status comment:

Description David Walser 2013-12-10 01:58:14 CET
A CVE has been assigned for a security issue in Python:
http://openwall.com/lists/oss-security/2013/12/09/13

The issue is similar to the previous hash table collision DoS CVE-2012-1150 that we fixed in Bug 5843.

Reproducible: 

Steps to Reproduce:
David Walser 2013-12-10 01:58:25 CET

CC: (none) => makowski.mageia
Whiteboard: (none) => MGA3TOO

Comment 1 Philippe Makowski 2013-12-10 11:05:23 CET
That's a big patch:
http://hg.python.org/cpython/rev/adb471b9cba1

It will be in Python 3.4 (3.4.0 final: February 23, 2014),
and I don't think that it will be backported to Python 2.

I don't know what to do.
Comment 2 David Walser 2013-12-10 13:56:26 CET
If I understand from the discussion in that oss-security thread, Python 3.4 is changing to an entirely new implementation for the dictionary backend.  I think the Debian patch and other discussion on the oss-security thread is about how to make the existing implementation better.  For now it might be better to wait and see if upstream tries to do any kind of fix for older Pythons and also to see what other distros ultimately do about this.
Comment 3 Philippe Makowski 2013-12-10 19:15:33 CET
In upstream I doubt they will back-port something, if I read the thread here:
http://bugs.python.org/issue14621 (see last message)
I put here the Red Hat tracking:
https://bugzilla.redhat.com/show_bug.cgi?id=1039918
https://bugzilla.redhat.com/show_bug.cgi?id=1039917

I will watch
Comment 4 David Walser 2013-12-10 19:32:37 CET
I mixed this up with another issue, so there's no proposed solution yet.  I dunno if there will be.  Here's the main RH bug for this:
https://bugzilla.redhat.com/show_bug.cgi?id=1039915
Comment 5 Philippe Makowski 2014-03-24 13:39:48 CET
For the record:
Python 3.4 is not affected (so it will be fixed for us in mga5) (due to PEP 456 http://legacy.python.org/dev/peps/pep-0456/), but 3.3 and 2.7 are still affected.
And the Python project declares this as "WONTFIX" for versions older than 3.4.

cf. http://bugs.python.org/issue14621
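An added check (not from this bug report or from Python upstream) that a packager can run on a given interpreter to tell whether it carries the PEP 456 SipHash string hash or the older hash that CVE-2013-7040 concerns, and to confirm that hash randomization actually takes effect from one process to the next. The string "mageia" and the seed values are constructed sample inputs; the check relies on sys.hash_info.algorithm, which PEP 456 added in 3.4, and on the PYTHONHASHSEED environment variable.

```python
import os
import subprocess
import sys


def interpreter_hash_profile():
    """Describe the str/bytes hash used by the running interpreter.

    PEP 456 (Python 3.4) added sys.hash_info.algorithm.  On 2.7 and 3.3 the
    attribute is absent, which means the pre-PEP 456 FNV-style hash is in use.
    """
    hash_info = getattr(sys, "hash_info", None)
    algorithm = getattr(hash_info, "algorithm", "fnv (pre-PEP 456)")
    flags = sys.flags
    return {
        "version": "%d.%d" % sys.version_info[:2],
        "algorithm": algorithm,
        # 0 means PYTHONHASHSEED=0 (or an interpreter without -R support).
        "randomized": bool(getattr(flags, "hash_randomization", 0)),
        "hardened": algorithm.startswith("siphash"),
    }


def hash_in_subprocess(text, seed):
    """Hash `text` in a fresh interpreter started with PYTHONHASHSEED=seed.

    seed=0 disables randomization (the weak, deterministic setting); any
    positive integer selects a fixed seed, and "random" is the default.
    """
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    out = subprocess.check_output(
        [sys.executable, "-c", "import sys; print(hash(sys.argv[1]))", text],
        env=env,
    )
    return int(out.decode("ascii").strip())


def randomization_effective(text="mageia"):
    """True when two different seeds yield different hashes for the same input."""
    return hash_in_subprocess(text, 1) != hash_in_subprocess(text, 2)


if __name__ == "__main__":
    profile = interpreter_hash_profile()
    print("Python %(version)s: %(algorithm)s, randomized=%(randomized)s, "
          "hardened=%(hardened)s" % profile)
    print("randomization effective across processes:", randomization_effective())
```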
Comment 6 David Walser 2014-03-24 13:43:56 CET
Red Hat has marked their bug WONTFIX as well.  I'll do the same.  Thanks Philippe.

Status: NEW => RESOLVED
Resolution: (none) => WONTFIX