| Summary: | python/python3 new security issue CVE-2014-1912 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | sysadmin-bugs, tmb |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/586327/ | ||
| Whiteboard: | MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok | ||
| Source RPM: | python-2.7.6-1.mga5.src.rpm, python3-3.3.2-13.mga4.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 12127 | ||
Description

David Walser
2014-02-14 18:48:42 CET

David Walser
2014-02-14 18:48:58 CET
Whiteboard: (none) => MGA4TOO, MGA3TOO

Cauldron updated, 3 and 4 are coming.

David Walser
2014-02-15 17:24:57 CET
Version: Cauldron => 4

About Python2 in mga3 and mga4, do I take this opportunity to update to 2.7.6? It would solve some of the bugs reported in bug#12127 and CVE-2013-4238 (http://hg.python.org/cpython/raw-file/99d03261c1ba/Misc/NEWS).

Taking the opportunity to update to 2.7.6 would make sense, yes.

Advisory:
========================
Updated Python and Python3 packages fix a security vulnerability:

A vulnerability was reported (CVE-2014-1912) in Python's socket module, due to a boundary error within the sock_recvfrom_into() function, which could be exploited to cause a buffer overflow. This could be used to crash a Python application that uses the socket.recvfrom_into() function or, possibly, execute arbitrary code with the permissions of the user running vulnerable Python code.

The update to Python 2.7.6 also fixes bugs reported in bug#12127 and CVE-2013-4238.

References:
http://bugs.python.org/issue20246
https://bugzilla.redhat.com/show_bug.cgi?id=1062370
http://hg.python.org/cpython/raw-file/99d03261c1ba/Misc/NEWS

Updated packages in core/updates_testing:
========================
tkinter3-apps-3.3.2-13.1.mga4
libpython3.3-3.3.2-13.1.mga4
python3-docs-3.3.2-13.1.mga4
libpython3-devel-3.3.2-13.1.mga4
python3-3.3.2-13.1.mga4
python3-debuginfo-3.3.2-13.1.mga4
tkinter3-3.3.2-13.1.mga4

from SRPMS:
python3-3.3.2-13.1.mga4.src

Updated packages in core/updates_testing:
========================
tkinter3-apps-3.3.0-4.6.mga3
libpython3.3-3.3.0-4.6.mga3
python3-docs-3.3.0-4.6.mga3
libpython3-devel-3.3.0-4.6.mga3
python3-3.3.0-4.6.mga3
python3-debuginfo-3.3.0-4.6.mga3
tkinter3-3.3.0-0-4.6.mga3

from SRPMS:
python3-3.3.0-4.6.mga3.src

Updated packages in core/updates_testing:
========================
libpython2.7-2.7.6-1.mga4
tkinter-apps-2.7.6-1.mga4
tkinter-2.7.6-1.mga4
python-debuginfo-2.7.6-1.mga4
libpython-devel-2.7.6-1.mga4
python-2.7.6-1.mga4
python-docs-2.7.6-1.mga4

from SRPMS:
python-2.7.6-1.mga4.src

Updated packages in core/updates_testing:
========================
libpython2.7-2.7.6-1.mga3
tkinter-apps-2.7.6-1.mga3
tkinter-2.7.6-1.mga3
python-debuginfo-2.7.6-1.mga3
libpython-devel-2.7.6-1.mga3
python-2.7.6-1.mga3
python-docs-2.7.6-1.mga3

from SRPMS:
python-2.7.6-1.mga3.src

Assignee: makowski.mageia => qa-bugs

We actually already fixed CVE-2013-4238 in Bug 10989. Adding some info to the advisory...

Advisory:
========================
Updated python and python3 packages fix security vulnerabilities:

A vulnerability was reported in Python's socket module, due to a boundary error within the sock_recvfrom_into() function, which could be exploited to cause a buffer overflow. This could be used to crash a Python application that uses the socket.recvfrom_into() function or, possibly, execute arbitrary code with the permissions of the user running vulnerable Python code (CVE-2014-1912).

This updates the python package to version 2.7.6, which fixes several other bugs, including denial of service flaws due to unbound readline() calls in the ftplib and nntplib modules (CVE-2013-1752).

The python3 package has been patched to fix the CVE-2014-1912 issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1912
http://bugs.python.org/issue20246
http://hg.python.org/cpython/raw-file/99d03261c1ba/Misc/NEWS
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128243.html
https://bugzilla.redhat.com/show_bug.cgi?id=1046174
http://openwall.com/lists/oss-security/2013/12/23/10
https://bugs.mageia.org/show_bug.cgi?id=12127
https://bugs.mageia.org/show_bug.cgi?id=12772
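The advisory above describes the CVE-2014-1912 defect as a missing bounds check in sock_recvfrom_into(): the caller could ask for more bytes than the supplied buffer holds. The following is an added example, not part of the bug report or of the Mageia packages, that a QA tester could run against an updated interpreter. It assumes a POSIX system where socket.socketpair() supports AF_UNIX datagram sockets. The probe never sends a datagram, so on a patched interpreter the ValueError fires before any receive call, while an unpatched interpreter simply waits for data and hits the timeout instead of overrunning the buffer. The second function shows the safe calling pattern for recvfrom_into(): the requested count never exceeds the buffer, and the returned byte count (not the buffer length) is used to slice the result.

```python
import socket

# Constructed probe: a patched interpreter validates nbytes against the
# buffer length before touching the socket and raises ValueError. Since no
# datagram is ever sent, an unpatched interpreter just blocks in the receive
# call until the timeout, so the probe itself cannot overflow anything.
def recvfrom_into_rejects_oversized_nbytes(timeout=0.2):
    """Return True if recvfrom_into() refuses nbytes > len(buffer)."""
    reader, writer = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    reader.settimeout(timeout)
    buf = bytearray(8)              # 8-byte buffer, but 16 bytes requested
    try:
        reader.recvfrom_into(buf, 16)
    except ValueError:
        return True                 # bounds check present (fix applied)
    except socket.timeout:
        return False                # no bounds check: call reached recvfrom()
    finally:
        reader.close()
        writer.close()
    return False


# Constructed round trip showing the safe pattern: nbytes is bounded by the
# buffer, and the count returned by recvfrom_into() decides how much of the
# buffer is real data.
def recvfrom_into_roundtrip(payload):
    """Send one datagram over a socketpair and read it back with recvfrom_into()."""
    reader, writer = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        writer.send(payload)
        buf = bytearray(64)         # large enough for the constructed payload
        nbytes, _addr = reader.recvfrom_into(buf, len(buf))
        return bytes(buf[:nbytes])
    finally:
        reader.close()
        writer.close()


if __name__ == "__main__":
    print("bounds check present:", recvfrom_into_rejects_oversized_nbytes())
    print("round trip:", recvfrom_into_roundtrip(b"constructed datagram"))
```

Running the script with the updated python or python3 package should report the bounds check as present; a False result means the interpreter still accepts an nbytes value larger than the buffer and needs the update.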
David Walser
2014-02-16 17:50:36 CET
Blocks: (none) => 12127

Procedure:

python/tkinter/tkinter-apps
---------------------------
Use random examples from here, run in idle: http://wiki.python.org/moin/SimplePrograms

python3/tkinter3/tkinter3-apps
----------------------------
$ wget -O python3programs.py http://www.annedawson.net/Python3Programs.txt
$ idle3 python3programs.py

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Testing mga3 32 & 64

Testing complete mga3 32 & 64

When testing python3 as above, it will eventually get stuck in a loop; interrupt with ctrl-c. It's not meant to be run as a single script but is good enough to show that what we want to work is working.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok mga3-64-ok

Advisory uploaded. Needs tests on mga4 to validate.

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok

Thanks Claire. Since Fedora has now fixed this for python3 as well, I'd like to add it to the references (right below the other Fedora advisory link): https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128361.html

Advisory updated.

Testing complete, validating.

Keywords: (none) => validated_update

Update pushed: http://advisories.mageia.org/MGASA-2014-0085.html

Status: NEW => RESOLVED