Bug 13052

Summary: python3 new security issue CVE-2013-7338
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: cmrisolde, davidwhodgins, geiger.david68210, makowski.mageia, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/591685/
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK advisory
Source RPM: python3 CVE:
Status comment:

Description David Walser 2014-03-19 19:28:39 CET 
A CVE has been assigned for yet another zipfile issue in Python:
http://openwall.com/lists/oss-security/2014/03/19/3

The upstream bug and commit to fix it are linked in the message above.

Reproducible: 

Steps to Reproduce:
David Walser 2014-03-20 13:13:33 CET

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Philippe Makowski 2014-03-22 12:43:06 CET 
Advisory:
========================

Updated python3 packages fix security vulnerabilities:

 ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited zips (CVE-2013-7338).

References:
http://bugs.python.org/issue20078
http://openwall.com/lists/oss-security/2014/03/19/3
========================

Updated packages in core/updates_testing:
========================
libpython3-3.3.0-4.7.mga3
libpython3-devel-3.3.0-4.7.mga3
tkinter3-3.3.0-4.7.mga3
tkinter3-apps-3.3.0-4.7.mga3
python3-3.3.0-4.7.mga3
python3-docs-3.3.0-4.7.mga3
libpython3-3.3.2-13.2.mga4
libpython3-devel-3.3.2-13.2.mga4
tkinter3-3.3.2-13.2.mga4
tkinter3-apps-3.3.2-13.2.mga4
python3-3.3.2-13.2.mga4
python3-docs-3.3.2-13.2.mga4

from SRPMS:
python3-3.3.0-4.7.mga3.src.rpm
python3-3.3.2-13.2.mga4.src.rpm


note : the fix is present in Python 3.3.4 so Cauldron is not affected.

Version: Cauldron => 4
Assignee: makowski.mageia => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 2 claire robinson 2014-03-22 12:59:18 CET 
PoC attached to the bug link: http://bugs.python.org/issue20078

General testing here: https://bugs.mageia.org/show_bug.cgi?id=10391#c15

$ cd test
$ wget -O python3programs.py http://www.annedawson.net/Python3Programs.txt
$ idle3 python3programs.py

Choose Run Module in the Run menu. It ends in a loop which you have to kill with ctrl-c but it's intentionally so and shows python3 and tkinter3 working.

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 3 David Walser 2014-03-22 14:26:00 CET 
Thanks Philippe!  Just adding the CVE URL and a hard return.

Advisory:
========================

Updated python3 packages fix security vulnerabilities:

ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited
zips (CVE-2013-7338).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7338
http://bugs.python.org/issue20078
http://openwall.com/lists/oss-security/2014/03/19/3

CC: (none) => makowski.mageia

Comment 4 Carolyn Rowse 2014-03-22 19:59:36 CET 
Tested Mga4 64-bit using PySol and running a couple of Anne Dawson's scripts and a couple of mine from Bash and from IDLE.  No problems noticed.

Carolyn

CC: (none) => cmrisolde
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK

Comment 5 Carolyn Rowse 2014-03-22 21:38:15 CET 
Tested Mga4 32-bit as above - no problems encountered.

Carolyn

Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK

Comment 6 Carolyn Rowse 2014-03-22 21:48:19 CET 
In Mga3 32-bit I can't get the necessary packages to appear in the list of update candidates, and I checked that I've got the right media enabled and updated.   Any ideas, anyone?

Mga3 64-bit I'm not able to test at the moment.

Carolyn
Comment 7 David Walser 2014-03-22 22:04:08 CET 
(In reply to Carolyn Rowse from comment #6)
> In Mga3 32-bit I can't get the necessary packages to appear in the list of
> update candidates, and I checked that I've got the right media enabled and
> updated.   Any ideas, anyone?

Try a different mirror.  I see them on this one:
http://mageia.c3sl.ufpr.br/distrib/3/i586/media/core/updates_testing/
Comment 8 Carolyn Rowse 2014-03-23 09:04:38 CET 
Super, thanks David.

Testing complete for Mga3 32-bit, no problems encountered.

Carolyn

Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK

Comment 9 David GEIGER 2014-03-23 21:20:52 CET 
Tested mga3_64,

Testing complete for python3-3.3.0-4.7.mga3, nothing to report and seems work fine here.

Using test procedure on comment 2


lib64python3-3.3.0-4.7.mga3
tkinter3-3.3.0-4.7.mga3
tkinter3-apps-3.3.0-4.7.mga3
python3-3.3.0-4.7.mga3
python3-docs-3.3.0-4.7.mga3

CC: (none) => geiger.david68210
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK

Comment 10 Dave Hodgins 2014-03-23 21:29:39 CET 
Advisory uploaded to svn. Validating the update.

Someone from the sysadmin team please push 13052.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 11 Thomas Backlund 2014-03-24 08:44:14 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0140.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2014-03-24 19:18:38 CET

URL: (none) => http://lwn.net/Vulnerabilities/591685/