| Summary: | python/python3 new security issues CVE-2014-4616 and CVE-2014-4650 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | makowski.mageia, marc.lattemann, pterjan, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/603975/ | ||
| Whiteboard: | MGA3TOO has_procedure advisory MGA3-32-OK MGA3-64-OK MGA4-64-OK MGA4-32-OK | ||
| Source RPM: | python, python3 | CVE: | |
| Status comment: | |||
| Bug Depends on: | 13601 | ||
| Bug Blocks: | |||
Description
David Walser
2014-06-24 13:55:38 CEST
David Walser
2014-06-24 13:55:45 CEST
Whiteboard: (none) => MGA4TOO, MGA3TOO

A security issue in the CGIHTTPServer class in Python was reported:
http://openwall.com/lists/oss-security/2014/06/23/5
and assigned a CVE:
http://openwall.com/lists/oss-security/2014/06/26/3

Summary: python/python3 new security issue CVE-2014-4616 => python/python3 new security issues CVE-2014-4616 and CVE-2014-4650

Note: Python 3.4.1 is not affected by CVE-2014-4616, but is by CVE-2014-4650
David Walser
2014-06-28 19:39:15 CEST
Depends on: (none) => 13601

Updated packages (with upstream patches):
python3-3.4.1-3.mga5
python-2.7.6-7.mga5
python-2.7.6-1.2.mga4
python3-3.3.2-13.4.mga4
python3-3.3.0-4.9.mga3
python-2.7.6-1.2.mga3

need to write the advisory

Thanks Philippe!

CVE-2014-4616 for python-simplejson is being handled in Bug 13601.

I think this should suffice as an advisory.

Advisory:
========================

Updated python and python3 packages fix security vulnerabilities:

Python 2 and 3 are susceptible to arbitrary process memory reading by a user or adversary due to a bug in the _json module caused by insufficient bounds checking. The bug is caused by allowing the user to supply a negative value that is used as an array index, causing the scanstring function to access process memory outside of the string it is intended to access (CVE-2014-4616).

The CGIHTTPServer Python module does not properly handle URL-encoded path separators in URLs. This may enable attackers to disclose a CGI script's source code or execute arbitrary scripts in the server's document root (CVE-2014-4650).

References:
http://bugs.python.org/issue21529
http://bugs.python.org/issue21766
http://openwall.com/lists/oss-security/2014/06/24/7
http://openwall.com/lists/oss-security/2014/06/26/3
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134761.html
========================

Updated packages in core/updates_testing:
========================
python-2.7.6-1.2.mga3
libpython2.7-2.7.6-1.2.mga3
libpython-devel-2.7.6-1.2.mga3
python-docs-2.7.6-1.2.mga3
tkinter-2.7.6-1.2.mga3
tkinter-apps-2.7.6-1.2.mga3
python3-3.3.0-4.9.mga3
libpython3.3-3.3.0-4.9.mga3
libpython3-devel-3.3.0-4.9.mga3
python3-docs-3.3.0-4.9.mga3
tkinter3-3.3.0-4.9.mga3
tkinter3-apps-3.3.0-4.9.mga3
python-2.7.6-1.2.mga4
libpython2.7-2.7.6-1.2.mga4
libpython-devel-2.7.6-1.2.mga4
python-docs-2.7.6-1.2.mga4
tkinter-2.7.6-1.2.mga4
tkinter-apps-2.7.6-1.2.mga4
python3-3.3.2-13.4.mga4
libpython3.3-3.3.2-13.4.mga4
libpython3-devel-3.3.2-13.4.mga4
python3-docs-3.3.2-13.4.mga4
tkinter3-3.3.2-13.4.mga4
tkinter3-apps-3.3.2-13.4.mga4

from SRPMS:
python-2.7.6-1.2.mga3.src.rpm
python3-3.3.0-4.9.mga3.src.rpm
python-2.7.6-1.2.mga4.src.rpm
python3-3.3.2-13.4.mga4.src.rpm

Whiteboard:
MGA4TOO, MGA3TOO => MGA3TOO

Fedora has issued an advisory for CVE-2014-4616 for the python package:
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134903.html

It'd be a better reference for the advisory than the other one. Reposting...

Advisory:
========================

Updated python and python3 packages fix security vulnerabilities:

Python 2 and 3 are susceptible to arbitrary process memory reading by a user or adversary due to a bug in the _json module caused by insufficient bounds checking. The bug is caused by allowing the user to supply a negative value that is used as an array index, causing the scanstring function to access process memory outside of the string it is intended to access (CVE-2014-4616).

The CGIHTTPServer Python module does not properly handle URL-encoded path separators in URLs. This may enable attackers to disclose a CGI script's source code or execute arbitrary scripts in the server's document root (CVE-2014-4650).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4616
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4650
http://bugs.python.org/issue21766
http://openwall.com/lists/oss-security/2014/06/26/3
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134903.html

URL:
(none) => http://lwn.net/Vulnerabilities/603975/

trying to reproduce this method: http://bugs.python.org/issue21766

before update:

```
[root@localhost subdir]# curl http://localhost:8000/cgi-bin/subdir/test.py
<head>
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code 403.
<p>Message: CGI script is not a plain file ('/cgi-bin/subdir').
<p>Error code explanation: 403 = Request forbidden -- authorization will not help.
</body>
```

and:

```
[root@localhost subdir]# curl http://localhost:8000/cgi-bin/subdir%2ftest.py
{"text": "This is a Test"}
```

this seems to be the explained behaviour.

After update:

```
[root@localhost subdir]# curl http://localhost:8000/cgi-bin/subdir%2ftest.py
<head>
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code 403.
<p>Message: CGI script is not a plain file ('/cgi-bin/subdir').
<p>Error code explanation: 403 = Request forbidden -- authorization will not help.
</body>
```

the code will not be executed anymore? This seems to be the corrected behaviour? Or am I wrong?

used python: python-2.7.6-1.2.mga4.i586

CC:
(none) => marc.lattemann

Sorry, having very bad connection here, but I guess you can find a test here: hg.python.org/cpython/rev/b4bab0788768

(In reply to Marc Lattemann from comment #6)
> the code will not be executed anymore? This seems to be the corrected
> behaviour?
>

yes so your test is ok, thanks

Specific procedure in comment 6
General Testing Procedure: https://bugs.mageia.org/show_bug.cgi?id=12772#c6 onwards

Whiteboard:
MGA3TOO => MGA3TOO has_procedure

(In reply to Philippe Makowski from comment #8)
> yes so your test is ok, thanks

Thanks for confirmation. I will proceed then with this specific test for the other versions and archs (maybe I will not finish today, because of a silly football game, which seems to be important for Germans :) )

CC:
marc.lattemann => (none)

tested for python3 for mga4 32 bit (as in comment #6):

```
[root@localhost subdir]# curl http://localhost:8000/cgi-bin/subdir%2ftest.py
```

will be prevented from execution as well. So adding tag mga4-32-OK

Will now continue with 64bit and mga3 testing

CC:
(none) => marc.lattemann

tested for MGA4 64bit, MGA3 32 and 64 bit:

```
[root@localhost subdir]# curl http://localhost:8000/cgi-bin/subdir%2ftest.py
```

will be prevented from execution for all variants... tested the installation of the related packages as well. So for me everything works fine. Please upload advisories, validate the update and push the packages to updates. Thanks.

Whiteboard:
MGA3TOO has_procedure MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK MGA4-32-OK

Well done Marc, keep going!

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords:
(none) => validated_update

http://advisories.mageia.org/MGASA-2014-0285.html

Status:
NEW => RESOLVED

LWN reference for CVE-2014-4650:
http://lwn.net/Vulnerabilities/604859/
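
The three responses recorded in the test procedure above can be reproduced offline with a simplified model of a CGI handler that picks the script name either before or after URL-decoding the request path. This is an added example, not part of the bug report and not CPython's code; the document-root layout, the function names and the `decode_before_split` switch are assumptions made for the illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root: one CGI script in a subdirectory of cgi-bin.
FILES = {"cgi-bin/subdir/test.py"}
DIRS = {"cgi-bin", "cgi-bin/subdir"}
CGI_DIRECTORIES = ("/cgi-bin",)


def translate_path(url_path):
    """Map a URL path to a path under the document root (decodes %xx)."""
    return posixpath.normpath(unquote(url_path)).lstrip("/")


def handle(request_path, decode_before_split):
    """Return (status, detail) for a request, as this model handler sees it.

    decode_before_split=False models the behaviour seen before the update,
    True the behaviour seen after it (assumption of this model).
    """
    path = unquote(request_path) if decode_before_split else request_path
    path = posixpath.normpath(path)
    head, _, tail = path[1:].partition("/")
    if "/" + head not in CGI_DIRECTORIES:
        return None, "not a CGI request"
    # The first path segment after the CGI directory is taken as the script.
    script = tail.split("/", 1)[0]
    script_name = "/" + head + "/" + script
    target = translate_path(script_name)  # decoding happens here regardless
    if target in DIRS:
        return 403, "CGI script is not a plain file (%r)" % script_name
    if target in FILES:
        return 200, "executes " + target
    return 404, "no such CGI script (%r)" % script_name


def run_procedure():
    """The requests from the test procedure, with before/after statuses."""
    requests = ["/cgi-bin/subdir/test.py", "/cgi-bin/subdir%2ftest.py"]
    return {r: (handle(r, False)[0], handle(r, True)[0]) for r in requests}


if __name__ == "__main__":
    for req, (before, after) in run_procedure().items():
        print("%-28s before=%s after=%s" % (req, before, after))
```

When the split happens on the still-encoded path, `subdir%2ftest.py` is one segment that only becomes `subdir/test.py` at filesystem lookup; decoding first makes both spellings of the request take the same 403 branch.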