| Summary: | python-simplejson security issue fixed upstream in 3.5.3 (CVE-2014-4616) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | geiger.david68210, makowski.mageia, pterjan, rverschelde, sysadmin-bugs, wilcal.int |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/603975/ | ||
| Whiteboard: | MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory | ||
| Source RPM: | python-simplejson-3.4.0-2.mga5.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 13588 | ||
|
Description
David Walser
2014-06-27 14:13:48 CEST
David Walser
2014-06-27 14:14:03 CEST
Whiteboard:
(none) =>
MGA4TOO
David Walser
2014-06-27 18:29:20 CEST
URL:
(none) =>
http://lwn.net/Vulnerabilities/603750/

Updated packages:
python-simplejson-2.6.0-2.1.mga3
python-simplejson-3.3.0-3.1.mga4
python-simplejson-3.5.3-1.mga5

Need to write the advisory.

Philippe Makowski
2014-06-28 17:27:58 CEST
Whiteboard:
MGA4TOO =>
MGA4TOO MGA3TOO

Thanks Philippe! I think this should suffice as an advisory.

Advisory:
========================

Updated python-simplejson package fixes security vulnerability:

Python 2 and 3 are susceptible to arbitrary process memory reading by a user or adversary due to a bug in the _json module caused by insufficient bounds checking. The bug is caused by allowing the user to supply a negative value that is used as an array index, causing the scanstring function to access process memory outside of the string it is intended to access.

References:
https://hackerone.com/reports/12297
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134761.html
========================

Updated packages in core/updates_testing:
========================
python-simplejson-2.6.0-2.1.mga3
python-simplejson-3.3.0-3.1.mga4

from SRPMS:
python-simplejson-2.6.0-2.1.mga3.src.rpm
python-simplejson-3.3.0-3.1.mga4.src.rpm

CC:
(none) =>
makowski.mageia

and python3-simplejson-3.3.0-3.1.mga4

Oh wait, this is CVE-2014-4616, so it actually does affect python's bundled module (in fact that's what the advisory blurb says). The upstream Python bug has links to commits to fix it in Python itself:
http://bugs.python.org/issue21529

We should actually fix this in python/python3 as well before pushing to QA. There's also CVE-2014-4650, which I also reported in Bug 13588, for python/python3, which I imagine we'll fix at the same time.

CC:
(none) =>
qa-bugs

The python and python3 packages have been patched. Handling that in Bug 13588.

Advisory:
========================

Updated python-simplejson package fixes security vulnerability:

Python 2 and 3 are susceptible to arbitrary process memory reading by a user or adversary due to a bug in the _json module caused by insufficient bounds checking. The bug is caused by allowing the user to supply a negative value that is used as an array index, causing the scanstring function to access process memory outside of the string it is intended to access (CVE-2014-4616).

This issue also affected the python-simplejson package, which has been patched to fix the bug.

References:
http://bugs.python.org/issue21529
http://openwall.com/lists/oss-security/2014/06/24/7
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134761.html
========================

Updated packages in core/updates_testing:
========================
python-simplejson-2.6.0-2.1.mga3
python-simplejson-3.3.0-3.1.mga4
python3-simplejson-3.3.0-3.1.mga4

from SRPMS:
python-simplejson-2.6.0-2.1.mga3.src.rpm
python-simplejson-3.3.0-3.1.mga4.src.rpm

CC:
qa-bugs =>
(none)

Forgot the CVE URL in the advisory.

Advisory:
========================

Updated python-simplejson package fixes security vulnerability:

Python 2 and 3 are susceptible to arbitrary process memory reading by a user or adversary due to a bug in the _json module caused by insufficient bounds checking. The bug is caused by allowing the user to supply a negative value that is used as an array index, causing the scanstring function to access process memory outside of the string it is intended to access (CVE-2014-4616).

This issue also affected the python-simplejson package, which has been patched to fix the bug.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4616
http://bugs.python.org/issue21529
http://openwall.com/lists/oss-security/2014/06/24/7
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134761.html

Correct me if I'm wrong: JSON depends on python-simplejson and JSON is built into Firefox. So is there a website I can go to that exercises JSON, or something, that I can test if this update works? Let's make a simple procedure that we can use now and in the future. Thanks.

CC:
(none) =>
wilcal.int

Python has its own built-in JSON implementation, and if Firefox uses that it would as well. You can see what depends on this package with "urpmi --whatrequires python-simplejson"

David, it is rather this: :-)
urpmq --whatrequires python-simplejson

CC:
(none) =>
geiger.david68210

Thanks guys, back soon.

You have simple tests on the first documentation page:
http://simplejson.readthedocs.org/en/latest/
and the package itself runs tests during the build, including one for the CVE fix.

In VirtualBox, M3, KDE, 32-bit

Package(s) under test: python-simplejson zim

zim has only one package dependency and that is python-simplejson

default install of python-simplejson zim

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-2.6.0-2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-1.mga3.noarch is already installed

zim creates and saves a desktop Wiki

install python-simplejson from updates_testing

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-2.6.0-2.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-1.mga3.noarch is already installed

zim creates and saves a new desktop Wiki
zim loads and reads previously created Wiki

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard:
MGA3TOO =>
MGA3TOO MGA3-32-OK

(In reply to Philippe Makowski from comment #11)
> you have simple tests on the first documentation page :
> http://simplejson.readthedocs.org/en/latest/

Is what I did in Comment #13 OK?

In VirtualBox, M3, KDE, 64-bit

Package(s) under test: python-simplejson zim

zim has only one package dependency and that is python-simplejson

default install of python-simplejson zim

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-2.6.0-2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-1.mga3.noarch is already installed

zim creates and saves a desktop Wiki

install python-simplejson from updates_testing

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-2.6.0-2.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-1.mga3.noarch is already installed

zim creates and saves a new desktop Wiki
zim loads and reads previously created Wiki

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard:
MGA3TOO MGA3-32-OK =>
MGA3TOO MGA3-32-OK MGA3-64-OK

In VirtualBox, M4, KDE, 32-bit

Package(s) under test: python-simplejson zim

zim has only one package dependency and that is python-simplejson

default install of python-simplejson zim

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-3.3.0-3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-3.mga4.noarch is already installed

zim creates and saves a desktop Wiki

install python-simplejson from updates_testing

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-3.3.0-3.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-3.mga4.noarch is already installed

zim creates and saves a new desktop Wiki
zim loads and reads previously created Wiki

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard:
MGA3TOO MGA3-32-OK MGA3-64-OK =>
MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK

In VirtualBox, M4, KDE, 64-bit

Package(s) under test: python-simplejson zim

zim has only one package dependency and that is python-simplejson

default install of python-simplejson zim

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-3.3.0-3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-3.mga4.noarch is already installed

zim creates and saves a desktop Wiki

install python-simplejson from updates_testing

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-3.3.0-3.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-3.mga4.noarch is already installed

zim creates and saves a new Wiki
zim loads and reads previously created Wiki

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard:
MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK =>
MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

This testing seems to indicate that the update is good to go. What say ye all?

I uploaded the advisory, I'll let you confirm whether the update is good to go :-)

CC:
(none) =>
remi

(In reply to Rémi Verschelde from comment #19)
> I uploaded the advisory, I'll let you confirm whether the update is good to
> go :-)

Thanks Rémi. If David's comfortable with this then I'll turn it loose.

I am. Let's ship it :o)

Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

Validating the update.

Could someone from the sysadmin team push this to updates. Thanks

Keywords:
(none) =>
validated_update

http://advisories.mageia.org/MGASA-2014-0286.html

Status:
NEW =>
RESOLVED
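The thread asks for a simple, repeatable check that goes beyond "zim still saves a wiki", and the advisory text explains what the fix does: scanstring() must refuse a negative end index instead of using it to read memory before the string. The script below is an added example written for this page; it is not code from Mageia, CPython or simplejson, and the function names, result labels and the sample input are its own choices. It probes the C-accelerated scanstring() of the standard json module (and of simplejson when it is installed; the attribute name simplejson.decoder.c_scanstring is an assumption modelled on the stdlib module) with a negative index and reports whether the bounds check is present. One caveat before running it on the package under test: on an unpatched interpreter the probe performs exactly the out-of-bounds read the CVE describes, which can leak process memory into the result or crash the interpreter, so run it in a throwaway VM like the ones used for the tests above.

```python
"""Probe whether a JSON decoder's C scanstring() enforces the bounds check
added for CVE-2014-4616 (Python issue21529 / simplejson 3.5.3).

Added example for this bug report; not code from Mageia, CPython or
simplejson. It relies only on the nature of the bug described in the
advisory: scanstring() accepted a negative end index and read process
memory outside the string. Function names, sample input and result
labels are this script's own.

WARNING: on an unpatched interpreter the probe performs the out-of-bounds
read the CVE describes, which may leak memory into the result or crash
the process. Run it in a disposable VM.
"""
import json.decoder

# Constructed sample input: one complete JSON string literal. A normal
# caller passes `end` pointing just past the opening quote (index 1).
SAMPLE = '"abc"'
NEGATIVE_END = -1


def probe_scanstring(scanstring):
    """Call scanstring(SAMPLE, NEGATIVE_END) and classify the outcome.

    "rejected": ValueError was raised (the behaviour of the upstream fix).
    "accepted": a result came back; for a C accelerator this means the
                index was used unchecked.
    "missing":  no such implementation is available.
    "error":    some other exception, e.g. an incompatible signature.
    Only "rejected" proves that the bounds check is present.
    """
    if scanstring is None:
        return "missing"
    try:
        scanstring(SAMPLE, NEGATIVE_END)
    except ValueError:
        return "rejected"
    except Exception as exc:
        return "error: %s: %s" % (type(exc).__name__, exc)
    # A vulnerable C accelerator gets here: the value it returned was
    # assembled from memory before the start of SAMPLE's buffer.
    return "accepted"


def check_stdlib_json():
    """Probe the C accelerator (_json) of the standard library json module."""
    return probe_scanstring(getattr(json.decoder, "c_scanstring", None))


def check_stdlib_fallback():
    """Probe the pure-Python fallback. It reaches the string only through
    re.match(), which clamps a negative start position to 0, so it reports
    "accepted" without ever reading outside the buffer. That is why the
    probe must be aimed at the C accelerator, not at the fallback."""
    return probe_scanstring(getattr(json.decoder, "py_scanstring", None))


def check_simplejson():
    """Probe simplejson's C accelerator (_speedups), or report "missing"
    when simplejson is not installed. Assumption: simplejson.decoder
    exposes the accelerator as c_scanstring, like the stdlib module."""
    try:
        import simplejson.decoder
    except ImportError:
        return "missing"
    return probe_scanstring(getattr(simplejson.decoder, "c_scanstring", None))


def report():
    """Map each implementation to its probe result; "rejected" means patched."""
    return {
        "json (C accelerator)": check_stdlib_json(),
        "json (pure-Python fallback)": check_stdlib_fallback(),
        "simplejson (C accelerator)": check_simplejson(),
    }


if __name__ == "__main__":
    for name, status in report().items():
        print("%-30s %s" % (name, status))
```

Run it once before and once after installing the update from updates_testing; the python-simplejson line should move from "accepted" (or a crash) to "rejected", and the stdlib line confirms whether the python/python3 fix from Bug 13588 is in place on the same machine. The fallback line is expected to say "accepted" on every version and is included only to show why probing the pure-Python path proves nothing.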
David Walser
2014-07-24 16:07:00 CEST
URL:
http://lwn.net/Vulnerabilities/603750/ =>
http://lwn.net/Vulnerabilities/603975/ |