| Summary: | python, python3 new security issue CVE-2017-1000158 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, jackal.j, makowski.mageia, marja11, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA6-64-OK MGA5-64-OK | ||
| Source RPM: | python-2.7.13-3.mga7.src.rpm, python3-3.6.2-3.mga7.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | Basic hello world script for tkinter; Hello World type script for tkinter with python 3; Hello World script for tkinter with python 3 | ||
Description
David Walser
2017-11-30 21:25:58 CET
David Walser
2017-11-30 21:26:04 CET
Whiteboard: (none) => MGA6TOO, MGA5TOO

CC'ing all packagers collectively, in case philippem's still unavailable.

CC: (none) => marja11, pkg-bugs

Helpful links regarding this:
Link to discussion regarding this bug, contains the patches as well: https://bugs.python.org/issue30657

CC: (none) => jackal.j
David Walser
2017-12-31 00:47:27 CET
QA Contact: (none) => security

Advisory:
========================

Updated python, python3 packages fix security vulnerability:

It was discovered that Python incorrectly handled decoding certain strings. An attacker could possibly use this issue to execute arbitrary code (CVE-2017-1000158).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000158
https://usn.ubuntu.com/usn/usn-3496-1/
https://usn.ubuntu.com/usn/usn-3496-3/
========================

Updated packages in core/updates_testing:
========================
python-2.7.9-2.5.mga5
libpython2.7-2.7.9-2.5.mga5
libpython-devel-2.7.9-2.5.mga5
python-docs-2.7.9-2.5.mga5
tkinter-2.7.9-2.5.mga5
tkinter-apps-2.7.9-2.5.mga5
python3-3.4.3-1.6.mga5
libpython3.4-3.4.3-1.6.mga5
libpython3-devel-3.4.3-1.6.mga5
python3-docs-3.4.3-1.6.mga5
tkinter3-3.4.3-1.6.mga5
tkinter3-apps-3.4.3-1.6.mga5
python-2.7.13-1.1.mga6
libpython2.7-2.7.13-1.1.mga6
libpython2.7-stdlib-2.7.13-1.1.mga6
libpython2.7-testsuite-2.7.13-1.1.mga6
libpython-devel-2.7.13-1.1.mga6
python-docs-2.7.13-1.1.mga6
tkinter-2.7.13-1.1.mga6
tkinter-apps-2.7.13-1.1.mga6
python3-3.5.3-1.1.mga6
libpython3.5-3.5.3-1.1.mga6
libpython3.5-stdlib-3.5.3-1.1.mga6
libpython3.5-testsuite-3.5.3-1.1.mga6
libpython3-devel-3.5.3-1.1.mga6
python3-docs-3.5.3-1.1.mga6
tkinter3-3.5.3-1.1.mga6
tkinter3-apps-3.5.3-1.1.mga6

from SRPMS:
python-2.7.9-2.5.mga5.src.rpm
python3-3.4.3-1.6.mga5.src.rpm
python-2.7.13-1.1.mga6.src.rpm
python3-3.5.3-1.1.mga6.src.rpm

Version: Cauldron => 6
Dave Hodgins
2017-12-31 06:30:42 CET
CC: (none) => davidwhodgins

Mageia 6 :: x86-64
Updated python packages.
Installed python-ply.
As root:
# python /usr/share/doc/python-ply/example/calc/calc.py
Generating LALR tables
calc > a=2
calc > b=47
calc > a*b
94
As user:
$ cd /usr/share/doc/python-ply/test
$ python testlex.py
.F..FFFE..................................
----------------------------------------------------------------------
Ran 42 tests in 0.179s
FAILED (failures=4, errors=1)
If run under root all 42 tests succeed. The user failures are to do with access permissions.
# python testlex.py
..........................................
----------------------------------------------------------------------
Ran 42 tests in 0.365s
OK
# python testyacc.py
..........................................
----------------------------------------------------------------------
Ran 42 tests in 0.077s
OK
Installed python3-ply.
As root:
# cd /usr/share/doc/python3-ply/test
# python3 testlex.py
..........................................
----------------------------------------------------------------------
Ran 42 tests in 0.476s
OK
# python3 testyacc.py
..........................................
----------------------------------------------------------------------
Ran 42 tests in 0.097s
OK
Hoping this is sufficient for an OK in our straitened circumstances.

CC: (none) => tarazed25
Len Lawrence
2017-12-31 15:58:38 CET
Whiteboard: MGA5TOO exit => MGA5TOO MGA6-64-OK

Withdrawing the OK because tkinter has not been tested.

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO

There are web guides for tkinter programmers at file:///usr/share/doc/python3-docs/library/tkinter.html and file:///usr/share/doc/python-docs/library/tkinter.html and also for tkinter.ttk (Tk themed widgets - an unfinished project).
Have not been able to track down the tkinter(3)-apps. python-ply/example has several python scripts but none of them use tk.
I downloaded a graphical tkinter example but foundered on the imported modules. matplotlib can be installed from an rpm but I have no recent experience with using pip or python-pip (aka so long ago it has been forgotten).

For python as a whole the library/test.html document indicates that regression tests can be executed using the built in test suite.
$ python -m test.regrtest
357 tests OK
This runs through a series of 401 tests, which take a while and keeps a running total of the failures. 4 tests failed and 39 were skipped for various reasons like 'for BSD only' or 'requires loads of disk space and a long time to run'.
Note that this test is quoted in python3 documentation. It does not work for python3.

Continuing the search for tkinter-apps.

Note that this update doesn't affect tkinter.

Re comment 7: Good to know - I should have realized that. Thanks. Anyway I found a helloworld script on another machine that works with tkinter. Reinstating the 64-bit OK.
Len Lawrence
2017-12-31 18:53:36 CET
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Mageia 5 :: x86_64
Updated all packages and installed {python,python3}-ply.
$ cd /usr/share/doc/python-ply/example
As root:
# python calc/calc.py
Generating LALR tables
calc > a = 71
calc > b = 44
calc > a*b
3124
calc > x = a*b
calc > x/2
1562
calc > x/22
142
Ran calc.py in python3-ply to perform similar calculations.
# cd ../test
# python testlex.py
..........................................
----------------------------------------------------------------------
Ran 42 tests in 0.292s
OK
# python testyacc.py
................................
----------------------------------------------------------------------
Ran 32 tests in 0.045s
OK
Running python3 against the test scripts in python3-ply returned similar results.
Installed python-imaging-tk.
Back to user. Ran a helloworld script with a two button gui.
That worked fine, buttons responded and a dummy gui window was launched with entry fields and checkbuttons but no callbacks. Converted a local JPEG file to a photoimage. Still in development but it works with python.
Calling time on this one. OK.

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK

Super work, Len. This bug can be a reference for future Python testing. Do you want to attach the "Hello World" script for tkinter - which pops up from time to time? Validating.

Keywords: (none) => validated_update

Re comment 10: The original script was childishly simple but I can attach it - maybe next year ;-)

Created attachment 9871 [details]
Basic hello world script for tkinter
Just hello goodbye for python 2
Created attachment 9872 [details]
Hello World type script for tkinter with python 3
Main differences from 2.7 are:
#!/bin/env python -> #!/bin/env python3
Tkinter -> tkinter
print "string" => print( "string" )
Created attachment 9873 [details]
Hello World script for tkinter with python 3
Added a few comments for complete beginners.
Attachment 9872 is obsolete: 0 => 1

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0004.html

Resolution: (none) => FIXED