| Summary: | python-marshmallow new security issue CVE-2018-17175 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | davidwhodgins, marja11, ngompa13, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-64-OK | | |
| Source RPM: | python-marshmallow-2.2.1-0.6.gitea1def9.mga7.src.rpm | CVE: | |
| Status comment: | | | |
|
Description
David Walser
2018-10-16 00:40:07 CEST

David Walser
2018-10-16 00:40:15 CEST
Whiteboard: (none) => MGA6TOO

Assigning to the Python stack maintainers, CC'ing the registered maintainer.
Assignee: bugsquad => python

Patched packages uploaded for Mageia 6 and Cauldron.

Advisory:
========================

Updated python-marshmallow packages fix security vulnerability:

In the marshmallow library before 2.15.1 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the "only" option, and there is a user role that produces an empty value for "only") (CVE-2018-17175).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17175
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GCKZAADQI7JJ3ZUN7DSIR2JH3VZEJZDM/
========================

Updated packages in core/updates_testing:
========================

python2-marshmallow-2.2.1-0.5.gitea1def9.mga6
python2-marshmallow-doc-2.2.1-0.5.gitea1def9.mga6
python3-marshmallow-2.2.1-0.5.gitea1def9.mga6
python3-marshmallow-doc-2.2.1-0.5.gitea1def9.mga6

from python-marshmallow-2.2.1-0.5.gitea1def9.mga6.src.rpm

Assignee: python => qa-bugs

Mageia6, x86_64

```
$ rpm -qa | grep marshmallow
python3-marshmallow-doc-2.2.1-0.4.gitea1def9.mga6
python3-marshmallow-2.2.1-0.4.gitea1def9.mga6
python2-marshmallow-doc-2.2.1-0.4.gitea1def9.mga6
python2-marshmallow-2.2.1-0.4.gitea1def9.mga6
```

Documentation at https://marshmallow.readthedocs.io/en/3.0/

```
$ cat example.py
from datetime import date
from marshmallow import Schema, fields, pprint

class ArtistSchema(Schema):
    name = fields.Str()

class AlbumSchema(Schema):
    title = fields.Str()
    release_date = fields.Date()
    artist = fields.Nested(ArtistSchema())

bowie = dict(name='David Bowie')
album = dict(artist=bowie, title='Hunky Dory', release_date=date(1971, 12, 17))

schema = AlbumSchema()
result = schema.dump(album)
pprint(result, indent=2)
```

This works with python2.7 or python3.

```
$ python3 example.py
MarshalResult(data={'artist': {'name': 'David Bowie'}, 'title': 'Hunky Dory', 'release_date': '1971-12-17'}, errors={})
```

Quick start for Schemas: https://marshmallow.readthedocs.io/en/3.0/quickstart.html

CVE-2018-17175
https://github.com/marshmallow-code/marshmallow/issues/772

```
$ cat test.py
from marshmallow import Schema, fields, pprint

class TestSchema(Schema):
    foo = fields.Field()

sch = TestSchema(only=())
data = dict(foo='bar')
result = sch.dump(data)
assert 'foo' not in result
```

The snippet above is supposed to return an assertion but returns nothing when run before the update.

```
$ python test.py
$ python3 test.py
$
```

Updated packages to version 2.2.1-0.5

Same results from running 'python{,3} {example,test}.py'.

So clean update, expected result from the example script, but I have insufficient knowledge of python to interpret the outcomes of running test.py.

Placing None in the argument list shows what a null argument should have produced before the update:

```
$ cat test1.py
from marshmallow import Schema, fields, pprint

class TestSchema(Schema):
    foo = fields.Field()

sch = TestSchema(only=(None))
data = dict(foo='bar')
result = sch.dump(data)
pprint(result, indent=2)
assert 'foo' not in result

$ python test1.py
MarshalResult(data={'foo': 'bar'}, errors={})
```

This seems to suggest that the fault had been repaired in 2.2.0.4.

OK for 64-bits.

Whiteboard: (none) => MGA6-64-OK
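As an added illustration (not marshmallow's code and not part of the bug thread), the filter below reproduces the CVE-2018-17175 pattern described in the advisory: a truthiness test on `only` treats the empty tuple like `None`, so a role that should expose no fields exposes all of them, while the fixed variant tests `is not None`. The record and role table are constructed; note that `(None)` in test1.py above is simply `None` (the no-restriction case), and that marshmallow 2.x `dump()` returns a `MarshalResult` whose serialized dict is its `.data` attribute, so a membership check has to look there.

```python
"""Added illustration of CVE-2018-17175 (not marshmallow's own code).

`only` comes from a per-role table.  The vulnerable filter asks `if only:`;
the empty tuple is falsy, so a role meant to see no fields is treated like
"no `only` given" and sees everything.  The fix checks `is not None`.
"""

# Constructed sample record and role table; nothing here is from the bug report.
RECORD = {"id": 7, "name": "alice", "email": "alice@example.test", "ssn": "000-00-0000"}
ROLE_ONLY = {
    "admin": None,           # unrestricted
    "user": ("id", "name"),  # partial view
    "guest": (),             # deliberately no fields
}


def dump_vulnerable(obj, only=None):
    # Bug: truthiness test, so only=() falls into the unrestricted branch.
    if only:
        return {k: v for k, v in obj.items() if k in only}
    return dict(obj)


def dump_fixed(obj, only=None):
    # Fix: distinguish "not given" (None) from "given but empty" (()).
    if only is not None:
        return {k: v for k, v in obj.items() if k in only}
    return dict(obj)


def exposed_fields(role, dump=dump_fixed):
    """Sorted field names `role` would see through `dump`."""
    return sorted(dump(RECORD, ROLE_ONLY[role]))


def regression_check(dump):
    """The thread's test.py as a return value: True iff only=() hides the field."""
    return "foo" not in dump({"foo": "bar"}, only=())


if __name__ == "__main__":
    for role in ROLE_ONLY:
        print(role, "vulnerable:", exposed_fields(role, dump_vulnerable),
              "fixed:", exposed_fields(role))
    print("vulnerable hides fields for only=():", regression_check(dump_vulnerable))
    print("fixed hides fields for only=():", regression_check(dump_fixed))
```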
Len Lawrence
2019-02-09 00:33:23 CET
Keywords: (none) => validated_update

Dave Hodgins
2019-02-13 03:03:14 CET
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0065.html

Status: NEW => RESOLVED