| Summary: | python new security issue CVE-2019-9948 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, marja11, sysadmin-bugs, tarazed25, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-64-OK | | |
| Source RPM: | python-2.7.16-1.mga7.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser 2019-05-03 20:50:13 CEST

David Walser 2019-05-03 20:50:18 CEST
Whiteboard: (none) => MGA6TOO

Marja Van Waes 2019-05-03 21:28:47 CEST
Assignee: bugsquad => python

Fixed both mga6 and Cauldron!

Advisory:
========================

Updated python packages fix security vulnerability:

A 'file:' blacklist bypass in URIs by using the 'local-file:' scheme instead (CVE-2019-9948).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9948
https://lists.opensuse.org/opensuse-updates/2019-04/msg00187.html
========================

Updated packages in core/updates_testing:
========================
python-2.7.15-1.4.mga6
libpython2.7-2.7.15-1.4.mga6
libpython2.7-stdlib-2.7.15-1.4.mga6
libpython2.7-testsuite-2.7.15-1.4.mga6
libpython-devel-2.7.15-1.4.mga6
python-docs-2.7.15-1.4.mga6
tkinter-2.7.15-1.4.mga6
tkinter-apps-2.7.15-1.4.mga6

from python-2.7.15-1.4.mga6.src.rpm

CC: (none) => geiger.david68210
Assignee: python => qa-bugs

mga6, x86_64

Investigated the CVE before updating.
CVE-2019-9948
https://bugs.python.org/issue35907

Running this python snippet:

```python
import urllib
print( urllib.urlopen('local_file:///etc/passwd').read()[:30] )
```

returned:

```
root:x:0:0:root:/root:/bin/bas
```

which I think demonstrated the vulnerability. As indicated upstream, running modified POC code with urllib2 or python3 shows that only urllib is vulnerable.

*After updating*

```
$ python poc.py
Traceback (most recent call last):
  File "poc.py", line 3, in <module>
    print( urllib.urlopen('local_file:///etc/passwd').read()[:30] )
  File "/usr/lib64/python2.7/urllib.py", line 87, in urlopen
    return opener.open(url)
  File "/usr/lib64/python2.7/urllib.py", line 213, in open
    return self.open_unknown(fullurl, data)
  File "/usr/lib64/python2.7/urllib.py", line 225, in open_unknown
    raise IOError, ('url error', 'unknown url type', type)
IOError: [Errno url error] unknown url type: 'local_file'
```

This agrees with the report upstream and demonstrates that the issue has been correctly handled.

Checks:

```
$ cat fib.py
def fibo( ):
    ''' Unbounded generator for Fibonacci numbers '''
    x, y = 0, 1
    while True:
        yield x
        x, y = y, x + y

if __name__ == "__main__":
    import itertools
    print list( itertools.islice( fibo( ), 10 ) )
$ python fib.py
[0, 1, 1, 2, 3, 5, 8, 13, 21, 34]
```

Ran calibre under strace - added five PDF books to the library, opened one and scrolled through it. Found numerous references to /usr/lib/python2.7 and /lib64/libpython2.7.so.1.0.

Tried displaycal without really knowing what to do - profiling, calibration curves and tone response. The trace showed libpython2.7 and /usr/lib64/python2.7/site*.

OK for 64-bits.
CC: (none) => tarazed25

Should be OK for 32-bit, too. Validating.
Advisory in Comment 2.

Keywords: (none) => validated_update
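An added example, not code from this bug report, from Mageia or from the Python project: a Python 3 allow-list check for URL schemes, the defensive pattern that sidesteps the denylist-bypass class the QA test above exercised (a 'file:' denylist that did not cover 'local_file:'). The policy, function names and sample URLs are constructed for illustration.

```python
"""Scheme allow-listing for URL fetches (added example, not Mageia/CPython code).
CVE-2019-9948 was a denylist bypass: Python 2's urllib refused 'file:' but routed
'local_file:' to the same local-file handler.  An allow-list has no such failure
mode: every scheme not explicitly permitted is rejected, however it parses.
"""
from urllib.parse import urlsplit

# Constructed policy for this example: only remote web schemes may be fetched.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def check_url(url, allowed=ALLOWED_SCHEMES):
    """Return the normalised URL if its scheme is allowed, else raise ValueError.
    urlsplit() lowercases the scheme and treats only [A-Za-z0-9+.-] as scheme
    characters, so 'local_file:' parses with an empty scheme; that is rejected
    like any other value outside the allow-list, with no per-scheme denylist.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in allowed:
        raise ValueError("scheme %r not permitted in %r" % (parts.scheme, url))
    if not parts.netloc:
        # http(s) without a host is malformed; refuse rather than guess
        raise ValueError("missing host in %r" % url)
    return parts.geturl()


def classify(urls, allowed=ALLOWED_SCHEMES):
    """Split a batch of URLs into (accepted, rejected) for audit logging."""
    accepted, rejected = [], []
    for u in urls:
        try:
            accepted.append(check_url(u, allowed))
        except ValueError as exc:
            rejected.append((u, str(exc)))
    return accepted, rejected


# Constructed sample inputs, including the scheme used in the PoC above.
SAMPLE_URLS = [
    "https://example.org/index.html",
    "HTTP://example.org/",        # scheme matching is case-insensitive
    "file:///etc/passwd",
    "local_file:///etc/passwd",   # the CVE-2019-9948 bypass scheme
    "ftp://example.org/pub/",
    "https:///no-host",
]

if __name__ == "__main__":
    ok, bad = classify(SAMPLE_URLS)
    print("accepted:", ok, "\nrejected:", bad)
```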
Thomas Backlund 2019-05-12 10:04:44 CEST

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0165.html

Keywords: (none) => advisory
Resolution: (none) => FIXED