| Summary: | python/python3 new security issues CVE-2019-9674, CVE-2019-17514, CVE-2019-20907, CVE-2020-8492, CVE-2020-14422, CVE-2020-26116 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | davidwhodgins, geiger.david68210, herman.viaene, jani.valimaa, ouaurelien, sysadmin-bugs, thierry.vignaud |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | python3-3.8.1-2.mga8.src.rpm, python-2.7.17-3.mga8.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2020-02-27 22:58:59 CET

David Walser
2020-02-27 22:59:19 CET
Whiteboard: (none) => MGA7TOO

No registered maintainers for these, so assigning globally; CC'ing a couple of packagers who have committed them recently.
Assignee: bugsquad => pkg-bugs

I just remembered there is a Python group.
Assignee: pkg-bugs => python

openSUSE has issued an advisory for this on March 2 (for python3): https://lists.opensuse.org/opensuse-updates/2020-03/msg00013.html

Ubuntu has issued an advisory for CVE-2020-8492 on April 21: https://usn.ubuntu.com/4333-1/

Note that we are not vulnerable to CVE-2019-18348 because it was fixed in glibc.

openSUSE advisory for python CVE-2019-9674 from May 23: https://lists.opensuse.org/opensuse-updates/2020-05/msg00109.html

David Walser
2020-07-02 23:25:00 CEST
Blocks: (none) => 26894

IIUC there's no real fix for CVE-2019-9674, yet. Only a documentation update. Upstream bug report: https://bugs.python.org/issue36260.
CC: (none) => jani.valimaa

Yes, sometimes a documentation update is the only fix we get.

Ubuntu has issued an advisory on July 22: https://ubuntu.com/security/notices/USN-4428-1
It adds some new CVEs and we now see that all of them also affect Python 2.7. CVE-2019-17514 is only a documentation fix, but that's fine. According to Ubuntu, CVE-2020-15801 that I mentioned below is Windows-specific: https://bugs.mageia.org/show_bug.cgi?id=26894#c5
I'm not sure if these affect Python 2.7: BPO-39603, BPO-41288
I'm also closing Bug 26894 and merging it into this one. So python3 in Cauldron should have all of these fixed, but python (2.7) still needs to be fixed, as does Mageia 7.
Summary: python/python3 new security issues CVE-2019-9674 and CVE-2020-8492 => python/python3 new security issues CVE-2019-9674, CVE-2019-17514, CVE-2019-20907, CVE-2020-8492, CVE-2020-14422

So CVE-2019-9674, CVE-2019-20907 and CVE-2020-8492 are now applied in python-2.7.18-2.mga8. BPO-39603 and BPO-41288 seem not to affect python 2.7.

I added the fix for CVE-2019-17514 in python (2.7) and it looks like CVE-2020-14422 actually does not affect it.
Whiteboard: MGA7TOO => (none)

Fedora has issued an advisory on October 5: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/
It fixes a new issue, CVE-2020-26116, in Python 2. It's already fixed in python3 3.8.5 in Cauldron (but will need to be fixed in python3 in Mageia 7 as well).
Version: 7 => Cauldron

Ubuntu has issued an advisory for the new issue today (October 14): https://ubuntu.com/security/notices/USN-4581-1

RedHat has issued an advisory for python2 today (October 20): https://access.redhat.com/errata/RHSA-2020:4273
RedHat has issued an advisory for python3 on October 20: https://access.redhat.com/errata/RHSA-2020:4299

RedHat has issued an advisory for python3 on November 3: https://access.redhat.com/errata/RHSA-2020:4433

So CVE-2019-9674, CVE-2019-20907, CVE-2020-8492, CVE-2019-17514 and CVE-2020-26116 are now applied in python-2.7.18-1.1.mga7, and CVE-2020-26116 is now also applied in python-2.7.18-5.mga8. New python3-3.7.9-1.mga7 should also fix all security issues. Package list below. Advisory to come later.

python-2.7.18-1.1.mga7
libpython2.7-2.7.18-1.1.mga7
libpython2.7-stdlib-2.7.18-1.1.mga7
libpython2.7-testsuite-2.7.18-1.1.mga7
libpython-devel-2.7.18-1.1.mga7
python-docs-2.7.18-1.1.mga7
tkinter-2.7.18-1.1.mga7
tkinter-apps-2.7.18-1.1.mga7
python3-3.7.9-1.mga7
libpython3.7-3.7.9-1.mga7
libpython3.7-stdlib-3.7.9-1.mga7
libpython3.7-testsuite-3.7.9-1.mga7
libpython3-devel-3.7.9-1.mga7
python3-docs-3.7.9-1.mga7
tkinter3-3.7.9-1.mga7
tkinter3-apps-3.7.9-1.mga7

from SRPMS:
python-2.7.18-1.1.mga7.src.rpm
python3-3.7.9-1.mga7.src.rpm
Version: Cauldron => 7

Advisory:
========================

Updated python and python3 packages fix security vulnerabilities:

It was discovered that Python incorrectly handled certain ZIP files. An attacker could possibly use this issue to cause a denial of service (CVE-2019-9674).

It was discovered that Python documentation had misleading information. A security issue could possibly be caused by wrong assumptions based on this information (CVE-2019-17514).

It was discovered that Python incorrectly handled certain TAR archives. An attacker could possibly use this issue to cause a denial of service (CVE-2019-20907).

It was discovered that Python incorrectly handled certain HTTP requests. An attacker could possibly use this issue to cause a denial of service (CVE-2020-8492).

It was discovered that Python incorrectly handled certain IP values. An attacker could possibly use this issue to cause a denial of service (CVE-2020-14422).

It was discovered that Python incorrectly handled certain character sequences. A remote attacker could possibly use this issue to perform CRLF injection (CVE-2020-26116).

The CVE-2020-14422 issue only affected python3.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9674
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17514
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20907
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8492
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14422
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26116
https://ubuntu.com/security/notices/USN-4428-1
https://ubuntu.com/security/notices/USN-4333-1
https://ubuntu.com/security/notices/USN-4581-1

MGA7-64 MATE on Peaq C1011
Installation: I had to remove python2-numpy-f2py and python3-numpy-f2py, as these were blocking the installation of this lot (probably left-overs from other tests). But that could thus occur in "real life". Continuing tests later.
CC: (none) => herman.viaene

Looked into the testsuite files and went for:
$ cd /usr/lib64/python2.7/test/
Many of those py-files do not give any feedback when running at the CLI, but some do:
$ python2 pystone.py
Pystone(1.1) time for 50000 passes = 1.61624
This machine benchmarks at 30936 pystones/second
$ python2 regrtest.py
== CPython 2.7.18 (default, Nov 20 2020, 06:51:30) [GCC 8.4.0]
== Linux-5.7.19-desktop-3.mga7-x86_64-with-mageia-7-Official little-endian
== /tmp/test_python_31973
== CPU count: 4
Run tests sequentially
0:00:00 load avg: 0.00 [ 1/404] test_grammar
0:00:00 load avg: 0.00 [ 2/404] test_opcodes
0:00:00 load avg: 0.00 [ 3/404] test_dict
0:00:00 load avg: 0.00 [ 4/404] test_builtin
0:00:00 load avg: 0.00 [ 5/404] test_exceptions
0:00:01 load avg: 0.00 [ 6/404] test_types
and that goes on and on... Interrupted with CTRL-C and got:
== Tests result: INTERRUPTED ==
Test suite interrupted by signal SIGINT.
294 tests omitted:
test_dircache test_dis test_distutils test_dl test_docxmlrpc
test_dumbdbm test_dummy_thread test_dummy_threading test_email
and a long list..., but finally
97 tests OK.
13 tests skipped:
test_aepack test_al test_applesingle test_bsddb185 test_bsddb3
test_cd test_cl test_codecmaps_cn test_codecmaps_hk
test_codecmaps_jp test_codecmaps_kr test_codecmaps_tw test_curses
Those skips are all expected on linux2.
Total duration: 1 min 52 sec
Tests result: INTERRUPTED
Did one more
$ python2 sortperf.py
i 2**i *sort \sort /sort 3sort +sort %sort ~sort =sort !sort
15 32768 0.03 0.00 0.00 0.00 0.00 0.01 0.01 0.00 0.01
16 65536 0.07 0.01 0.01 0.01 0.01 0.01 0.03 0.01 0.02
17 131072 0.16 0.02 0.02 0.02 0.02 0.03 0.06 0.02 0.04
18 262144 0.39 0.04 0.04 0.04 0.04 0.07 0.13 0.04 0.09
19 524288 0.88 0.09 0.08 0.09 0.09 0.14 0.27 0.08 0.18
20 1048576 1.96 0.18 0.18 0.18 0.18 0.30 0.56 0.17 0.37
No idea what it means, but at least it completes normally.
Having a look at python3 now.
$ cd /usr/lib64/python3.7/test/
$ python3 final_a.py
x = a
final_b.x = b
shutil.rmtree = rmtree
len = len
x = a
final_b.x = b
shutil.rmtree = rmtree
len = len
x = b
final_a.x = a
shutil.rmtree = rmtree
len = len
x = b
final_a.x = a
shutil.rmtree = rmtree
len = len
x = a
final_b.x = b
shutil.rmtree = rmtree
len = len
x = a
final_b.x = b
shutil.rmtree = rmtree
len = len
$ python3 regrtest.py
== CPython 3.7.9 (default, Nov 20 2020, 08:02:31) [GCC 8.4.0]
== Linux-5.7.19-desktop-3.mga7-x86_64-with-mageia-7-Official little-endian
== cwd: /tmp/test_python_960
== CPU count: 4
== encodings: locale=UTF-8, FS=utf-8
0:00:00 load avg: 0.71 Run tests sequentially
0:00:00 load avg: 0.71 [ 1/416] test_grammar
0:00:00 load avg: 0.71 [ 2/416] test_opcodes
0:00:00 load avg: 0.71 [ 3/416] test_dict
0:00:01 load avg: 0.71 [ 4/416] test_builtin
0:00:02 load avg: 0.71 [ 5/416] test_exceptions
0:00:05 load avg: 0.73 [ 6/416] test_types
0:00:05 load avg: 0.73 [ 7/416] test_unittest
0:00:14 load avg: 0.85 [ 8/416] test_doctest
**********************************************************************
File "/usr/lib64/python3.7/test/test_doctest.py", line 2237, in test.test_doctest.test_DocFileSuite
Failed example:
suite = doctest.DocFileSuite('test_doctest.txt',
'test_doctest2.txt',
'test_doctest4.txt',
package='test')
and some more, stopped again with CTRL-C and got at the end
8 tests OK.
2 tests failed:
test_doctest test_support
Total duration: 20.6 sec
Tests result: FAILURE, INTERRUPTED
$ python3 test_abc.py
................................................
----------------------------------------------------------------------
Ran 48 tests in 0.044s
OK
$ python3 test_abstract_numbers.py
...
----------------------------------------------------------------------
Ran 3 tests in 0.002s
OK
$ python3 sortperf.py
i 2**i *sort \sort /sort 3sort +sort %sort ~sort =sort !sort
15 32768 0.01 0.00 0.00 0.00 0.00 0.00 0.01 0.00 0.00
16 65536 0.03 0.01 0.01 0.01 0.01 0.01 0.01 0.00 0.00
17 131072 0.08 0.01 0.01 0.02 0.01 0.02 0.02 0.00 0.01
18 262144 0.19 0.03 0.03 0.03 0.03 0.05 0.04 0.01 0.01
19 524288 0.45 0.06 0.06 0.06 0.06 0.10 0.08 0.01 0.02
20 1048576 1.05 0.13 0.12 0.13 0.13 0.21 0.16 0.02 0.04
I guess even with the failures, the thing is working quite well, but I wonder whether we can let this go as is with the installation issue I found.
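The generic test suites above exercise the interpreter as a whole; a targeted regression check for two of the CVEs named in the advisory is what a practitioner would add on top. This is an added example, not part of the bug report or of the Mageia packages: it asserts that the installed interpreter refuses a request method containing CR/LF (CVE-2020-26116, http.client) and no longer collapses many distinct ipaddress interface objects onto a single hash value (CVE-2020-14422). The host name localhost.invalid and the 10.0.N.1/24 addresses are constructed placeholders; no connection is opened.

```python
"""Regression checks for two of the CPython fixes shipped in this update.

CVE-2020-26116: http.client must refuse a request method containing control
characters (CR/LF); otherwise extra header lines could be smuggled into the
request line. CVE-2020-14422: ipaddress interface objects must not collapse
to one hash for many distinct addresses (a hash-table DoS). All inputs below
are constructed sample values; nothing is sent over the network.
"""
import http.client
import ipaddress


def http_client_rejects_control_chars(method: str) -> bool:
    """Return True if http.client refuses `method` (the patched behaviour).

    putrequest() only validates and buffers the request line; it does not
    connect, so the unreachable placeholder host is never contacted.
    """
    conn = http.client.HTTPConnection("localhost.invalid", 80)
    try:
        conn.putrequest(method, "/")
    except ValueError:
        return True
    finally:
        conn.close()
    return False


def distinct_interface_hashes(count: int = 256) -> int:
    """Hash `count` distinct interfaces 10.0.N.1/24 and count unique values.

    The pre-fix hash XORed address, prefix length and network address, so
    every one of these collapsed to the single value 1 ^ 24 = 25; the
    patched hash keeps them distinct.
    """
    hashes = {hash(ipaddress.ip_interface(f"10.0.{n}.1/24")) for n in range(count)}
    return len(hashes)


def check_update() -> dict:
    """Summarise both checks; every value is True on a patched build."""
    return {
        "CVE-2020-26116": http_client_rejects_control_chars("GET\r\nX-Injected: 1")
        and not http_client_rejects_control_chars("GET"),
        "CVE-2020-14422": distinct_interface_hashes() > 1,
    }


if __name__ == "__main__":
    for cve, fixed in check_update().items():
        print(f"{cve}: {'fixed' if fixed else 'NOT fixed'}")
```

Run it with the python3 from the update under test; an interpreter older than 3.7.9 reports both checks as not fixed.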
Well, to me it works quite well, but I am left in the dark with my question on Comment 21, as this is an installation issue, not about the working of the item.

This update is only patched, no packaging regressions, so you can OK it and file a bug for the conflict.

Regarding comment 21,
# urpmi --test python2-scipy python3-scipy
ends with
...
Installation is possible
That's with python-2.7.18-1.1.mga7.x86_64 and python3-3.7.9-1.mga7 already installed. OKing and validating the update.
CC: (none) => davidwhodgins, sysadmin-bugs

Thanks for advice. Advisory pushed to SVN.
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0451.html
Status: NEW => RESOLVED