| Summary: | python, python3 new security issue CVE-2021-23336 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, jani.valimaa, mageia, ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7TOO MGA7-64-OK MGA8-64-OK MGA7-32-OK MGA8-32-OK | ||
| Source RPM: | python3-3.8.7-1.mga8.src.rpm python-2.7.18-6.mga8.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser, 2021-02-23 02:14:38 CET

David Walser, 2021-02-23 02:14:46 CET
Whiteboard: (none) => MGA8TOO, MGA7TOO

Hi, thanks for reporting this. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
Assignee: bugsquad => python

python3-3.8.8-1.mga9 uploaded for Cauldron by Jani.
CC: (none) => jani.valimaa

Jani has also built a python3 update for Mageia 7 and Mageia 8; python update still needed.

python3-3.7.10-1.mga7
libpython3.7-3.7.10-1.mga7
libpython3.7-stdlib-3.7.10-1.mga7
libpython3.7-testsuite-3.7.10-1.mga7
libpython3-devel-3.7.10-1.mga7
python3-docs-3.7.10-1.mga7
tkinter3-3.7.10-1.mga7
tkinter3-apps-3.7.10-1.mga7

python3-3.8.8-1.mga8
libpython3.8-stdlib-3.8.8-1.mga8
libpython3.8-3.8.8-1.mga8
libpython3-devel-3.8.8-1.mga8
tkinter3-apps-3.8.8-1.mga8
tkinter3-3.8.8-1.mga8
libpython3.8-testsuite-3.8.8-1.mga8
python3-docs-3.8.8-1.mga8

Fedora has issued an advisory for python3 on February 20:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/

and on February 24 (previous was 3.7, this is 3.8):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/

Fixed in mga9
Pushed in mga7/8
src:
- python-2.7.18-1.3.mga7
- python-2.7.18-7.1.mga8
Assignee: python => qa-bugs
Aurelien Oudelet, 2021-03-04 22:14:22 CET
Version: Cauldron => 8

Python 2 RPMs (Python 3 in Comment 3):

python-2.7.18-1.3.mga7
libpython2.7-2.7.18-1.3.mga7
libpython2.7-stdlib-2.7.18-1.3.mga7
libpython2.7-testsuite-2.7.18-1.3.mga7
libpython-devel-2.7.18-1.3.mga7
python-docs-2.7.18-1.3.mga7
tkinter-2.7.18-1.3.mga7
tkinter-apps-2.7.18-1.3.mga7

python-2.7.18-7.1.mga8
tkinter-apps-2.7.18-7.1.mga8
libpython2.7-testsuite-2.7.18-7.1.mga8
python-docs-2.7.18-7.1.mga8
libpython2.7-2.7.18-7.1.mga8
libpython2.7-stdlib-2.7.18-7.1.mga8
libpython-devel-2.7.18-7.1.mga8
tkinter-2.7.18-7.1.mga8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

Advisory:
========================

Updated python and python3 packages fix security vulnerability:

The package python/cpython is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter (CVE-2021-23336).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23336
https://blog.python.org/2021/02/python-392-and-388-are-now-available.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/

Using QARepo with the list of Comment 7, I seem to miss the python-2.7.18-1.3.mga7 and lib64python-devel-2.7.18-1.3.mga7 packages.
CC: (none) => herman.viaene

mga8, x64

CVE-2021-23336
https://bugs.python.org/issue42967

Simple test, before update:

```
$ python
>>> import urllib
>>> import urllib.parse
>>> urllib.parse.parse_qsl("a=1&b=2&c=3")
[('a', '1'), ('b', '2'), ('c', '3')]
>>> urllib.parse.parse_qsl("a=1&b=2;c=3")
[('a', '1'), ('b', '2;c=3')]
>>> exit()
```

Could not figure out how to use urllib in python2:

```
>>> import urllib.parse
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: No module named parse
```
CC: (none) => tarazed25

It is called urlparse in python2.

```
$ python2
>>> import urlparse
>>> urlparse.parse_qsl("a=1&b=2&c=3")
[('a', '1'), ('b', '2'), ('c', '3')]
>>> urlparse.parse_qsl("a=1&b=2;c=3")
[('a', '1'), ('b', '2'), ('c', '3')]
```

So the issue had been fixed in python3 before the update but not in python2.

Updating:
- lib64python-devel-2.7.18-7.1.mga8.x86_64
- lib64python2.7-2.7.18-7.1.mga8.x86_64
- lib64python2.7-stdlib-2.7.18-7.1.mga8.x86_64
- lib64python2.7-testsuite-2.7.18-7.1.mga8.x86_64
- lib64python3-devel-3.8.8-1.mga8.x86_64
- lib64python3.8-3.8.8-1.mga8.x86_64
- lib64python3.8-stdlib-3.8.8-1.mga8.x86_64
- lib64python3.8-testsuite-3.8.8-1.mga8.x86_64
- python-2.7.18-7.1.mga8.x86_64
- python3-3.8.8-1.mga8.x86_64
- python3-docs-3.8.8-1.mga8.noarch
- tkinter-2.7.18-7.1.mga8.x86_64
- tkinter-apps-2.7.18-7.1.mga8.x86_64
- tkinter3-3.8.8-1.mga8.x86_64
- tkinter3-apps-3.8.8-1.mga8.x86_64

Ran tests again:

```
$ python
>>> urllib.parse.parse_qsl("a=1&b=2;c=3")
[('a', '1'), ('b', '2;c=3')]
$ python2
>>> urlparse.parse_qsl("a=1&b=2;c=3")
[('a', '1'), ('b', '2;c=3')]
```

The issue is fixed in both versions of python for Mageia 8. Going to pass this on the basis of successful bugfix and clean install.
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK

mga7, x64

In Mageia 7 python2.7 is the default, so python is used and python3 needs to be used for python3.7. Installed the packages listed, ran the simple interactive session tests to demonstrate the fault. Updated all the packages, then ran the tests again. These showed that the vulnerability had been eliminated.

```
$ python
Python 2.7.18 (default, Mar  4 2021, 21:08:30)
[GCC 8.4.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import urlparse
>>> urlparse.parse_qsl("a=1&b=2&c=3")
[('a', '1'), ('b', '2'), ('c', '3')]
>>> urlparse.parse_qsl("a=1&b=2;c=3")
[('a', '1'), ('b', '2;c=3')]
>>> exit()
```

Since python is everywhere and the system functions as normal, this should be enough to pass the update.
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

(In reply to Herman Viaene from comment #9)
> Using QARepo with the list of Comment 7, I seem to miss the
> python-2.7.18-1.3.mga7 and lib64python-devel-2.7.18-1.3.mga7 packages.

64-bit Plasma mga7 and mga8 systems, on AMD hardware. Using a combination of the lists in Comment 3 and Comment 7, making sure to use only mga7 packages in mga7 and mga8 in mga8, I did not see the problem you saw, Herman. Using the test delineated in the last sentence of Comment 14, this hardware tests out OK on both releases, too.
CC: (none) => andrewsfarm

As long as Foolishness (Dell Inspiron 5100, P4, Radeon RV200 graphics, Atheros-based wifi, 32-bit Xfce4 systems) had a full head of steam going in order to test other updates, I thought I'd check this one out, too. Tested on both mga7 and mga8, using qarepo and the package lists of Comment 3 and Comment 7. No installation issues. Did a reboot each time, just because it seemed like the best thing to do. Using the test from Comment 15, it looks OK for 32-bit.

I'm going to go ahead and validate this one. Advisory in Comment 8.
CC: (none) => sysadmin-bugs
Thomas Backlund, 2021-04-02 10:47:00 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0165.html
Resolution: (none) => FIXED
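The advisory quoted above describes parameter cloaking, and the QA comments show only the raw `parse_qsl` return values before and after the update. The example below is an added illustration, not code from this bug report, from Mageia or from CPython: it models both sides of the request path so the cache-key consequence is visible. `legacy_parse_qsl` re-implements the pre-fix split rule (both `&` and `;` end a pair) for the vulnerable backend; `fixed_parse_qsl` calls the stdlib and therefore needs an interpreter carrying the fix (3.8.8+/3.9.2+ or the backported packages in this update). The proxy's set of unkeyed parameters, the `/api/data` path and the JSONP-style `callback` reflection are constructed for the demonstration.

```python
from urllib.parse import parse_qsl, unquote_plus, urlencode

# Constructed for the example: parameters a default-configured cache leaves out
# of its key (tracking parameters are the classic case).
UNKEYED_PARAMS = {"utm_source", "utm_content"}


def legacy_parse_qsl(qs):
    """Pre-fix split rule: both '&' and ';' end a name=value pair.

    Re-implemented here to model the behaviour the advisory describes; this is
    not the CPython source. Percent-decoding mirrors parse_qsl (unquote_plus).
    """
    pairs = [s2 for s1 in qs.split("&") for s2 in s1.split(";")]
    result = []
    for pair in pairs:
        if not pair:
            continue
        name, _, value = pair.partition("=")
        result.append((unquote_plus(name), unquote_plus(value)))
    return result


def fixed_parse_qsl(qs):
    """Post-fix stdlib behaviour: only '&' separates pairs (default 'separator').

    Assumes a Python with the CVE-2021-23336 fix; on older interpreters this
    call behaves like legacy_parse_qsl.
    """
    return parse_qsl(qs, keep_blank_values=True)


def cache_key(path, query):
    """Cache key as the proxy computes it: split on '&' only, drop unkeyed params.

    A ';' inside a value is invisible to the proxy, so anything cloaked behind an
    unkeyed parameter never reaches the key.
    """
    keyed = [(n, v) for n, v in parse_qsl(query, keep_blank_values=True)
             if n not in UNKEYED_PARAMS]
    return path + ("?" + urlencode(sorted(keyed)) if keyed else "")


def backend_response(query, parser):
    """Constructed JSONP-style endpoint that reflects its 'callback' parameter."""
    params = dict(parser(query))
    return params.get("callback", "defaultCb") + '({"ok": true})'


def fetch_through_cache(path, query, parser, cache):
    """Proxy logic: serve from cache when the key is known, else ask the backend."""
    key = cache_key(path, query)
    if key not in cache:
        cache[key] = backend_response(query, parser)
    return cache[key]


def poisoning_attempt(parser):
    """Attacker primes the cache, then a victim requests the same resource.

    Returns what the victim receives. With legacy_parse_qsl the backend sees a
    'callback' parameter the proxy never saw, and the reflected value is cached
    under the key every benign request for /api/data maps to.
    """
    cache = {}
    attacker_query = "utm_content=x;callback=alert(1)//"
    fetch_through_cache("/api/data", attacker_query, parser, cache)
    victim_query = "utm_content=spring"
    return fetch_through_cache("/api/data", victim_query, parser, cache)


if __name__ == "__main__":
    print("vulnerable backend:", poisoning_attempt(legacy_parse_qsl))
    print("fixed backend:     ", poisoning_attempt(fixed_parse_qsl))
```

The proxy side deliberately uses the fixed `parse_qsl`: it stands in for any front-end component that splits only on `&`. The defect is the disagreement between two parsers on one request, so the same poisoning works against any backend that still honours `;`. After the update the backend sees a single `utm_content` value and the victim gets the unpoisoned response; an application that genuinely needs `;` as a separator must pass `separator=";"` explicitly and build its cache key with the same rule.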