Bug 29042

Summary: python new security issue CVE-2020-27619
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, herman.viaene, ouaurelien, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Source RPM: python-2.7.18-7.mga8.src.rpm CVE:
Status comment:

Description David Walser 2021-05-30 04:38:13 CEST 
Fedora has issued an advisory today (May 29):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-05-30 04:38:30 CEST

Status comment: (none) => Patch available from Fedora
Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 Aurelien Oudelet 2021-05-30 16:13:55 CEST 
Assigning.

Assignee: bugsquad => python
CC: (none) => ouaurelien

Comment 3 David Walser 2021-06-27 22:54:07 CEST 
Advisory:
========================

Updated python packages fix security vulnerability:

In Python3's Lib/test/multibytecodec_support.py CJK codec tests call eval() on
content retrieved via HTTP (CVE-2020-27619).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27619
https://bugzilla.redhat.com/show_bug.cgi?id=1889886
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/
========================

Updated packages in core/updates_testing:
========================
python-2.7.18-1.4.mga7
libpython2.7-2.7.18-1.4.mga7
libpython2.7-stdlib-2.7.18-1.4.mga7
libpython2.7-testsuite-2.7.18-1.4.mga7
libpython-devel-2.7.18-1.4.mga7
python-docs-2.7.18-1.4.mga7
tkinter-2.7.18-1.4.mga7
tkinter-apps-2.7.18-1.4.mga7
python-2.7.18-7.2.mga8
libpython2.7-stdlib-2.7.18-7.2.mga8
libpython-devel-2.7.18-7.2.mga8
tkinter-2.7.18-7.2.mga8
libpython2.7-2.7.18-7.2.mga8
libpython2.7-testsuite-2.7.18-7.2.mga8
tkinter-apps-2.7.18-7.2.mga8
python-docs-2.7.18-7.2.mga8

from SRPMS:
python-2.7.18-1.4.mga7.src.rpm
python-2.7.18-7.2.mga8.src.rpm

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Assignee: python => qa-bugs
Severity: normal => major
Status comment: Patch available from Fedora => (none)
Version: Cauldron => 8

Comment 4 Herman Viaene 2021-07-05 17:21:18 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues
Used test as per bug 28408 Comment 14
$ python
Python 2.7.18 (default, Jun 27 2021, 20:22:35) 
[GCC 8.4.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import urlparse
>>> urlparse.parse_qsl("a=1&b=2&c=3")
[('a', '1'), ('b', '2'), ('c', '3')]
>>> urlparse.parse_qsl("a=1&b=2;c=3")
[('a', '1'), ('b', '2;c=3')]
>>> exit
Use exit() or Ctrl-D (i.e. EOF) to exit
>>> exit()
So OK for this

CC: (none) => herman.viaene
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Comment 5 David Walser 2021-07-08 23:47:44 CEST 
Affected file for this CVE is in lib64python2.7-testsuite package and just cleans up some dangerous code in one of the tests, which isn't terribly interesting.

I tested a simple Python script I wrote (be careful, you have to call Python as Python2 in Mageia 8 now, due to some nonsense we carried over from Fedora) just to make sure it still generally worked, and did, as expected.  OK for x86_64.

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 6 Thomas Andrews 2021-07-09 01:33:17 CEST 
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-07-10 12:08:22 CEST

Keywords: (none) => advisory

Comment 7 Mageia Robot 2021-07-10 14:58:29 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0327.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED