| Summary: | Update request: python3 3.8.11 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Jani Välimaa <jani.valimaa> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | luigiwalser, ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | python3-3.8.9-1.mga8.src.rpm | CVE: | CVE-2021-29921 |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 29084 | | |
Description
Jani Välimaa
2021-07-25 18:41:42 CEST
Per https://bugs.mageia.org/show_bug.cgi?id=29010 [python-pip new security issue fixed upstream in 21.1 (CVE-2021-3572)], the python-pip update was already pushed today with patches for 3 CVEs. Packages come from the new python-pip-20.3.3-3.3.mga8.src.rpm.

Assigning to python group.

Assignee: bugsquad => python

SRPM(S):
python-pip-21.1.3-1.mga8
python-setuptools-56.2.0-1.mga8
python3-3.8.11-1.mga8

RPM(S):
lib(64)python3.8-3.8.11-1.mga8
lib(64)python3.8-stdlib-3.8.11-1.mga8
lib(64)python3.8-testsuite-3.8.11-1.mga8
lib(64)python3-devel-3.8.11-1.mga8
python3-3.8.11-1.mga8
python3-docs-3.8.11-1.mga8
python3-pip-21.1.3-1.mga8
python3-pkg-resources-56.2.0-1.mga8
python3-setuptools-56.2.0-1.mga8
python-pip-wheel-21.1.3-1.mga8
python-setuptools-wheel-56.2.0-1.mga8
tkinter3-3.8.11-1.mga8
tkinter3-apps-3.8.11-1.mga8

Assignee: python => qa-bugs

CVE-2021-29921 patched in python3-3.8.11.1.1.mga8:
https://ubuntu.com/security/notices/USN-4973-1
https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html

This would be a good time to fix Bug 29041 (python-urllib3) too...

Severity: normal => major

mga8, x64
```console
$ rpm -q python
python-2.7.18-7.2.mga8
```

CVE-2021-29921

No specific PoC found in spite of extensive discussion on the web.

If I run perl

```console
$ GET 142.250.187.206
```

it returns lots of HTML code from google.com.
So does this python snippet:

```python
import urllib3

# Plain request by host name; the status and the index page come back.
http = urllib3.PoolManager()
resp = http.request("GET", "google.com")
print(resp.status)
print(resp.data)
```
Replacing google.com by the octal equivalent 0216.372.273.316 results in
"urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='0216.372.273.316', port=80): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f38b0b5cbe0>: Failed to establish a new connection: [Errno -2] Name or service not known'))"
Reverting to decimal in python results in the full index file being returned.
That seems to demonstrate that octal notation was already forbidden which the web discussions indicate has been the case for some time - unless the refusal is applied at the Google server. The lack of a status code implies that the connection is rejected at Google. If a leading zero is used in the decimal string the call simply hangs. So, I do not know how to test this.
Shall update and continue from there.

CC: (none) => tarazed25

```console
$ rpm -q python3
python3-3.8.9-1.mga8
$ rpm -q python3-pip
python3-pip-20.3.3-3.3.mga8
```

After two days' effort I could not get qarepo to work with this update and reverted to urpmi. Everything installed properly. Ran the crude PoC tests with the same results - command hangs. Impossible to draw any conclusions from this other than there is no error response to the leading zero. It is surprising that the leading zero causes trouble with a valid decimal address. If it is not parsed out then maybe it is the lower level software objecting to a triplet which has 4 characters - no idea what goes on under the hood.

Some 90 applications and libraries depend on python. Tried units under strace but could find no sign of python in the trace.

```console
$ urpmq --requires-recursive units
...
lib64python3.8
lib64python3.8-stdlib
...
python-pip-wheel
python-rpm-macros
python-setuptools-wheel
python-srpm-macros
python3
python3-chardet
python3-idna
python3-pkg-resources
python3-requests
python3-rpm-macros
python3-setuptools
python3-six
python3-urllib3
```

It must depend on usage. Better results from isodumper. Wrote an mga8 iso to USB storage and found a host of python references in the trace file. Leaving it there. python is ubiquitous so any regressions should show up in due course. Meanwhile it looks good.

Whiteboard: (none) =>
MGA8-64-OK

```yaml
type: security
subject: Updated python3 packages fix security vulnerabilities
CVE:
  - CVE-2021-29921
src:
  8:
    core:
      - python-pip-21.1.3-1.mga8
      - python-setuptools-56.2.0-1.mga8
      - python3-3.8.11-1.1.mga8
description: |
  Update python3 to 3.8.11 to fix several security issues. Fixes in 3.8.10 are
  also included.

  Bundled pip and setuptools were updated in 3.8.11 so python-pip needs to be
  updated to 21.1.3 and python-setuptools to 56.2.0 at the same time.

  Also, we fix the following issue:

  In Python before 3.9.5, the ipaddress library mishandles leading zero
  characters in the octets of an IP address string. This (in some situations)
  allows attackers to bypass access control that is based on IP addresses
  (CVE-2021-29921).
references:
  - https://bugs.mageia.org/show_bug.cgi?id=29288
  - https://docs.python.org/release/3.8.11/whatsnew/changelog.html#changelog
  - https://docs.python.org/release/3.8.10/whatsnew/changelog.html#changelog
  - https://ubuntu.com/security/notices/USN-4973-1
  - https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html
```

CVE: (none) => CVE-2021-29921

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0386.html

Resolution: (none) => FIXED

This update also fixed CVE-2021-3733 and CVE-2021-3737:
https://ubuntu.com/security/notices/USN-5083-1

This update also fixed CVE-2022-0391:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VIX3AYNDHW6FHW27K63MW4NHDAPUJGKS/

CC: (none) => luigiwalser
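The QA comments above tried to exercise CVE-2021-29921 over the network with urllib3, which only shows DNS failures and hangs. The issue the advisory describes lives in the `ipaddress` module's parser, so it is easier to test in-process. The block below is an added example, not part of this bug report or of the Mageia packages: it reports whether the running interpreter's `ipaddress` still accepts a leading zero in an octet (the unfixed behaviour), shows how the C library's `inet_aton` reads the same string (a leading zero means octal there, which is why two components can disagree about which host a string names), and provides a strict parser that rejects leading-zero octets regardless of Python version. The sample addresses and the function names are constructed for the example.

```python
"""Added example for CVE-2021-29921 (not from the bug report or the package).

Shows the leading-zero octet problem in ipaddress and a strict check that
does not depend on whether the interpreter carries the fix.
"""
import ipaddress
import re
import socket

# Constructed sample inputs: canonical dotted quads next to forms with a
# leading zero in an octet.
SAMPLE_ADDRESSES = ["10.8.8.8", "010.8.8.8", "192.168.001.1", "1.2.3.4", "0.0.0.0"]

# An octet is "0" or a 1-3 digit number with no leading zero.
STRICT_OCTET = re.compile(r"^(0|[1-9][0-9]{0,2})$")


def parse_ipv4_strict(text: str) -> ipaddress.IPv4Address:
    """Parse a dotted quad, refusing any octet written with a leading zero.

    This mirrors the fixed ipaddress behaviour (3.9.5 and distro backports
    such as the Mageia package in this report) on any interpreter, so code
    that compares user-supplied strings against IP allow/deny lists does not
    silently treat "010.8.8.8" as 10.8.8.8 on an unpatched Python.
    """
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected 4 octets: {text!r}")
    for octet in octets:
        if not STRICT_OCTET.match(octet) or int(octet) > 255:
            raise ValueError(f"invalid octet {octet!r} in {text!r}")
    # Only canonical forms reach ipaddress, so all versions agree from here.
    return ipaddress.IPv4Address(text)


def interpreter_accepts_leading_zeros() -> bool:
    """True if this Python's ipaddress still strips leading zeros (unfixed)."""
    try:
        ipaddress.IPv4Address("010.8.8.8")
    except ValueError:
        return False
    return True


def inet_aton_view(text: str) -> str:
    """How the platform C library reads the same string (octal on glibc).

    The value is platform dependent, which is exactly the disagreement the
    advisory's "bypass access control" wording refers to.
    """
    return socket.inet_ntoa(socket.inet_aton(text))


def classify(addresses):
    """Map each sample string to 'ok' or 'rejected' under the strict parser."""
    verdicts = {}
    for addr in addresses:
        try:
            parse_ipv4_strict(addr)
            verdicts[addr] = "ok"
        except ValueError:
            verdicts[addr] = "rejected"
    return verdicts


if __name__ == "__main__":
    print("ipaddress accepts leading zeros:", interpreter_accepts_leading_zeros())
    print("inet_aton reads 010.8.8.8 as:", inet_aton_view("010.8.8.8"))
    for addr, verdict in classify(SAMPLE_ADDRESSES).items():
        print(f"{addr:>15}  {verdict}")
```

Running the block on an interpreter without the fix prints `True` on the first line and, on glibc, `8.8.8.8` on the second: the two parsers name different hosts for one string. The strict parser rejects `010.8.8.8` and `192.168.001.1` either way, which is the property an access-control check needs.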