Bug 29494

Summary: python new security issues CVE-2021-373[37]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, mageia, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: python-2.7.18-7.mga8.src.rpm CVE:
Status comment:

Description David Walser 2021-09-26 19:59:24 CEST 
Fedora has issued an advisory on September 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/P42EPKPLOWC5QVIWT7H7BICKHXWJ3MUN/

Mageia 8 is also affected.
David Walser 2021-09-26 19:59:35 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from Fedora

Comment 1 Nicolas Lécureuil 2021-09-27 17:32:00 CEST 
Already fixed in our mga8 3.8.12.

Whiteboard: MGA8TOO => (none)
CC: (none) => mageia

Comment 2 David Walser 2021-09-27 18:38:50 CEST 
This is for python, not python3.

Whiteboard: (none) => MGA8TOO

Comment 3 Nicolas Lécureuil 2021-09-28 09:23:59 CEST 
oh well seen :-) sorry
Comment 4 Nicolas Lécureuil 2021-09-29 17:25:17 CEST 
fixed in cauldron and mga8:

src:
    - python-2.7.18-7.3.mga8

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: python => qa-bugs
Status comment: Patches available from Fedora => (none)

Comment 5 David Walser 2021-09-29 17:47:18 CEST 
Build failed in Cauldron.

RPMS list for Mageia 8:
python-2.7.18-7.3.mga8
tkinter-apps-2.7.18-7.3.mga8
libpython2.7-2.7.18-7.3.mga8
tkinter-2.7.18-7.3.mga8
libpython-devel-2.7.18-7.3.mga8
libpython2.7-stdlib-2.7.18-7.3.mga8
libpython2.7-testsuite-2.7.18-7.3.mga8
python-docs-2.7.18-7.3.mga8

from python-2.7.18-7.3.mga8.src.rpm
Comment 6 Herman Viaene 2021-09-30 14:56:36 CEST 
MGA8-64 Plasma on Lenovo B50
No installation issues. There was no python before on this laptop.
ref bug28408 Comment 14 for testing, but something seems to be missing:
$ python
Python 3.8.12 (default, Sep 12 2021, 19:57:22) 
[GCC 10.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import urlparse
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ModuleNotFoundError: No module named 'urlparse'

CC: (none) => herman.viaene

Comment 7 David Walser 2021-09-30 15:54:19 CEST 
That's python3 that you just ran.  Try python2.
Comment 8 Herman Viaene 2021-09-30 16:04:13 CEST 
I  stand corrected
$ python2
Python 2.7.18 (default, Sep 29 2021, 15:24:05) 
[GCC 10.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import urlparse
>>> urlparse.parse_qsl("a=1&b=2&c=3")
[('a', '1'), ('b', '2'), ('c', '3')]
>>> urlparse.parse_qsl("a=1&b=2;c=3")
[('a', '1'), ('b', '2;c=3')]
>>> exit()

Seems OK now.

Whiteboard: (none) => MGA8-64-OK

Comment 9 Len Lawrence 2021-09-30 17:02:29 CEST 
As a matter of interest I tried the PoC for CVE-2021-3737.
https://bugs.python.org/issue44022

Copied the client.py and evil_server.py scripts.  Had to edit them in a couple of places tp obtain the urllib module.

Before updating:
Ran the evil_server in a terminal and the client in another and the client locked up without any output.

After updating:
Set evil_server running then the client.
$ python2 client.py
Traceback (most recent call last):
  File "client.py", line 4, in <module>
    response = urllib2.urlopen( req, timeout=1 )
  File "/usr/lib64/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib64/python2.7/urllib2.py", line 429, in open
    response = self._open(req, data)
  File "/usr/lib64/python2.7/urllib2.py", line 447, in _open
    '_open', req)
  File "/usr/lib64/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/usr/lib64/python2.7/urllib2.py", line 1228, in http_open
    return self.do_open(httplib.HTTPConnection, req)
  File "/usr/lib64/python2.7/urllib2.py", line 1201, in do_open
    r = h.getresponse(buffering=True)
  File "/usr/lib64/python2.7/httplib.py", line 1191, in getresponse
    response.begin()
  File "/usr/lib64/python2.7/httplib.py", line 475, in begin
    skipped_headers = _read_headers(self.fp)
  File "/usr/lib64/python2.7/httplib.py", line 381, in _read_headers
    raise HTTPException("got more than %d headers" % _MAXHEADERS)
httplib.HTTPException: got more than 100 headers

evil_server.py reported:
Process Process-1:
Traceback (most recent call last):
  File "/usr/lib64/python2.7/multiprocessing/process.py", line 267, in _bootstrap
    self.run()
  File "/usr/lib64/python2.7/multiprocessing/process.py", line 114, in run
    self._target(*self._args, **self._kwargs)
  File "evil_server.py", line 12, in dealWithClient
    newSocket.send( b"""x:a\n""" )
error: [Errno 104] Connection reset by peer

The result was instantaneous.  Looks like the attack was frustrated.

CC: (none) => tarazed25

Comment 10 Thomas Andrews 2021-10-02 05:45:34 CEST 
And so once again, Good triumphs over Evil, and all is Right with the World.

By all means, this must be validated.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-10-02 19:44:51 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 11 Mageia Robot 2021-10-02 20:59:05 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0457.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED