Bug 30051

Summary: python-rencode new security issue CVE-2021-40839
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, mageia, sysadmin-bugs, yvesbrungard
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: python-rencode-1.0.6-4.mga9.src.rpm CVE:
Status comment:

Description David Walser 2022-02-15 14:34:43 CET 
Fedora has issued an advisory today (February 15):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MCLETLGVM5DBX6QNHQFW6TWGO5T3DENY/

Mageia 8 is also affected.
David Walser 2022-02-15 14:36:00 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from Fedora

Comment 1 Nicolas Lécureuil 2022-05-03 09:13:50 CEST 
pushed by papoteur in mga8:


src.rpm:
        - python-rencode-1.0.6-2.1.mga8

Status comment: Patch available from Fedora => (none)
Assignee: python => qa-bugs
CC: (none) => mageia

Nicolas Lécureuil 2022-05-03 09:14:01 CEST

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 2 papoteur 2022-05-03 09:37:35 CEST 
I don't know how to test it.
This package is used by deluge, a bittorrent client.

CC: (none) => yves.brungard_mageia

Comment 3 David Walser 2022-05-03 15:06:03 CEST 
RPM:
python3-rencode-1.0.6-2.1.mga8
Comment 4 Herman Viaene 2022-05-11 14:04:57 CEST 
MGA8-64 Plasma on Lenovo B50 in Dutch.
No installation issues.
Took hint from papoteur, put a trace on deluge and used this one to access a torrent download file from LibreOffice.org.
$ strace -o ptyhrencodetxt deluge

That worked OK and in thetrace file I found multiple references to the python3-rencode files.
OK for me.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2022-05-11 14:16:57 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Dave Hodgins 2022-05-11 23:09:05 CEST 
Advisory committed to svn as ...
type: security
subject: Updated python-rencode packages fix security vulnerability
CVE:
 - CVE-2021-40839
src:
  8:
   core:
     - python-rencode-1.0.6-2.1.mga8
description: |
  The rencode package through 1.0.6 for Python allows an infinite loop in
  typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that
  consumes CPU and memory. (CVE-2021-40839)
references:
 - https://bugs.mageia.org/show_bug.cgi?id=30051
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MCLETLGVM5DBX6QNHQFW6TWGO5T3DENY/

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2022-05-12 12:25:52 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0167.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED