Bug 30848

Summary: python3 new security issues CVE-2020-10735 and CVE-2021-28861
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, jani.valimaa, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: python3-3.10.6-2.mga9.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 30572, 30929    

Description David Walser 2022-09-14 00:06:32 CEST 
Fedora has issued an advisory today (September 13):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2VCU6EVQDIXNCEDJUCTFIER2WVNNDTYZ/

The issue is fixed upstream in 3.8.14 and 3.10.7.

Mageia 8 is also affected.
David Walser 2022-09-14 00:07:08 CEST

Blocks: (none) => 30572
Status comment: (none) => Fixed upstream in 3.8.14 and 3.10.7
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-09-14 00:07:33 CEST 
Upstream announcement from September 7:
https://pythoninsider.blogspot.com/2022/09/python-releases-3107-3914-3814-and-3714.html
Comment 2 David Walser 2022-09-21 17:50:57 CEST 
A note about this issue:
https://www.openwall.com/lists/oss-security/2022/09/21/1
Comment 3 David Walser 2022-09-22 14:18:45 CEST 
Fedora has issued an advisory today (September 22):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OKYE2DOI2X7WZXAWTQJZAXYIWM37HDCY/

The issue is fixed upstream in 3.8.14 and 3.10.6.

Summary: python3 new security issue CVE-2020-10735 => python3 new security issues CVE-2020-10735 and CVE-2021-28861

Comment 4 David Walser 2022-09-23 18:11:05 CEST 
(In reply to David Walser from comment #3)
> Fedora has issued an advisory today (September 22):
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/OKYE2DOI2X7WZXAWTQJZAXYIWM37HDCY/
> 
> The issue is fixed upstream in 3.8.14 and 3.10.6.

Ubuntu has issued an advisory for this on September 22:
https://ubuntu.com/security/notices/USN-5629-1
Comment 5 David Walser 2022-09-30 20:49:35 CEST 
openSUSE has issued an advisory for this today (September 30):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LSVFIZF6ZYMLK2HRCPTYDPZM3P6NDQKU/
Comment 6 Jani Välimaa 2022-10-03 19:55:11 CEST 
Fixed in cauldron with python 3.10.7.

CC: (none) => jani.valimaa

Comment 7 Jani Välimaa 2022-10-03 20:01:56 CEST Comment hidden (obsolete)

Assignee: python => qa-bugs

Jani Välimaa 2022-10-03 20:09:13 CEST

Blocks: (none) => 30929

Comment 8 David Walser 2022-10-03 22:00:32 CEST 
Does this also fix Bug 30572?

Status comment: Fixed upstream in 3.8.14 and 3.10.7 => (none)

Comment 9 Jani Välimaa 2022-10-04 10:08:29 CEST Comment hidden (obsolete)
Comment 10 Jani Välimaa 2022-10-04 10:09:23 CEST 
(In reply to David Walser from comment #8)
> Does this also fix Bug 30572?

Unfortunately no, but I have now pushed python3-3.8.14-1.1.mga8 to core/udpates_testing to also include fix for bug 30572. python-pip is updated to match bundled pip version in updated python3.

SRPMS:
python-pip-22.0.4-1.mga8
python3-3.8.14-1.1.mga8

RPMS:
lib(64)python3.8-3.8.14-1.1.mga8
lib(64)python3.8-stdlib-3.8.14-1.1.mga8
lib(64)python3.8-testsuite-3.8.14-1.1.mga8
lib(64)python3-devel-3.8.14-1.1.mga8
python3-3.8.14-1.1.mga8
python3-docs-3.8.14-1.1.mga8
python3-pip-22.0.4-1.mga8
python-pip-wheel-22.0.4-1.mga8
tkinter3-3.8.14-1.1.mga8
tkinter3-apps-3.8.14-1.1.mga8
David Walser 2022-10-04 13:19:18 CEST

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 11 Herman Viaene 2022-10-05 16:27:04 CEST 
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Testing according wiki
$ python3 /usr/share/doc/python3-ply/example/calc/calc.py 
WARNING: Couldn't open 'parser.out'. [Errno 13] Permission denied: '/usr/share/doc/python3-ply/example/calc/parser.out'
Generating LALR tables
WARNING: Couldn't create 'parsetab'. [Errno 13] Permission denied: '/usr/share/doc/python3-ply/example/calc/parsetab.py'
calc > a=5
calc > b=6
calc > a*b
30
exit with CTRL-D
On the warnings:
first one: the referenced file does not exist
second: indeed no write-acess on this folder.
The update seems to function OK, but leaving others to judge on this warnings.

CC: (none) => herman.viaene

Comment 12 Len Lawrence 2022-10-05 19:15:59 CEST 
Tried the test as root and as expected it worked without the parsetab error message.  
$ sudo python /usr/share/doc/python3-ply/example/calc/calc.
Generating LALR tables
calc >
....

As it does not seem to need parsetab when run as a user just ignore it and give the OK.

CC: (none) => tarazed25

Herman Viaene 2022-10-06 19:47:16 CEST

Whiteboard: (none) => MGA8-64-OK

Comment 13 Thomas Andrews 2022-10-07 03:13:20 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-10-08 19:35:21 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 14 Mageia Robot 2022-10-08 22:23:42 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0359.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED