Bug 33354

Summary: python-js2py new security issue CVE-2024-28397
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, geiger.david68210, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: python-js2py-0.74-1.mga10.src.rpm CVE: CVE-2024-28397
Status comment: Patch available from openSUSE

Description Nicolas Salguero 2024-07-02 15:00:33 CEST 
SUSE has issued an advisory on July 2:
https://lwn.net/Articles/980387/

Mageia 9 is also affected.
Comment 1 Nicolas Salguero 2024-07-02 15:04:17 CEST 
It seems the following link also provides a patch:
https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape

Source RPM: (none) => python-js2py-0.74-1.mga10.src.rpm
Status comment: (none) => Patch available from openSUSE
CVE: (none) => CVE-2024-28397

Nicolas Salguero 2024-07-02 15:04:25 CEST

Whiteboard: (none) => MGA9TOO

Comment 2 Lewis Smith 2024-07-03 21:52:37 CEST 
The patch link above is unclear, but I think this is the patch 'fix.py':
https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape/blob/main/fix.py

Assigning to Python people.

Assignee: bugsquad => python

Comment 3 Nicolas Salguero 2024-07-03 22:50:12 CEST 
According to the fix section of the readme, to patch the source code, the needed file is patch.txt.
Comment 4 David GEIGER 2024-07-04 14:17:28 CEST 
Done for both mga9 and cauldron!

Whiteboard: MGA9TOO => (none)
CC: (none) => geiger.david68210
Version: Cauldron => 9

Comment 5 David GEIGER 2024-07-04 14:18:30 CEST 
Assigning to QA,

Package in 9/Core/Updates_testing:
=====================
python3-js2py-0.70-3.1.mga9.noarch.rpm

From SRPMS:
python-js2py-0.70-3.1.mga9.src.rpm

Assignee: python => qa-bugs

katnatek 2024-07-04 18:32:23 CEST

Keywords: (none) => advisory

Comment 6 katnatek 2024-07-05 01:45:39 CEST 
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing python3-js2py-0.70-3.1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: python3-js2py         ##################################################################################################
      1/1: removing python3-js2py-0.70-3.mga9.noarch

Not sure how to test
                                 ##################################################################################################

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 7 Thomas Andrews 2024-07-05 04:58:45 CEST 
According to the description in MCC, this is used to translate javascript to python. Sounds like developer territory to me.

Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2024-07-05 18:29:16 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0256.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED