| Summary: | python3 new security issue CVE-2012-2135 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, fundawang, guillomovitch, n54, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/506376/ | ||
| Whiteboard: | MGA2-32-OK MGA2-64-OK | ||
| Source RPM: | python3-3.2.3-1.mga2.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | test.py script | ||
Description
David Walser
2012-07-11 21:58:14 CEST
David Walser
2012-07-11 21:58:25 CEST
CC:
(none) =>
fundawang
David Walser
2012-07-11 21:58:34 CEST
CC:
(none) =>
guillomovitch
David Walser
2012-07-11 21:58:43 CEST
Whiteboard:
(none) =>
MGA2TOO
David Walser
2012-07-13 21:18:39 CEST
CC:
(none) =>
n54

I found the patch OpenSuSE used to fix this.

python-3.2-CVE-2012-2135.patch in python3-3.2.1-5.9.1.src.rpm

I also found an upstream patch which added some tests to the built-in testsuite.
http://hg.python.org/cpython/raw-rev/118fe0ee6921

Finally, I found some code that's supposed to be a reproducer.

    k = len(b'\x00\x01\x00\x00'.decode('utf-32be'))
    for i in range(1000):
        print(i, ascii((b'\xD8\x00\xDC\x00' * i + b'\xDC\x00' + b'\x00>' * 2).decode('utf-16be', 'ignore')[i * k:]))

    k = len(b'\x00\x01\x00\x00'.decode('utf-32be'))
    for i in range(1000):
        print(i, str((b'\xD8\x00\xDC\x00' * i + b'\xDC\x00' + b'\x00>' * 2).decode('utf-16be', 'ignore')[i * k:]))

From the upstream discussion and the Debian bug:
http://bugs.python.org/issue14579
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670389

Patched package uploaded for Mageia 2 and Cauldron.

Note to QA: there is a built-in test suite run during build which was enhanced to check that this is fixed. I also posted what are supposed to be reproducers for the issue (haven't tested them myself) in Comment 1.

Advisory:
========================

Updated python3 packages fix security vulnerability:

In the utf-16 decoder after calling unicode_decode_call_errorhandler aligned_end is not updated. This may potentially cause data leaks, memory damage, and crash (CVE-2012-2135).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2135
http://lists.opensuse.org/opensuse-updates/2012-07/msg00022.html
========================

Updated packages in core/updates_testing:
========================
python3-3.2.3-1.3.mga2
libpython3.2-3.2.3-1.3.mga2
libpython3-devel-3.2.3-1.3.mga2
python3-docs-3.2.3-1.3.mga2
tkinter3-3.2.3-1.3.mga2
tkinter3-apps-3.2.3-1.3.mga2

from python3-3.2.3-1.3.mga2.src.rpm
Version:
Cauldron =>
2
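The advisory above describes the bug as the UTF-16 decoder's error path failing to update aligned_end after unicode_decode_call_errorhandler runs, and the reproducer drives exactly that path with lone surrogates under the 'ignore' error handler. The following is an added regression check written for this page; it is not code from the bug report, from Mageia, or from CPython's test suite. It assumes a Python 3 interpreter (bytes.decode and the codecs incremental decoder are the only APIs used) and feeds the decoder constructed inputs that invoke the error handler, checking that a patched interpreter returns the text the documented UTF-16 error semantics require (a lone or truncated surrogate is one 2-byte error unit: 'ignore' drops it, 'replace' substitutes a single U+FFFD) rather than corrupt output or a crash. It also runs a bounded form of the report's reproducer and exercises the incremental decoder, which the report does not cover.

```python
"""Regression check for the UTF-16 decoder error path behind CVE-2012-2135.

Added example, not code from the bug report, Mageia or CPython. It drives
the decoder through inputs that invoke the error handler (lone or truncated
surrogates) and checks that the running interpreter returns the expected
text for every error mode.
"""
import codecs

# Constructed big-endian UTF-16 samples:
# (raw bytes, expected result with 'ignore', expected result with 'replace')
SAMPLES = [
    # lone low surrogate DC00 followed by '>'
    (b'\xdc\x00\x00>', '>', '\ufffd>'),
    # high surrogate D800 followed by a non-surrogate 'A'
    (b'\xd8\x00\x00A', 'A', '\ufffdA'),
    # valid pair D800 DC00 (U+10000), then lone DC00, then '>>':
    # the shape of the reproducer in the bug report
    (b'\xd8\x00\xdc\x00\xdc\x00\x00>\x00>', '\U00010000>>', '\U00010000\ufffd>>'),
    # 'A' followed by a high surrogate cut off at end of input
    (b'\x00A\xd8\x00', 'A', 'A\ufffd'),
]


def check_samples():
    """Return one (strict_raised, ignore_ok, replace_ok) triple per sample."""
    results = []
    for raw, want_ignore, want_replace in SAMPLES:
        strict_raised = False
        try:
            raw.decode('utf-16be', 'strict')
        except UnicodeDecodeError:
            strict_raised = True
        ignore_ok = raw.decode('utf-16be', 'ignore') == want_ignore
        replace_ok = raw.decode('utf-16be', 'replace') == want_replace
        results.append((strict_raised, ignore_ok, replace_ok))
    return results


def run_reproducer(limit=200):
    """Bounded form of the report's reproducer: return the text left after
    slicing off the i decoded astral characters. A correct decoder leaves
    exactly '>>' every time, whatever the build's str width."""
    # 1 on wide / PEP 393 builds, 2 on narrow Python 3.2 builds
    k = len(b'\x00\x01\x00\x00'.decode('utf-32be'))
    tails = []
    for i in range(limit):
        data = b'\xd8\x00\xdc\x00' * i + b'\xdc\x00' + b'\x00>' * 2
        tails.append(data.decode('utf-16be', 'ignore')[i * k:])
    return tails


def incremental_pieces():
    """Feed the incremental decoder a pair split across calls, then a lone
    low surrogate, so the error handler runs mid-stream as well."""
    dec = codecs.getincrementaldecoder('utf-16be')('replace')
    return [
        dec.decode(b'\xd8\x00'),          # incomplete pair is buffered: ''
        dec.decode(b'\xdc\x00'),          # completes U+10000
        dec.decode(b'\xdc\x00\x00>'),     # lone DC00 replaced, then '>'
        dec.decode(b'', final=True),      # nothing left over
    ]


def decoder_ok():
    """True when every check passes on the running interpreter."""
    return (all(all(r) for r in check_samples())
            and all(t == '>>' for t in run_reproducer())
            and incremental_pieces() == ['', '\U00010000', '\ufffd>', ''])


if __name__ == '__main__':
    print('utf-16 decoder checks:', 'PASS' if decoder_ok() else 'FAIL')
```

Running the file against the updated package should print PASS; on an interpreter with the unpatched decoder the reproducer loop is where misbehaviour shows up, so decoder_ok() is the single value a QA script can key on.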
David Walser
2012-08-08 22:38:33 CEST
Severity:
normal =>
major

Created attachment 2624 [details]
test.py script

I've put the commands to create the crash in a file.

I've recreated the crash on Mageia 2 i586, and will now test the update.

Testing complete on Mageia 2 i586. I'll test Mageia 2 x86-64 shortly.
CC:
(none) =>
davidwhodgins

On x86-64, I get the segfault before and after installing the update.

Was the patch applied to the x86-64 version? I notice the platform is set to i586 above.
Dave Hodgins
2012-08-09 01:24:03 CEST
Whiteboard:
MGA2-32-OK =>
MGA2-32-OK feedback

(In reply to comment #5)
> On x86-64, I get the segfault before and after installing
> the update.
>
> Was the patch applied to the x86-64 version? I notice
> the platform is set to i586 above.

Bugzilla always sets it to i586, I don't pay any attention to that. The patches are applied unconditionally.

It looks like OpenSuSE used an older version of the patch proposed upstream. I'll try the newer version tomorrow.

Ignore comment 5. I'd used urpmi to install the update, and missed lib64python3.2.

Could someone from the sysadmin team push the srpm python3-3.2.3-1.3.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated python3 packages fix security vulnerability:

In the utf-16 decoder after calling unicode_decode_call_errorhandler aligned_end is not updated. This may potentially cause data leaks, memory damage, and crash (CVE-2012-2135).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2135
http://lists.opensuse.org/opensuse-updates/2012-07/msg00022.html
https://bugs.mageia.org/show_bug.cgi?id=6759
Keywords:
(none) =>
validated_update

Did you try changing ascii to str in the reproducer to see if that works OK too?

(In reply to comment #9)
> Did you try changing ascii to str in the reproducer to see if that works OK
> too?

Missed that. Just tested both i586 and x86 with the updated version, and they both work. I think it's safe to skip confirming it segfaults the release version.

(In reply to comment #10)
> (In reply to comment #9)
> > Did you try changing ascii to str in the reproducer to see if that works OK
> > too?
>
> Missed that. Just tested both i586 and x86 with the updated version, and
> they both work. I think it's safe to skip confirming it segfaults the
> release version.

Yes, of course. Thanks Dave!

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0208
Status:
NEW =>
RESOLVED