Bug 10989 - python new security issue CVE-2013-4238
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/564820/
: MGA2TOO has_procedure mga3-64-ok mga2...
: validated_update
: 10391
: 10102
Reported: 2013-08-13 03:15 CEST by David Walser
Modified: 2013-08-26 21:12 CEST
Source RPM: python

Description David Walser 2013-08-13 03:15:45 CEST
A CVE has been assigned to Python upstream issue 18709:
http://bugs.python.org/issue18709

Proposed patches to fix it have been attached to the upstream issue report.

Oden has added these patches in Cauldron, as well as Mageia 2 and Mageia 3.

Note that there is also a PoC attached to the upstream issue report.

Given the mention of ssl.match_hostname on the upstream issue report, I wonder if this is related to CVE-2013-2099 (Bug 10391).

I'm not assigning this to QA just yet, as discussion of this is continuing as we speak on the upstream issue report.

If it's decided to go ahead with these patches, we'll fix CVE-2013-2099 for python3 in the process, as the patch for that was already in SVN.

Comment 1 Oden Eriksson 2013-08-13 07:40:42 CEST
A CVE was assigned as CVE-2013-4073 was for ruby.

New CVE is CVE-2013-4238 as of:

http://www.openwall.com/lists/oss-security/2013/08/13/2
Comment 2 Philippe Makowski 2013-08-13 12:12:42 CEST
So we should release an update for python and python3 for mga 3 with the patch included?
If yes, I can take care of it and at the same time fix mga 10102 for Python 3.
Comment 3 David Walser 2013-08-13 13:19:37 CEST
Oden, thanks for updating the correct CVE number.

Philippe, the patch(es) for this are already committed, so if there are any further fixes you want to commit, go ahead, and we can fix this one with the same update.
Comment 4 Philippe Makowski 2013-08-13 13:52:31 CEST
Done for mga3 rev 466128, this should fix MGA#10102.
Comment 5 Philippe Makowski 2013-08-14 21:25:05 CEST
python3-3.3.0-4.3.mga3 is in update testing.
I guess that Oden did all the other builds needed.
Comment 6 David Walser 2013-08-14 22:09:52 CEST
Philippe, do you have some information to add to the advisory describing what else you've fixed?
Comment 7 Philippe Makowski 2013-08-14 22:20:05 CEST
This fixes MGA#10102: "Unable to install Python packages with C extensions via pip and virtualenv":
Before the fix, installing Python packages via pip inside a virtualenv fails if the Python package uses a C extension.
Comment 8 David Walser 2013-08-15 17:08:25 CEST
OK, let's use this bug for the python update and Bug 10391 for the python3 update.

Advisory:
========================

Updated python packages fix security vulnerability:

Ryan Sleevi of the Google Chrome Security Team has discovered that Python's SSL
module doesn't handle NULL bytes inside subjectAltNames general names. This
could lead to a breach when an application uses ssl.match_hostname() to match
the hostname against the certificate's subjectAltName's dNSName general names.
(CVE-2013-4328).

Additionally, an issue with installing Python packages with C extensions via
pip and virtualenv has been fixed in Mageia 3 (mga#10102).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4328
http://bugs.python.org/issue18709
https://bugs.mageia.org/show_bug.cgi?id=10102
https://bugs.mageia.org/show_bug.cgi?id=10989
========================

Updated packages in core/updates_testing:
========================
python-2.7.3-2.4.mga2
python-docs-2.7.3-2.4.mga2
libpython2.7-2.7.3-2.4.mga2
libpython-devel-2.7.3-2.4.mga2
tkinter-2.7.3-2.4.mga2
tkinter-apps-2.7.3-2.4.mga2
python-2.7.5-1.2.mga3
python-docs-2.7.5-1.2.mga3
libpython2.7-2.7.5-1.2.mga3
libpython-devel-2.7.5-1.2.mga3
tkinter-2.7.5-1.2.mga3
tkinter-apps-2.7.5-1.2.mga3

from SRPMS:
python-2.7.3-2.4.mga2.src.rpm
python-2.7.5-1.2.mga3.src.rpm
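
The NULL-byte handling described in the advisory above, as an added example (not part of the original bug report, the upstream patch or the upstream PoC). It assumes a certificate dict shaped like the one returned by `getpeercert()`, models the missing handling as truncation at the first NUL (how a C-string reader behaves), and uses hypothetical function names and constructed hostnames; the matcher is a simplified exact comparison, not `ssl.match_hostname()` itself.

```python
# Added illustration: all names and values below are constructed.

def c_string_view(value):
    """What a NUL-terminated C string reader sees: the text before the first NUL."""
    return value.split("\x00", 1)[0]


def dns_names(cert, truncate_at_nul=False):
    """Return the dNSName entries from a getpeercert()-style dict."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [c_string_view(n) for n in names] if truncate_at_nul else names


def hostname_matches(hostname, cert, truncate_at_nul=False):
    """Simplified exact, case-insensitive match (no wildcard handling)."""
    wanted = hostname.lower()
    return any(n.lower() == wanted for n in dns_names(cert, truncate_at_nul))


def suspicious_san_entries(cert):
    """Flag general names that carry NUL or other control characters."""
    return [(kind, v) for kind, v in cert.get("subjectAltName", ())
            if isinstance(v, str)
            and any(ord(c) < 0x20 or ord(c) == 0x7F for c in v)]


# Constructed sample: the first dNSName is the whole string, NUL included.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "other.example.net"),),),
    "subjectAltName": (
        ("DNS", "www.example.org\x00.other.example.net"),
        ("DNS", "other.example.net"),
    ),
}

if __name__ == "__main__":
    host = "www.example.org"
    # Truncating decoder: the name appears to be "www.example.org" and matches.
    print("truncating decoder:", hostname_matches(host, CONSTRUCTED_CERT, True))
    # Full-length decoder: the embedded NUL stays in the name, so no match.
    print("full-length decoder:", hostname_matches(host, CONSTRUCTED_CERT, False))
    print("flagged entries:", suspicious_san_entries(CONSTRUCTED_CERT))
```
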
Comment 9 David Walser 2013-08-15 19:23:38 CEST
The bug title (with python3) was correct, as this CVE affects both python and python3.  I used the other bug (Bug 10391) to handle the python3 update to separate these and make it easier for QA, but we are fixing this CVE for python3 as well.
Comment 10 claire robinson 2013-08-16 13:33:34 CEST
No PoC so just testing python & tkinter using random examples from here, run in idle: http://wiki.python.org/moin/SimplePrograms
Comment 11 claire robinson 2013-08-16 13:44:43 CEST
Testing complete mga3 64
Comment 12 claire robinson 2013-08-16 14:01:31 CEST
Testing complete mga2 64
Comment 13 David Walser 2013-08-16 14:15:47 CEST
There's a PoC attached here:
http://bugs.python.org/issue18709
Comment 14 claire robinson 2013-08-16 14:18:41 CEST
Advisory uploaded.
Comment 15 claire robinson 2013-08-16 16:25:55 CEST
No idea how to use the certificate on the link, David. If you can point us in the right direction I'm happy to check it again.

Testing complete mga2-32 for now.
Comment 16 David Walser 2013-08-16 17:17:24 CEST
Yeah, sorry.  I just looked at the ssl module and I don't even see match_hostname(), so I don't know how to use it either.
Comment 17 David GEIGER 2013-08-17 08:53:52 CEST
Testing complete mga3_32, OK for me, nothing to report, python works fine.
Comment 18 claire robinson 2013-08-17 09:56:32 CEST
Validating.

Could sysadmin please push from 2 & 3 core/updates_testing to updates

Thanks!
Comment 19 Thomas Backlund 2013-08-17 10:45:16 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0250.html
Comment 20 David Walser 2013-08-26 18:56:30 CEST
Looks like I screwed up on this one...the correct CVE is 4238, as it says in the bug title.  The advisory has it typoed as 4328.  This also happened in the Bug 10391 update.
Comment 21 Dave Hodgins 2013-08-26 21:12:41 CEST
Advisory 10989.adv corrected in svn.
