Fedora has issued an advisory on February 12:
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128243.html

python3 is also affected, and versions on Mageia 3 and Mageia 4 are affected.

The RedHat bug has links to the upstream commits to fix this issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1062370

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA4TOO, MGA3TOO
Cauldron updated, 3 and 4 are coming
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
About Python2 in mga3 and mga4, should I take this opportunity to update to 2.7.6? It would solve some of the bugs reported in bug#12127 and CVE-2013-4238 (http://hg.python.org/cpython/raw-file/99d03261c1ba/Misc/NEWS).
Taking the opportunity to update to 2.7.6 would make sense, yes.
Advisory:
========================

Updated Python and Python3 packages fix a security vulnerability:

A vulnerability was reported (CVE-2014-1912) in Python's socket module, due to a boundary error within the sock_recvfrom_into() function, which could be exploited to cause a buffer overflow. This could be used to crash a Python application that uses the socket.recvfrom_into() function or, possibly, execute arbitrary code with the permissions of the user running vulnerable Python code.

The update to Python 2.7.6 also fixes bugs reported in bug#12127 and CVE-2013-4238.

References:
http://bugs.python.org/issue20246
https://bugzilla.redhat.com/show_bug.cgi?id=1062370
http://hg.python.org/cpython/raw-file/99d03261c1ba/Misc/NEWS

Updated packages in core/updates_testing:
========================
tkinter3-apps-3.3.2-13.1.mga4
libpython3.3-3.3.2-13.1.mga4
python3-docs-3.3.2-13.1.mga4
libpython3-devel-3.3.2-13.1.mga4
python3-3.3.2-13.1.mga4
python3-debuginfo-3.3.2-13.1.mga4
tkinter3-3.3.2-13.1.mga4

from SRPMS:
python3-3.3.2-13.1.mga4.src

Updated packages in core/updates_testing:
========================
tkinter3-apps-3.3.0-4.6.mga3
libpython3.3-3.3.0-4.6.mga3
python3-docs-3.3.0-4.6.mga3
libpython3-devel-3.3.0-4.6.mga3
python3-3.3.0-4.6.mga3
python3-debuginfo-3.3.0-4.6.mga3
tkinter3-3.3.0-0-4.6.mga3

from SRPMS:
python3-3.3.0-4.6.mga3.src

Updated packages in core/updates_testing:
========================
libpython2.7-2.7.6-1.mga4
tkinter-apps-2.7.6-1.mga4
tkinter-2.7.6-1.mga4
python-debuginfo-2.7.6-1.mga4
libpython-devel-2.7.6-1.mga4
python-2.7.6-1.mga4
python-docs-2.7.6-1.mga4

from SRPMS:
python-2.7.6-1.mga4.src

Updated packages in core/updates_testing:
========================
libpython2.7-2.7.6-1.mga3
tkinter-apps-2.7.6-1.mga3
tkinter-2.7.6-1.mga3
python-debuginfo-2.7.6-1.mga3
libpython-devel-2.7.6-1.mga3
python-2.7.6-1.mga3
python-docs-2.7.6-1.mga3

from SRPMS:
python-2.7.6-1.mga3.src
Assignee: makowski.mageia => qa-bugs
We actually already fixed CVE-2013-4238 in Bug 10989. Adding some info to the advisory...

Advisory:
========================

Updated python and python3 packages fix security vulnerabilities:

A vulnerability was reported in Python's socket module, due to a boundary error within the sock_recvfrom_into() function, which could be exploited to cause a buffer overflow. This could be used to crash a Python application that uses the socket.recvfrom_into() function or, possibly, execute arbitrary code with the permissions of the user running vulnerable Python code (CVE-2014-1912).

This updates the python package to version 2.7.6, which fixes several other bugs, including denial of service flaws due to unbound readline() calls in the ftplib and nntplib modules (CVE-2013-1752).

The python3 package has been patched to fix the CVE-2014-1912 issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1912
http://bugs.python.org/issue20246
http://hg.python.org/cpython/raw-file/99d03261c1ba/Misc/NEWS
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128243.html
https://bugzilla.redhat.com/show_bug.cgi?id=1046174
http://openwall.com/lists/oss-security/2013/12/23/10
https://bugs.mageia.org/show_bug.cgi?id=12127
https://bugs.mageia.org/show_bug.cgi?id=12772
Blocks: (none) => 12127
Procedure:

python/tkinter/tkinter-apps
---------------------------
Use random examples from here, run in idle:
http://wiki.python.org/moin/SimplePrograms

python3/tkinter3/tkinter3-apps
----------------------------
$ wget -O python3programs.py http://www.annedawson.net/Python3Programs.txt
$ idle3 python3programs.py
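The procedure above exercises general interpreter functionality; the following is an added check (not part of this bug report or the Mageia QA procedure) that verifies the CVE-2014-1912 fix itself. The upstream fix makes sock_recvfrom_into() reject an nbytes argument larger than the supplied buffer with a ValueError before any data is read. The probe sends a constructed 1-byte datagram over loopback into a 4-byte buffer with nbytes=8, so on an unpatched interpreter only that single byte is copied and the check stays memory-safe either way.

```python
import socket


def recvfrom_into_is_bounds_checked(timeout=2.0):
    """Return True if socket.recvfrom_into rejects nbytes > len(buffer).

    A patched interpreter (Python 2.7.6 / patched python3) raises ValueError
    ("nbytes is greater than the length of the buffer") up front. An unpatched
    one performs no check and returns (nbytes_received, address) instead.
    """
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))          # ephemeral loopback port
        rx.settimeout(timeout)
        # Constructed sample datagram: deliberately smaller than the buffer,
        # so an unpatched build cannot write past the 4 bytes allocated below.
        tx.sendto(b"x", rx.getsockname())
        buf = bytearray(4)
        try:
            rx.recvfrom_into(buf, 8)       # nbytes (8) exceeds len(buf) (4)
        except ValueError:
            return True                    # fix present: call was rejected
        return False                       # fix absent: no bounds check
    finally:
        rx.close()
        tx.close()


def recvfrom_into_roundtrip(payload=b"hello", timeout=2.0):
    """Sanity check that the normal, in-bounds call still works after the fix.

    Returns the bytes actually received into a correctly sized buffer.
    """
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(timeout)
        tx.sendto(payload, rx.getsockname())
        buf = bytearray(len(payload))
        nbytes, _addr = rx.recvfrom_into(buf, len(buf))   # nbytes == len(buf)
        return bytes(buf[:nbytes])
    finally:
        rx.close()
        tx.close()


if __name__ == "__main__":
    print("bounds check present:", recvfrom_into_is_bounds_checked())
    print("roundtrip:", recvfrom_into_roundtrip())
```

Run it with each updated interpreter (python and python3) from updates_testing; both calls should report True and b'hello' respectively.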
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Testing mga3 32 & 64
Testing complete mga3 32 & 64

When testing python3 as above, it will eventually get stuck in a loop, interrupt with ctrl-c. It's not meant to be run as a single script but is good enough to show that what we want to work is working.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok mga3-64-ok
Advisory uploaded. Needs tests on mga4 to validate.
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok
Thanks Claire. Since Fedora has now fixed this for python3 as well, I'd like to add it to the references (right below the other Fedora advisory link): https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128361.html
Advisory updated.
Testing mga4 32 and 64
CC: (none) => tmb
Testing complete, validating
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0085.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED