Bug 12772 - python/python3 new security issue CVE-2014-1912
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/586327/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Blocks: 12127
 
Reported: 2014-02-14 18:48 CET by David Walser
Modified: 2014-02-19 22:55 CET
Source RPM: python-2.7.6-1.mga5.src.rpm, python3-3.3.2-13.mga4.src.rpm
Description David Walser 2014-02-14 18:48:42 CET
Fedora has issued an advisory on February 12:
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128243.html

python3 is also affected, and versions on Mageia 3 and Mageia 4 are affected.

The RedHat bug has links to the upstream commits to fix this issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1062370

Comment 1 Philippe Makowski 2014-02-15 17:12:08 CET
Cauldron updated, 3 and 4 are coming
Comment 2 Philippe Makowski 2014-02-15 20:23:45 CET
About Python2 in mga3 and mga4, should I take this opportunity to update to 2.7.6? It would solve some of the bugs reported in bug#12127 and CVE-2013-4238 (http://hg.python.org/cpython/raw-file/99d03261c1ba/Misc/NEWS).
Comment 3 David Walser 2014-02-15 20:27:56 CET
Taking the opportunity to update to 2.7.6 would make sense, yes.
Comment 4 Philippe Makowski 2014-02-16 17:30:42 CET
Advisory:
========================

Updated Python and Python3 packages fix security vulnerability:

A vulnerability was reported (CVE-2014-1912) in Python's socket module, due to a boundary error within the sock_recvfrom_into() function, which could be exploited to cause a buffer overflow.  This could be used to crash a Python application that uses the socket.recvfrom_into() function or, possibly, execute arbitrary code with the permissions of the user running vulnerable Python code.

The update to Python 2.7.6 also fixes bugs reported in bug#12127 and CVE-2013-4238.

References:
http://bugs.python.org/issue20246
https://bugzilla.redhat.com/show_bug.cgi?id=1062370
http://hg.python.org/cpython/raw-file/99d03261c1ba/Misc/NEWS

Updated packages in core/updates_testing:
========================
tkinter3-apps-3.3.2-13.1.mga4
libpython3.3-3.3.2-13.1.mga4
python3-docs-3.3.2-13.1.mga4
libpython3-devel-3.3.2-13.1.mga4
python3-3.3.2-13.1.mga4
python3-debuginfo-3.3.2-13.1.mga4
tkinter3-3.3.2-13.1.mga4

from SRPMS:
python3-3.3.2-13.1.mga4.src

Updated packages in core/updates_testing:
========================
tkinter3-apps-3.3.0-4.6.mga3
libpython3.3-3.3.0-4.6.mga3
python3-docs-3.3.0-4.6.mga3
libpython3-devel-3.3.0-4.6.mga3
python3-3.3.0-4.6.mga3
python3-debuginfo-3.3.0-4.6.mga3
tkinter3-3.3.0-0-4.6.mga3

from SRPMS:
python3-3.3.0-4.6.mga3.src

Updated packages in core/updates_testing:
========================
libpython2.7-2.7.6-1.mga4
tkinter-apps-2.7.6-1.mga4
tkinter-2.7.6-1.mga4
python-debuginfo-2.7.6-1.mga4
libpython-devel-2.7.6-1.mga4
python-2.7.6-1.mga4
python-docs-2.7.6-1.mga4

from SRPMS:
python-2.7.6-1.mga4.src

Updated packages in core/updates_testing:
========================
libpython2.7-2.7.6-1.mga3
tkinter-apps-2.7.6-1.mga3
tkinter-2.7.6-1.mga3
python-debuginfo-2.7.6-1.mga3
libpython-devel-2.7.6-1.mga3
python-2.7.6-1.mga3
python-docs-2.7.6-1.mga3

from SRPMS:
python-2.7.6-1.mga3.src
Comment 5 David Walser 2014-02-16 17:48:27 CET
We actually already fixed CVE-2013-4238 in Bug 10989.

Adding some info to the advisory...

Advisory:
========================

Updated python and python3 packages fix security vulnerabilities:

A vulnerability was reported in Python's socket module, due to a boundary
error within the sock_recvfrom_into() function, which could be exploited to
cause a buffer overflow.  This could be used to crash a Python application
that uses the socket.recvfrom_into() function or, possibly, execute arbitrary
code with the permissions of the user running vulnerable Python code
(CVE-2014-1912).

This updates the python package to version 2.7.6, which fixes several other
bugs, including denial of service flaws due to unbound readline() calls in
the ftplib and nntplib modules (CVE-2013-1752).

The python3 package has been patched to fix the CVE-2014-1912 issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1912
http://bugs.python.org/issue20246
http://hg.python.org/cpython/raw-file/99d03261c1ba/Misc/NEWS
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128243.html
https://bugzilla.redhat.com/show_bug.cgi?id=1046174
http://openwall.com/lists/oss-security/2013/12/23/10
https://bugs.mageia.org/show_bug.cgi?id=12127
https://bugs.mageia.org/show_bug.cgi?id=12772
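
Added example, not part of the bug report or of the Mageia QA procedure: a check that an installed interpreter carries the CVE-2014-1912 bounds check, plus a caller-side guard for code that must also run on interpreters that lack it. It relies on the upstream fix making `recvfrom_into()` raise `ValueError` when `nbytes` exceeds the buffer length; the function names are hypothetical, and `socket.socketpair()` with `AF_UNIX` makes it Unix-only.

```python
import socket

def recvfrom_into_bounds_check():
    """Return 'patched' if recvfrom_into() rejects nbytes > len(buffer).

    No datagram is ever sent, so nothing can be copied into the buffer:
    a fixed interpreter raises ValueError before the recvfrom() system
    call, an unfixed one reaches the call and fails with "would block".
    """
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        a.setblocking(False)
        try:
            a.recvfrom_into(bytearray(8), 1024)
        except ValueError:
            return "patched"
        except socket.error:
            return "unchecked"
        return "unexpected-data"
    finally:
        a.close()
        b.close()

def bounded_recvfrom_into(sock, buf, nbytes=0):
    """Caller-side guard: never request more bytes than buf can hold."""
    limit = len(buf)
    if nbytes <= 0 or nbytes > limit:
        nbytes = limit
    return sock.recvfrom_into(buf, nbytes)

def demo_bounded_receive():
    """Send a constructed 64-byte datagram into an 8-byte buffer."""
    rx, tx = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        rx.settimeout(2.0)
        tx.send(b"A" * 64)                 # constructed sample payload
        buf = bytearray(8)
        received, _ = bounded_recvfrom_into(rx, buf, 1024)
        return received, bytes(buf)
    finally:
        rx.close()
        tx.close()

if __name__ == "__main__":
    print(recvfrom_into_bounds_check())
    print(demo_bounded_receive())
```

Run it with each interpreter under test (python and python3); a result of "unchecked" means the installed build does not validate `nbytes` against the buffer size.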
Comment 6 claire robinson 2014-02-18 13:55:54 CET
Procedure:

python/tkinter/tkinter-apps
---------------------------
Use random examples from here, run in idle: 
http://wiki.python.org/moin/SimplePrograms

python3/tkinter3/tkinter3-apps
----------------------------
$ wget -O python3programs.py http://www.annedawson.net/Python3Programs.txt
$ idle3 python3programs.py
Comment 7 claire robinson 2014-02-18 13:57:46 CET
Testing mga3 32 & 64
Comment 8 claire robinson 2014-02-18 14:26:12 CET
Testing complete mga3 32 & 64

When testing python3 as above, it will eventually get stuck in a loop; interrupt with Ctrl-C. It's not meant to be run as a single script but is good enough to show that what we want to work is working.
Comment 9 claire robinson 2014-02-18 16:45:22 CET
Advisory uploaded.

Needs tests on mga4 to validate.
Comment 10 David Walser 2014-02-18 19:42:42 CET
Thanks Claire.  Since Fedora has now fixed this for python3 as well, I'd like to add it to the references (right below the other Fedora advisory link):
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128361.html
Comment 11 claire robinson 2014-02-18 19:50:30 CET
Advisory updated.
Comment 12 Thomas Backlund 2014-02-19 18:07:10 CET
Testing mga4 32 and 64
Comment 13 Thomas Backlund 2014-02-19 19:10:59 CET
Testing complete, validating
Comment 14 Thomas Backlund 2014-02-19 22:55:32 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0085.html
