Bug 13041 - python new security issue CVE-2013-1753
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware/OS: All Linux
Priority: Normal  Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/591682/
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32...
Keywords: validated_update
Blocks: 12127

Reported: 2014-03-18 17:58 CET by David Walser
Modified: 2014-03-24 19:18 CET (History)

Source RPM: python

Description David Walser 2014-03-18 17:58:10 CET
OpenSuSE has issued an advisory on March 15:
http://lists.opensuse.org/opensuse-updates/2014-03/msg00044.html

It mentions that they included a patch to fix CVE-2013-1753, and also one of the bugs associated with this advisory:
https://bugzilla.novell.com/show_bug.cgi?id=856836

indicates that they may have included additional patches for the CVE-2013-1752 issues which were not fixed in 2.7.6.

Comment 1 David Walser 2014-03-19 15:21:55 CET
A CVE has been assigned for yet another zipfile issue in Python:
http://openwall.com/lists/oss-security/2014/03/19/3

The upstream bug and commit to fix it are linked in the message above.
Comment 2 Philippe Makowski 2014-03-19 15:43:50 CET
(In reply to David Walser from comment #1)
> A CVE has been assigned for yet another zipfile issue in Python:
> http://openwall.com/lists/oss-security/2014/03/19/3
> 
> The upstream bug and commit to fix it are linked in the message above.

just when I finished the builds for all Mageia versions :(
seems that I need another push
Comment 3 David Walser 2014-03-19 19:29:17 CET
(In reply to David Walser from comment #1)
> A CVE has been assigned for yet another zipfile issue in Python:
> http://openwall.com/lists/oss-security/2014/03/19/3
> 
> The upstream bug and commit to fix it are linked in the message above.

Philippe has notified me that that one affects python3, not python.  Moved to Bug 13052.
Comment 4 Philippe Makowski 2014-03-19 22:45:02 CET
Suggested advisory:
===================

Updated python packages fix security vulnerabilities:

* upstream fix for CVE-2013-1752: multiple unbound readline() DoS flaws in python stdlib
* upstream fixes for CVE-2013-1753: gzip bomb and unbound read DoS flaw in python XMLRPC library

References:
http://lists.opensuse.org/opensuse-updates/2014-03/msg00044.html

Packages:
libpython2.7-2.7.6-1.1.mga4
libpython-devel-2.7.6-1.1.mga4
tkinter-2.7.6-1.1.mga4
tkinter-apps-2.7.6-1.1.mga4
python-2.7.6-1.1.mga4
python-docs-2.7.6-1.1.mga4

libpython2.7-2.7.6-1.1.mga3
libpython-devel-2.7.6-1.1.mga3
tkinter-2.7.6-1.1.mga3
tkinter-apps-2.7.6-1.1.mga3
python-2.7.6-1.1.mga3
python-docs-2.7.6-1.1.mga3


from:
 python-2.7.6-1.1.mga3.src
 python-2.7.6-1.1.mga4.src
Comment 5 David Walser 2014-03-20 13:12:43 CET
Thanks Philippe!

Advisory:
========================

Updated python packages fix security vulnerabilities:

Denial of service flaws due to unbound readline() calls in the imaplib,
poplib, and smtplib modules (CVE-2013-1752).

A gzip bomb and unbound read denial of service flaw in python XMLRPC library
(CVE-2013-1753).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1753
http://lists.opensuse.org/opensuse-updates/2014-03/msg00044.html
========================

Updated packages in core/updates_testing:
========================
libpython2.7-2.7.6-1.1.mga3
libpython-devel-2.7.6-1.1.mga3
tkinter-2.7.6-1.1.mga3
tkinter-apps-2.7.6-1.1.mga3
python-2.7.6-1.1.mga3
python-docs-2.7.6-1.1.mga3
libpython2.7-2.7.6-1.1.mga4
libpython-devel-2.7.6-1.1.mga4
tkinter-2.7.6-1.1.mga4
tkinter-apps-2.7.6-1.1.mga4
python-2.7.6-1.1.mga4
python-docs-2.7.6-1.1.mga4

from SRPMS:
python-2.7.6-1.1.mga3.src.rpm
python-2.7.6-1.1.mga4.src.rpm
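The two flaw classes named in the advisory above, as an added example that is not part of this bug report nor of Mageia's or upstream's patches: a Python 3 line read bounded the way the upstream fixes bound readline() in the mail-protocol modules, and a gzip decode that refuses to inflate past a fixed budget. The limit constants and helper names are this example's own assumptions.

```python
import gzip
import io

# Limits modelled on the approach upstream took for CVE-2013-1752/1753;
# the values are this example's own assumptions, not taken from the advisory.
MAXLINE = 8192                  # longest protocol line accepted
MAX_DECODE = 20 * 1024 * 1024   # largest gzip payload accepted after inflation

class LineTooLong(Exception):
    """Raised instead of buffering a peer-controlled, never-ending line."""

class PayloadTooLarge(Exception):
    """Raised instead of inflating a gzip bomb fully into memory."""

def bounded_readline(fp, maxline=MAXLINE):
    """Read one line without ever buffering more than maxline bytes of it.

    A plain fp.readline() appends until a newline arrives, so a peer that
    never sends one grows the buffer without limit; asking for maxline + 1
    bytes is enough to detect an over-long line before it is retained.
    """
    line = fp.readline(maxline + 1)
    if len(line) > maxline:
        raise LineTooLong("line exceeds %d bytes" % maxline)
    return line

def bounded_gzip_decode(data, max_decode=MAX_DECODE):
    """Inflate gzip data but refuse it once it expands past max_decode."""
    with gzip.GzipFile(fileobj=io.BytesIO(data), mode="rb") as gzf:
        decoded = gzf.read(max_decode + 1)
    if len(decoded) > max_decode:
        raise PayloadTooLarge("payload expands past %d bytes" % max_decode)
    return decoded

def classify_line(raw, maxline=MAXLINE):
    """'ok' if a constructed line is accepted, 'rejected' if it trips the bound."""
    try:
        bounded_readline(io.BytesIO(raw), maxline)
        return "ok"
    except LineTooLong:
        return "rejected"

def classify_gzip(plain, max_decode=MAX_DECODE):
    """Compress constructed plaintext, then report whether decoding stays bounded."""
    try:
        bounded_gzip_decode(gzip.compress(plain), max_decode)
        return "ok"
    except PayloadTooLarge:
        return "rejected"
```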
Comment 6 Carolyn Rowse 2014-03-22 11:13:38 CET
Tested on Mga3 32-bit using PySol, IDLE and a few simple scripts of my own with and without Tkinter.  No regressions noticed.

Will now test Mga4 32-bit.

Carolyn
Comment 7 Carolyn Rowse 2014-03-22 11:57:00 CET
Same as above for 64-bit except that I couldn't find IDLE - has it been dropped from Mageia? - so I used Eric instead.  No regressions noticed.

Carolyn
Comment 8 Rémi Verschelde 2014-03-22 12:26:22 CET
It seems that IDLE is included in tkinter-apps (and tkinter3-apps for IDLE3).
Comment 9 Carolyn Rowse 2014-03-22 13:31:56 CET
Tested on Mga4 64-bit, including IDLE.  It seems on Mga3 64-bit IDLE doesn't appear in the applications menu but it does on the others.

My packages listed for update showed the name lib64python2.7..., the "64" seems to be missing in the above list of RPMs.  Ditto for the devel one.

No regressions noted.

At the moment I can't test Mga3 64-bit, so I'll have to leave that one to someone else.

Carolyn
Comment 10 David GEIGER 2014-03-23 15:21:20 CET
Tested mga3_64,

Testing complete for python-2.7.6-1.1.mga3, nothing to report and it seems to work fine here with some packages that need python.

lib64python2.7-2.7.6-1.1.mga3
tkinter-2.7.6-1.1.mga3
tkinter-apps-2.7.6-1.1.mga3
python-2.7.6-1.1.mga3
python-docs-2.7.6-1.1.mga3
Comment 11 Dave Hodgins 2014-03-23 21:20:24 CET
Advisory uploaded to svn. Validating the update.

Someone from the sysadmin team please push 13041.adv to updates.
Comment 12 Thomas Backlund 2014-03-24 08:43:47 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0139.html
