Bug 13052 - python3 new security issue CVE-2013-7338
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal  Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/591685/
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4...
Keywords: validated_update
Reported: 2014-03-19 19:28 CET by David Walser
Modified: 2014-03-24 19:18 CET (History)

See Also:
Source RPM: python3
CVE:



Description David Walser 2014-03-19 19:28:39 CET
A CVE has been assigned for yet another zipfile issue in Python:
http://openwall.com/lists/oss-security/2014/03/19/3

The upstream bug and commit to fix it are linked in the message above.

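The report above describes a denial of service: a consumer of an untrusted archive calls ZipExtFile.read and never returns. The block below is an added example for this page, not code from Python's zipfile module, from the upstream fix, or from the Mageia update, and it does not reproduce the hang (that needs the malformed archive attached to the upstream bug). It shows what can be checked from outside the library when reading archives from untrusted sources: sizes and compression ratios taken from the central directory before any decompression, a byte budget and bounded chunk reads during decompression, and comparison of what comes out against what the headers declared. The sample archive is constructed inline; the budget and ratio limits are assumed policy values, and the tampering helper simply inverts the first byte of one member's deflate stream so that a binary-edited member is rejected rather than passed on.

```python
"""Defensive reading of members from an untrusted zip archive.

Added example for this bug page; it is not code from Python's zipfile module
nor from the Mageia update.  It does not reproduce the CVE-2013-7338 hang
(that needs the malformed archive attached to the upstream bug); it shows
the checks a consumer of untrusted archives can apply from the outside, and
how a binary-edited member is rejected by a patched interpreter.
"""
import io
import struct
import zipfile
import zlib
from zipfile import BadZipFile

CHUNK = 64 * 1024                  # read size per loop iteration
DEFAULT_BUDGET = 64 * 1024 * 1024  # max decompressed bytes accepted (assumed policy)
MAX_RATIO = 1024                   # decompressed:compressed ratio treated as a bomb (assumed)

LOCAL_HEADER = "<4sHHHHHLLLHH"     # local file header, 30 fixed bytes (PKZIP APPNOTE)


def build_sample_zip():
    """Constructed sample input: a small deflate-compressed archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", b"hello " * 200)
        zf.writestr("data.bin", bytes(range(256)) * 8)
    return buf.getvalue()


def tamper_compressed_data(zip_bytes, name):
    """Binary-edit the archive: invert the first byte of `name`'s deflate
    stream.  Headers and the central directory are untouched, so the archive
    still opens; only reading the member reveals the damage."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        off = zf.getinfo(name).header_offset
    hdr = struct.unpack(LOCAL_HEADER, zip_bytes[off:off + 30])
    if hdr[0] != b"PK\x03\x04":
        raise ValueError("no local file header at offset %d" % off)
    data_off = off + 30 + hdr[9] + hdr[10]     # skip file name and extra field
    edited = bytearray(zip_bytes)
    edited[data_off] ^= 0xFF
    return bytes(edited)


def metadata_problems(info, max_size):
    """Checks that use only the central-directory entry, before any
    decompression happens."""
    problems = []
    if info.file_size > max_size:
        problems.append("declared size %d exceeds budget %d"
                        % (info.file_size, max_size))
    if info.compress_type != zipfile.ZIP_STORED and info.compress_size:
        ratio = info.file_size / info.compress_size
        if ratio > MAX_RATIO:
            problems.append("compression ratio %.0f:1 looks like a bomb" % ratio)
    return problems


def read_member_safely(zip_bytes, name, max_size=DEFAULT_BUDGET):
    """Return (True, payload) or (False, reason).

    Reads in bounded chunks and compares what comes out against what the
    central directory promised; any inconsistency or decoder error rejects
    the member instead of being passed on to the caller."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            info = zf.getinfo(name)
            problems = metadata_problems(info, max_size)
            if problems:
                return False, "; ".join(problems)
            out = bytearray()
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(CHUNK)
                    if not chunk:
                        break
                    out += chunk
                    if len(out) > info.file_size:
                        return False, "member yields more data than declared"
            if len(out) != info.file_size:
                return False, ("short read: %d of %d declared bytes"
                               % (len(out), info.file_size))
            return True, bytes(out)
    except (BadZipFile, zlib.error, EOFError, KeyError) as exc:
        # BadZipFile: structure or CRC-32 mismatch; zlib.error: corrupt
        # deflate stream; KeyError: no such member in the archive.
        return False, "%s: %s" % (type(exc).__name__, exc)


if __name__ == "__main__":
    good = build_sample_zip()
    print(read_member_safely(good, "notes.txt")[0])        # True
    bad = tamper_compressed_data(good, "notes.txt")
    print(read_member_safely(bad, "notes.txt")[0])         # False
```

Two caveats. First, these checks run outside the library: on an interpreter that still carries the bug, the loop is inside read() itself, so no Python-level guard can bound it; the only mitigations are the patched package or running the extraction in a separate process under a wall-clock timeout. Second, do not judge whether a host is fixed by comparing sys.version_info against 3.3.4: distribution packages backport fixes, and the python3-3.3.0-4.7.mga3 build in this update carries the fix while reporting 3.3.0.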
Comment 1 Philippe Makowski 2014-03-22 12:43:06 CET
Advisory:
========================

Updated python3 packages fix security vulnerabilities:

ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited zips (CVE-2013-7338).

References:
http://bugs.python.org/issue20078
http://openwall.com/lists/oss-security/2014/03/19/3
========================

Updated packages in core/updates_testing:
========================
libpython3-3.3.0-4.7.mga3
libpython3-devel-3.3.0-4.7.mga3
tkinter3-3.3.0-4.7.mga3
tkinter3-apps-3.3.0-4.7.mga3
python3-3.3.0-4.7.mga3
python3-docs-3.3.0-4.7.mga3
libpython3-3.3.2-13.2.mga4
libpython3-devel-3.3.2-13.2.mga4
tkinter3-3.3.2-13.2.mga4
tkinter3-apps-3.3.2-13.2.mga4
python3-3.3.2-13.2.mga4
python3-docs-3.3.2-13.2.mga4

from SRPMS:
python3-3.3.0-4.7.mga3.src.rpm
python3-3.3.2-13.2.mga4.src.rpm


Note: the fix is present in Python 3.3.4, so Cauldron is not affected.
Comment 2 claire robinson 2014-03-22 12:59:18 CET
PoC attached to the bug link: http://bugs.python.org/issue20078

General testing here: https://bugs.mageia.org/show_bug.cgi?id=10391#c15

$ cd test
$ wget -O python3programs.py http://www.annedawson.net/Python3Programs.txt
$ idle3 python3programs.py

Choose Run Module in the Run menu. It ends in a loop which you have to kill with Ctrl-C, but this is intentional and shows python3 and tkinter3 working.
Comment 3 David Walser 2014-03-22 14:26:00 CET
Thanks Philippe!  Just adding the CVE URL and a hard return.

Advisory:
========================

Updated python3 packages fix security vulnerabilities:

ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited
zips (CVE-2013-7338).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7338
http://bugs.python.org/issue20078
http://openwall.com/lists/oss-security/2014/03/19/3
Comment 4 Carolyn Rowse 2014-03-22 19:59:36 CET
Tested Mga4 64-bit using PySol and running a couple of Anne Dawson's scripts and a couple of mine from Bash and from IDLE.  No problems noticed.

Carolyn
Comment 5 Carolyn Rowse 2014-03-22 21:38:15 CET
Tested Mga4 32-bit as above - no problems encountered.

Carolyn
Comment 6 Carolyn Rowse 2014-03-22 21:48:19 CET
In Mga3 32-bit I can't get the necessary packages to appear in the list of update candidates, and I checked that I've got the right media enabled and updated. Any ideas, anyone?

Mga3 64-bit I'm not able to test at the moment.

Carolyn
Comment 7 David Walser 2014-03-22 22:04:08 CET
(In reply to Carolyn Rowse from comment #6)
> In Mga3 32-bit I can't get the necessary packages to appear in the list of
> update candidates, and I checked that I've got the right media enabled and
> updated.   Any ideas, anyone?

Try a different mirror.  I see them on this one:
http://mageia.c3sl.ufpr.br/distrib/3/i586/media/core/updates_testing/
Comment 8 Carolyn Rowse 2014-03-23 09:04:38 CET
Super, thanks David.

Testing complete for Mga3 32-bit, no problems encountered.

Carolyn
Comment 9 David GEIGER 2014-03-23 21:20:52 CET
Tested mga3_64,

Testing complete for python3-3.3.0-4.7.mga3, nothing to report and it seems to work fine here.

Using the test procedure in comment 2.


lib64python3-3.3.0-4.7.mga3
tkinter3-3.3.0-4.7.mga3
tkinter3-apps-3.3.0-4.7.mga3
python3-3.3.0-4.7.mga3
python3-docs-3.3.0-4.7.mga3
Comment 10 Dave Hodgins 2014-03-23 21:29:39 CET
Advisory uploaded to svn. Validating the update.

Someone from the sysadmin team please push 13052.adv to updates.
Comment 11 Thomas Backlund 2014-03-24 08:44:14 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0140.html
