A CVE has been assigned for yet another zipfile issue in Python: http://openwall.com/lists/oss-security/2014/03/19/3

The upstream bug and commit to fix it are linked in the message above.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Advisory:
========================

Updated python3 packages fix security vulnerabilities:

ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited zips (CVE-2013-7338).

References:
http://bugs.python.org/issue20078
http://openwall.com/lists/oss-security/2014/03/19/3
========================

Updated packages in core/updates_testing:
========================
libpython3-3.3.0-4.7.mga3
libpython3-devel-3.3.0-4.7.mga3
tkinter3-3.3.0-4.7.mga3
tkinter3-apps-3.3.0-4.7.mga3
python3-3.3.0-4.7.mga3
python3-docs-3.3.0-4.7.mga3

libpython3-3.3.2-13.2.mga4
libpython3-devel-3.3.2-13.2.mga4
tkinter3-3.3.2-13.2.mga4
tkinter3-apps-3.3.2-13.2.mga4
python3-3.3.2-13.2.mga4
python3-docs-3.3.2-13.2.mga4

from SRPMS:
python3-3.3.0-4.7.mga3.src.rpm
python3-3.3.2-13.2.mga4.src.rpm

Note: the fix is present in Python 3.3.4, so Cauldron is not affected.
Version: Cauldron => 4
Assignee: makowski.mageia => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
PoC attached to the bug link: http://bugs.python.org/issue20078

General testing here: https://bugs.mageia.org/show_bug.cgi?id=10391#c15

$ cd test
$ wget -O python3programs.py http://www.annedawson.net/Python3Programs.txt
$ idle3 python3programs.py

Choose Run Module in the Run menu. It ends in a loop which you have to kill with ctrl-c, but it's intentionally so and shows python3 and tkinter3 working.
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Thanks Philippe! Just adding the CVE URL and a hard return.

Advisory:
========================

Updated python3 packages fix security vulnerabilities:

ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited zips (CVE-2013-7338).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7338
http://bugs.python.org/issue20078
http://openwall.com/lists/oss-security/2014/03/19/3
CC: (none) => makowski.mageia
Tested Mga4 64-bit using PySol and running a couple of Anne Dawson's scripts and a couple of mine from Bash and from IDLE. No problems noticed. Carolyn
CC: (none) => cmrisolde
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK
Tested Mga4 32-bit as above - no problems encountered. Carolyn
Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK
In Mga3 32-bit I can't get the necessary packages to appear in the list of update candidates, and I checked that I've got the right media enabled and updated. Any ideas, anyone? Mga3 64-bit I'm not able to test at the moment. Carolyn
(In reply to Carolyn Rowse from comment #6)
> In Mga3 32-bit I can't get the necessary packages to appear in the list of
> update candidates, and I checked that I've got the right media enabled and
> updated. Any ideas, anyone?

Try a different mirror. I see them on this one: http://mageia.c3sl.ufpr.br/distrib/3/i586/media/core/updates_testing/
Super, thanks David. Testing complete for Mga3 32-bit, no problems encountered. Carolyn
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK
Tested mga3_64. Testing complete for python3-3.3.0-4.7.mga3, nothing to report and it seems to work fine here. Using the test procedure in comment 2.

lib64python3-3.3.0-4.7.mga3
tkinter3-3.3.0-4.7.mga3
tkinter3-apps-3.3.0-4.7.mga3
python3-3.3.0-4.7.mga3
python3-docs-3.3.0-4.7.mga3
CC: (none) => geiger.david68210
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK
Advisory uploaded to svn. Validating the update. Someone from the sysadmin team please push 13052.adv to updates.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0140.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/591685/