Advisory:
========================

Updated python3 packages fix security vulnerabilities:

 ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited zips (CVE-2013-7338).

References:
http://bugs.python.org/issue20078
http://openwall.com/lists/oss-security/2014/03/19/3
========================

Updated packages in core/updates_testing:
========================
libpython3-3.3.0-4.7.mga3
libpython3-devel-3.3.0-4.7.mga3
tkinter3-3.3.0-4.7.mga3
tkinter3-apps-3.3.0-4.7.mga3
python3-3.3.0-4.7.mga3
python3-docs-3.3.0-4.7.mga3
libpython3-3.3.2-13.2.mga4
libpython3-devel-3.3.2-13.2.mga4
tkinter3-3.3.2-13.2.mga4
tkinter3-apps-3.3.2-13.2.mga4
python3-3.3.2-13.2.mga4
python3-docs-3.3.2-13.2.mga4

from SRPMS:
python3-3.3.0-4.7.mga3.src.rpm
python3-3.3.2-13.2.mga4.src.rpm


note : the fix is present in Python 3.3.4 so Cauldron is not affected.

Version: Cauldron => 4
Assignee: makowski.mageia => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

PoC attached to the bug link: http://bugs.python.org/issue20078

General testing here: https://bugs.mageia.org/show_bug.cgi?id=10391#c15

$ cd test
$ wget -O python3programs.py http://www.annedawson.net/Python3Programs.txt
$ idle3 python3programs.py

Choose Run Module in the Run menu. It ends in a loop which you have to kill with ctrl-c but it's intentionally so and shows python3 and tkinter3 working.

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Thanks Philippe!  Just adding the CVE URL and a hard return.

Advisory:
========================

Updated python3 packages fix security vulnerabilities:

ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited
zips (CVE-2013-7338).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7338
http://bugs.python.org/issue20078
http://openwall.com/lists/oss-security/2014/03/19/3

CC: (none) => makowski.mageia

Tested Mga4 64-bit using PySol and running a couple of Anne Dawson's scripts and a couple of mine from Bash and from IDLE.  No problems noticed.

Carolyn

CC: (none) => cmrisolde
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK

Tested Mga4 32-bit as above - no problems encountered.

Carolyn

Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK

In Mga3 32-bit I can't get the necessary packages to appear in the list of update candidates, and I checked that I've got the right media enabled and updated.   Any ideas, anyone?

Mga3 64-bit I'm not able to test at the moment.

Carolyn

(In reply to Carolyn Rowse from comment #6)
> In Mga3 32-bit I can't get the necessary packages to appear in the list of
> update candidates, and I checked that I've got the right media enabled and
> updated.   Any ideas, anyone?

Try a different mirror.  I see them on this one:
http://mageia.c3sl.ufpr.br/distrib/3/i586/media/core/updates_testing/

Super, thanks David.

Testing complete for Mga3 32-bit, no problems encountered.

Carolyn

Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK

Tested mga3_64,

Testing complete for python3-3.3.0-4.7.mga3, nothing to report and seems work fine here.

Using test procedure on comment 2


lib64python3-3.3.0-4.7.mga3
tkinter3-3.3.0-4.7.mga3
tkinter3-apps-3.3.0-4.7.mga3
python3-3.3.0-4.7.mga3
python3-docs-3.3.0-4.7.mga3

CC: (none) => geiger.david68210
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK

Advisory uploaded to svn. Validating the update.

Someone from the sysadmin team please push 13052.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Update pushed:
http://advisories.mageia.org/MGASA-2014-0140.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED