A security issue in the _json module in Python was reported: http://openwall.com/lists/oss-security/2014/06/23/6 and assigned a CVE: http://openwall.com/lists/oss-security/2014/06/24/7
Whiteboard: (none) => MGA4TOO, MGA3TOO
A security issue in the CGIHTTPServer class in Python was reported: http://openwall.com/lists/oss-security/2014/06/23/5 and assigned a CVE: http://openwall.com/lists/oss-security/2014/06/26/3
Summary: python/python3 new security issue CVE-2014-4616 => python/python3 new security issues CVE-2014-4616 and CVE-2014-4650
Note: Python 3.4.1 is not affected by CVE-2014-4616, but is by CVE-2014-4650
Depends on: (none) => 13601
Updated packages (with upstream patches):
python3-3.4.1-3.mga5
python-2.7.6-7.mga5
python-2.7.6-1.2.mga4
python3-3.3.2-13.4.mga4
python3-3.3.0-4.9.mga3
python-2.7.6-1.2.mga3

need to write the advisory
Thanks Philippe!

CVE-2014-4616 for python-simplejson is being handled in Bug 13601.

I think this should suffice as an advisory.

Advisory:
========================

Updated python and python3 packages fix security vulnerabilities:

Python 2 and 3 are susceptible to arbitrary process memory reading by a user or adversary due to a bug in the _json module caused by insufficient bounds checking. The bug is caused by allowing the user to supply a negative value that is used as an array index, causing the scanstring function to access process memory outside of the string it is intended to access (CVE-2014-4616).

The CGIHTTPServer Python module does not properly handle URL-encoded path separators in URLs. This may enable attackers to disclose a CGI script's source code or execute arbitrary scripts in the server's document root (CVE-2014-4650).

References:
http://bugs.python.org/issue21529
http://bugs.python.org/issue21766
http://openwall.com/lists/oss-security/2014/06/24/7
http://openwall.com/lists/oss-security/2014/06/26/3
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134761.html
========================

Updated packages in core/updates_testing:
========================
python-2.7.6-1.2.mga3
libpython2.7-2.7.6-1.2.mga3
libpython-devel-2.7.6-1.2.mga3
python-docs-2.7.6-1.2.mga3
tkinter-2.7.6-1.2.mga3
tkinter-apps-2.7.6-1.2.mga3
python3-3.3.0-4.9.mga3
libpython3.3-3.3.0-4.9.mga3
libpython3-devel-3.3.0-4.9.mga3
python3-docs-3.3.0-4.9.mga3
tkinter3-3.3.0-4.9.mga3
tkinter3-apps-3.3.0-4.9.mga3
python-2.7.6-1.2.mga4
libpython2.7-2.7.6-1.2.mga4
libpython-devel-2.7.6-1.2.mga4
python-docs-2.7.6-1.2.mga4
tkinter-2.7.6-1.2.mga4
tkinter-apps-2.7.6-1.2.mga4
python3-3.3.2-13.4.mga4
libpython3.3-3.3.2-13.4.mga4
libpython3-devel-3.3.2-13.4.mga4
python3-docs-3.3.2-13.4.mga4
tkinter3-3.3.2-13.4.mga4
tkinter3-apps-3.3.2-13.4.mga4

from SRPMS:
python-2.7.6-1.2.mga3.src.rpm
python3-3.3.0-4.9.mga3.src.rpm
python-2.7.6-1.2.mga4.src.rpm
python3-3.3.2-13.4.mga4.src.rpm
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
CC: (none) => makowski.mageia
Version: Cauldron => 4
Assignee: makowski.mageia => qa-bugs
Fedora has issued an advisory for CVE-2014-4616 for the python package:
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134903.html

It'd be a better reference for the advisory than the other one. Reposting...

Advisory:
========================

Updated python and python3 packages fix security vulnerabilities:

Python 2 and 3 are susceptible to arbitrary process memory reading by a user or adversary due to a bug in the _json module caused by insufficient bounds checking. The bug is caused by allowing the user to supply a negative value that is used as an array index, causing the scanstring function to access process memory outside of the string it is intended to access (CVE-2014-4616).

The CGIHTTPServer Python module does not properly handle URL-encoded path separators in URLs. This may enable attackers to disclose a CGI script's source code or execute arbitrary scripts in the server's document root (CVE-2014-4650).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4616
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4650
http://bugs.python.org/issue21766
http://openwall.com/lists/oss-security/2014/06/26/3
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134903.html
URL: (none) => http://lwn.net/Vulnerabilities/603975/
trying to reproduce this method: http://bugs.python.org/issue21766

before update:

[root@localhost subdir]# curl http://localhost:8000/cgi-bin/subdir/test.py
<head>
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code 403.
<p>Message: CGI script is not a plain file ('/cgi-bin/subdir').
<p>Error code explanation: 403 = Request forbidden -- authorization will not help.
</body>

and:

[root@localhost subdir]# curl http://localhost:8000/cgi-bin/subdir%2ftest.py
{"text": "This is a Test"}

this seems to be the explained behaviour.

After update:

[root@localhost subdir]# curl http://localhost:8000/cgi-bin/subdir%2ftest.py
<head>
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code 403.
<p>Message: CGI script is not a plain file ('/cgi-bin/subdir').
<p>Error code explanation: 403 = Request forbidden -- authorization will not help.
</body>

the code will not be executed anymore? This seems to be the corrected behaviour? Or am I wrong?

used python: python-2.7.6-1.2.mga4.i586
CC: (none) => marc.lattemann
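The decode-order problem behind CVE-2014-4650, as exercised by the test in the comment above, modelled as an added example (not part of the bug thread and not CPython's own code): the CGI script segment is picked either before or after percent-decoding, and requests where the two orders disagree are flagged. The function names and the access-log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Default CGIHTTPRequestHandler.cgi_directories in the standard library.
CGI_DIRS = ("/cgi-bin", "/htbin")

def script_segment(path):
    """Return the first path segment below a CGI directory, or None."""
    for d in CGI_DIRS:
        if path.startswith(d + "/"):
            return path[len(d) + 1:].split("/", 1)[0]
    return None

def split_then_decode(raw):
    """Flawed order: pick the script on the raw path, decode it afterwards."""
    seg = script_segment(raw.split("?", 1)[0])
    return None if seg is None else unquote(seg)

def decode_then_split(raw):
    """Corrected order: decode the whole path before picking the script."""
    return script_segment(unquote(raw.split("?", 1)[0]))

def flag_requests(log_lines):
    """Return request paths whose CGI script differs between the two orders."""
    req = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
    flagged = []
    for line in log_lines:
        m = req.search(line)
        if m and split_then_decode(m.group(1)) != decode_then_split(m.group(1)):
            flagged.append(m.group(1))
    return flagged

# Constructed access-log lines in the format the server writes to stderr.
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Jul/2014 10:00:01] "GET /cgi-bin/subdir/test.py HTTP/1.1" 403 -',
    '127.0.0.1 - - [01/Jul/2014 10:00:02] "GET /cgi-bin/subdir%2ftest.py HTTP/1.1" 200 -',
    '127.0.0.1 - - [01/Jul/2014 10:00:03] "GET /cgi-bin/my%20script.py?x=1 HTTP/1.1" 200 -',
    '127.0.0.1 - - [01/Jul/2014 10:00:04] "GET /index.html HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for path in flag_requests(SAMPLE_LOG):
        print("encoded separator in CGI path:", path)
```

An encoded space decodes to the same script name in both orders and is not flagged; only an encoded separator changes which file the request resolves to.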
Sorry, having very bad connection here, but I guess you can find a test here : hg.python.org/cpython/rev/b4bab0788768
(In reply to Marc Lattemann from comment #6)
> the code will not be executed anymore? This seems to be the corrected
> behaviour?
>
yes so your test is ok, thanks
Specific procedure in comment 6
General Testing Procedure: https://bugs.mageia.org/show_bug.cgi?id=12772#c6 onwards
Whiteboard: MGA3TOO => MGA3TOO has_procedure
(In reply to Philippe Makowski from comment #8)
> yes so your test is ok, thanks

Thanks for confirmation. I will proceed then with this specific test for the other versions and archs (maybe I will not finish today, because of a silly football game, which seems to be important for Germans :) )
CC: marc.lattemann => (none)
tested for python3 for mga4 32 bit (as in comment #6):

[root@localhost subdir]# curl http://localhost:8000/cgi-bin/subdir%2ftest.py

will be prevented for execution as well. So adding tag mga4-32-OK

Will now continue with 64bit and mga3 testing
CC: (none) => marc.lattemann
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-32-OK
tested for MGA4 64bit, MGA3 32 and 64 bit:

[root@localhost subdir]# curl http://localhost:8000/cgi-bin/subdir%2ftest.py

will be prevented for execution for all variants... tested the installation of the related packages as well. So for me everything works fine.

Please upload advisories, validate the update and push the packages to updates. Thanks.
Whiteboard: MGA3TOO has_procedure MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK MGA4-32-OK
Well done Marc, keep going!

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure advisory MGA3-32-OK MGA3-64-OK MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0285.html
Status: NEW => RESOLVED
CC: (none) => pterjan
Resolution: (none) => FIXED
LWN reference for CVE-2014-4650: http://lwn.net/Vulnerabilities/604859/