Fedora has issued an advisory on June 26:
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134761.html

If I'm reading the upstream bug report correctly, it sounds like the simplejson in Python itself isn't affected, but the external one at least back to 3.2.0 is. If so, Mageia 4 would also be affected. I'm not sure about Mageia 3.
Whiteboard: (none) => MGA4TOO
URL: (none) => http://lwn.net/Vulnerabilities/603750/
Updated packages:
python-simplejson-2.6.0-2.1.mga3
python-simplejson-3.3.0-3.1.mga4
python-simplejson-3.5.3-1.mga5

Need to write the advisory.
Whiteboard: MGA4TOO => MGA4TOO MGA3TOO
Thanks Philippe! I think this should suffice as an advisory.

Advisory:
========================

Updated python-simplejson package fixes security vulnerability:

Python 2 and 3 are susceptible to arbitrary process memory reading by a user or adversary due to a bug in the _json module caused by insufficient bounds checking. The bug is caused by allowing the user to supply a negative value that is used as an array index, causing the scanstring function to access process memory outside of the string it is intended to access.

References:
https://hackerone.com/reports/12297
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134761.html
========================

Updated packages in core/updates_testing:
========================
python-simplejson-2.6.0-2.1.mga3
python-simplejson-3.3.0-3.1.mga4

from SRPMS:
python-simplejson-2.6.0-2.1.mga3.src.rpm
python-simplejson-3.3.0-3.1.mga4.src.rpm
CC: (none) => makowski.mageia
Version: Cauldron => 4
Assignee: makowski.mageia => qa-bugs
Whiteboard: MGA4TOO MGA3TOO => MGA3TOO
and python3-simplejson-3.3.0-3.1.mga4
Oh wait, this is CVE-2014-4616, so it actually does affect python's bundled module (in fact that's what the advisory blurb says). The upstream Python bug has links to commits to fix it in Python itself: http://bugs.python.org/issue21529 We should actually fix this in python/python3 as well before pushing to QA. There's also CVE-2014-4650, which I also reported in Bug 13588, for python/python3 which I imagine we'll fix at the same time.
CC: (none) => qa-bugs
Blocks: (none) => 13588
Assignee: qa-bugs => makowski.mageia
Summary: python-simplejson possible security issue fixed upstream in 3.5.3 => python-simplejson security issue fixed upstream in 3.5.3 (CVE-2014-4616)
The python and python3 packages have been patched. Handling that in Bug 13588.

Advisory:
========================

Updated python-simplejson package fixes security vulnerability:

Python 2 and 3 are susceptible to arbitrary process memory reading by a user or adversary due to a bug in the _json module caused by insufficient bounds checking. The bug is caused by allowing the user to supply a negative value that is used as an array index, causing the scanstring function to access process memory outside of the string it is intended to access (CVE-2014-4616).

This issue also affected the python-simplejson package, which has been patched to fix the bug.

References:
http://bugs.python.org/issue21529
http://openwall.com/lists/oss-security/2014/06/24/7
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134761.html
========================

Updated packages in core/updates_testing:
========================
python-simplejson-2.6.0-2.1.mga3
python-simplejson-3.3.0-3.1.mga4
python3-simplejson-3.3.0-3.1.mga4

from SRPMS:
python-simplejson-2.6.0-2.1.mga3.src.rpm
python-simplejson-3.3.0-3.1.mga4.src.rpm
CC: qa-bugs => (none)
Assignee: makowski.mageia => qa-bugs
Severity: normal => major
Forgot the CVE URL in the advisory.

Advisory:
========================

Updated python-simplejson package fixes security vulnerability:

Python 2 and 3 are susceptible to arbitrary process memory reading by a user or adversary due to a bug in the _json module caused by insufficient bounds checking. The bug is caused by allowing the user to supply a negative value that is used as an array index, causing the scanstring function to access process memory outside of the string it is intended to access (CVE-2014-4616).

This issue also affected the python-simplejson package, which has been patched to fix the bug.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4616
http://bugs.python.org/issue21529
http://openwall.com/lists/oss-security/2014/06/24/7
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134761.html
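The mechanism the advisory above describes (a caller-supplied `end` index that reaches the string scanner unchecked and lets it read outside the JSON string) as an added example for this page; this is a pure-Python model, not code from CPython, simplejson or the Mageia packages. The buffer layout, the `scan_*` helpers and the "process memory" bytes are constructed here for illustration; the model keeps only the `end` argument and the `(chunk, next_end)` return shape of the real scanner.

```python
# Added example (not CPython, simplejson or Mageia code): a pure-Python model of
# the JSON scanstring() entry point, showing the missing lower-bound check
# behind CVE-2014-4616 and the check the fix adds. Names and buffer layout are
# this example's own constructions.

# Constructed "process memory": the JSON text the scanner is meant to read sits
# between unrelated data that must never be handed back to the caller.
HEAP_BEFORE = b"SECRET_A="
JSON_TEXT = b'"hello"'
HEAP_AFTER = b"=SECRET_B"
MEMORY = HEAP_BEFORE + JSON_TEXT + HEAP_AFTER
BASE = len(HEAP_BEFORE)  # offset of JSON_TEXT inside MEMORY


def scan_unchecked(end):
    """Model of the vulnerable scanner.

    `end` is the index just past the opening quote, relative to the start of
    JSON_TEXT.  As in the unpatched C code, the scan loop is bounded above by
    the string length, so it can never run past the end of the string, but
    nothing checks that `end` is non-negative: a negative `end` becomes a raw
    offset into the memory that precedes the string, and whatever lies there
    is returned to the caller as "string contents".
    Returns (chunk, next_end) like the real function.
    """
    out = bytearray()
    i = BASE + end  # no check that 0 <= end
    if i < 0:
        # A C reader would dereference unmapped memory here; model it as a crash.
        raise IndexError("model: read before the start of mapped memory")
    while i < BASE + len(JSON_TEXT):  # upper bound is the string length
        c = MEMORY[i]
        if c == ord('"'):
            return bytes(out), (i - BASE) + 1
        out.append(c)
        i += 1
    raise ValueError("unterminated string")


def scan_checked(end):
    """Patched model: refuse `end` outside [0, len(JSON_TEXT)] before any
    memory is touched.  This is the shape of the bounds check the fix adds."""
    if end < 0 or end > len(JSON_TEXT):
        raise ValueError("end is out of bounds")
    return scan_unchecked(end)


def rejects(end):
    """True if the patched model refuses this `end` with the bounds error
    (an 'unterminated string' error is a normal parse failure, not a rejection)."""
    try:
        scan_checked(end)
    except ValueError as exc:
        return str(exc) == "end is out of bounds"
    return False


if __name__ == "__main__":
    print("normal parse:", scan_checked(1))          # (b'hello', 7)
    print("unchecked, end=-9:", scan_unchecked(-9))  # (b'SECRET_A=', 1): bytes from before the string
    print("patched rejects end=-9:", rejects(-9))    # True
```

With `end=1` both models return the five characters of `hello` and the index after the closing quote. With `end=-9` the unchecked model walks through the nine bytes that precede the string and returns them as if they were JSON, which is the memory disclosure the advisory describes; the checked model raises before reading anything.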
Correct me if I'm wrong: JSON depends on python-simplejson, and JSON is built into Firefox. So is there a website I can go to that exercises JSON, or something, so that I can test if this update works? Let's make a simple procedure that we can use now and in the future. Thanks.
CC: (none) => wilcal.int
Python has its own built-in JSON implementation, and if Firefox uses that it would as well. You can see what depends on this package with "urpmi --whatrequires python-simplejson".
David, it is rather this: :-)
urpmq --whatrequires python-simplejson
CC: (none) => geiger.david68210
Thanks guys back soon.
You have simple tests on the first documentation page:
http://simplejson.readthedocs.org/en/latest/
And the package itself runs tests during the build, including one for the CVE fix.
In VirtualBox, M3, KDE, 32-bit

Package(s) under test: python-simplejson zim

zim has only one package dependency and that is python-simplejson

default install of python-simplejson zim

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-2.6.0-2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-1.mga3.noarch is already installed

zim creates and saves a desktop Wiki

install python-simplejson from updates_testing

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-2.6.0-2.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-1.mga3.noarch is already installed

zim creates and saves a new desktop Wiki
zim loads and reads previously created Wiki

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK
(In reply to Philippe Makowski from comment #11)
> you have simple tests on the first documentation page :
> http://simplejson.readthedocs.org/en/latest/

Is what I did in Comment #13 OK?
In VirtualBox, M3, KDE, 64-bit

Package(s) under test: python-simplejson zim

zim has only one package dependency and that is python-simplejson

default install of python-simplejson zim

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-2.6.0-2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-1.mga3.noarch is already installed

zim creates and saves a desktop Wiki

install python-simplejson from updates_testing

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-2.6.0-2.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-1.mga3.noarch is already installed

zim creates and saves a new desktop Wiki
zim loads and reads previously created Wiki

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: MGA3TOO MGA3-32-OK => MGA3TOO MGA3-32-OK MGA3-64-OK
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: python-simplejson zim

zim has only one package dependency and that is python-simplejson

default install of python-simplejson zim

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-3.3.0-3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-3.mga4.noarch is already installed

zim creates and saves a desktop Wiki

install python-simplejson from updates_testing

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-3.3.0-3.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-3.mga4.noarch is already installed

zim creates and saves a new desktop Wiki
zim loads and reads previously created Wiki

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK
In VirtualBox, M4, KDE, 64-bit

Package(s) under test: python-simplejson zim

zim has only one package dependency and that is python-simplejson

default install of python-simplejson zim

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-3.3.0-3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-3.mga4.noarch is already installed

zim creates and saves a desktop Wiki

install python-simplejson from updates_testing

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-3.3.0-3.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-3.mga4.noarch is already installed

zim creates and saves a new Wiki
zim loads and reads previously created Wiki

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
This testing seems to indicate that the update is good to go. What say ye all?
I uploaded the advisory, I'll let you confirm whether the update is good to go :-)
CC: (none) => remi
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
(In reply to Rémi Verschelde from comment #19)
> I uploaded the advisory, I'll let you confirm whether the update is good to
> go :-)

Thanks Rémi. If David's comfortable with this then I'll turn it loose.
I am. Let's ship it :o)
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

Validating the update. Could someone from the sysadmin team push this to updates? Thanks.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0286.html
Status: NEW => RESOLVED
CC: (none) => pterjan
Resolution: (none) => FIXED
URL: http://lwn.net/Vulnerabilities/603750/ => http://lwn.net/Vulnerabilities/603975/