Bug 13601 - python-simplejson security issue fixed upstream in 3.5.3 (CVE-2014-4616)
Summary: python-simplejson security issue fixed upstream in 3.5.3 (CVE-2014-4616)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/603975/
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32...
Keywords: validated_update
Depends on:
Blocks: 13588
Reported: 2014-06-27 14:13 CEST by David Walser
Modified: 2014-07-24 16:07 CEST (History)

See Also:
Source RPM: python-simplejson-3.4.0-2.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2014-06-27 14:13:48 CEST
Fedora has issued an advisory on June 26:
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134761.html

If I'm reading the upstream bug report correctly, it sounds like the simplejson in Python itself isn't affected, but the external one at least back to 3.2.0 is.  If so, Mageia 4 would also be affected.  I'm not sure about Mageia 3.

David Walser 2014-06-27 14:14:03 CEST

Whiteboard: (none) => MGA4TOO

David Walser 2014-06-27 18:29:20 CEST

URL: (none) => http://lwn.net/Vulnerabilities/603750/

Comment 1 Philippe Makowski 2014-06-28 17:27:29 CEST
Updated packages:

 python-simplejson-2.6.0-2.1.mga3
 python-simplejson-3.3.0-3.1.mga4
 python-simplejson-3.5.3-1.mga5

Need to write the advisory.
Philippe Makowski 2014-06-28 17:27:58 CEST

Whiteboard: MGA4TOO => MGA4TOO MGA3TOO

Comment 2 David Walser 2014-06-28 18:20:40 CEST
Thanks Philippe!

I think this should suffice as an advisory.

Advisory:
========================

Updated python-simplejson package fixes security vulnerability:

Python 2 and 3 are susceptible to arbitrary process memory reading by a user
or adversary due to a bug in the _json module caused by insufficient bounds
checking. The bug is caused by allowing the user to supply a negative value
that is used as an array index, causing the scanstring function to access
process memory outside of the string it is intended to access.

References:
https://hackerone.com/reports/12297
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134761.html
========================

Updated packages in core/updates_testing:
========================
python-simplejson-2.6.0-2.1.mga3
python-simplejson-3.3.0-3.1.mga4

from SRPMS:
python-simplejson-2.6.0-2.1.mga3.src.rpm
python-simplejson-3.3.0-3.1.mga4.src.rpm

CC: (none) => makowski.mageia
Version: Cauldron => 4
Assignee: makowski.mageia => qa-bugs
Whiteboard: MGA4TOO MGA3TOO => MGA3TOO

Comment 3 Philippe Makowski 2014-06-28 18:38:28 CEST
and python3-simplejson-3.3.0-3.1.mga4
Comment 4 David Walser 2014-06-28 19:39:15 CEST
Oh wait, this is CVE-2014-4616, so it actually does affect python's bundled module (in fact that's what the advisory blurb says).  The upstream Python bug has links to commits to fix it in Python itself:
http://bugs.python.org/issue21529

We should actually fix this in python/python3 as well before pushing to QA.

There's also CVE-2014-4650, which I also reported in Bug 13588, for python/python3 which I imagine we'll fix at the same time.

CC: (none) => qa-bugs
Blocks: (none) => 13588
Assignee: qa-bugs => makowski.mageia
Summary: python-simplejson possible security issue fixed upstream in 3.5.3 => python-simplejson security issue fixed upstream in 3.5.3 (CVE-2014-4616)

Comment 5 David Walser 2014-06-28 22:37:22 CEST
The python and python3 packages have been patched.  Handling that in Bug 13588.

Advisory:
========================

Updated python-simplejson package fixes security vulnerability:

Python 2 and 3 are susceptible to arbitrary process memory reading by a user
or adversary due to a bug in the _json module caused by insufficient bounds
checking. The bug is caused by allowing the user to supply a negative value
that is used as an array index, causing the scanstring function to access
process memory outside of the string it is intended to access
(CVE-2014-4616).

This issue also affected the python-simplejson package, which has been
patched to fix the bug.

References:
http://bugs.python.org/issue21529
http://openwall.com/lists/oss-security/2014/06/24/7
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134761.html
========================

Updated packages in core/updates_testing:
========================
python-simplejson-2.6.0-2.1.mga3
python-simplejson-3.3.0-3.1.mga4
python3-simplejson-3.3.0-3.1.mga4

from SRPMS:
python-simplejson-2.6.0-2.1.mga3.src.rpm
python-simplejson-3.3.0-3.1.mga4.src.rpm

CC: qa-bugs => (none)
Assignee: makowski.mageia => qa-bugs
Severity: normal => major

Comment 6 David Walser 2014-06-30 23:20:52 CEST
Forgot the CVE URL in the advisory.

Advisory:
========================

Updated python-simplejson package fixes security vulnerability:

Python 2 and 3 are susceptible to arbitrary process memory reading by a user
or adversary due to a bug in the _json module caused by insufficient bounds
checking. The bug is caused by allowing the user to supply a negative value
that is used as an array index, causing the scanstring function to access
process memory outside of the string it is intended to access
(CVE-2014-4616).

This issue also affected the python-simplejson package, which has been
patched to fix the bug.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4616
http://bugs.python.org/issue21529
http://openwall.com/lists/oss-security/2014/06/24/7
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134761.html
Comment 7 William Kenney 2014-07-06 18:58:36 CEST
Correct me if I'm wrong: JSON depends on python-simplejson, and JSON
is built into Firefox. So is there a website I can go to that
exercises JSON, or something, that I can test if this update works?
Let's make a simple procedure that we can use now and in the future.
Thanks.

CC: (none) => wilcal.int

Comment 8 David Walser 2014-07-06 19:04:02 CEST
Python has its own built in JSON implementation, and if Firefox uses that it would as well.  You can see what depends on this package with "urpmi --whatrequires python-simplejson"
Comment 9 David GEIGER 2014-07-06 19:07:30 CEST
David, it is rather this: :-)

urpmq --whatrequires python-simplejson

CC: (none) => geiger.david68210

Comment 10 William Kenney 2014-07-06 19:25:16 CEST
Thanks guys, back soon.
Comment 11 Philippe Makowski 2014-07-06 19:43:32 CEST
You have simple tests on the first documentation page:
http://simplejson.readthedocs.org/en/latest/
Comment 12 Philippe Makowski 2014-07-06 19:46:49 CEST
And the package itself runs tests during the build, including one for the CVE fix.
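A stand-alone probe of the kind that build-time test performs, added here as an example (it is not from the bug report, the Mageia packages or simplejson's own test suite): it calls scanstring directly with end indices outside the string, the condition the advisory describes, and confirms a patched implementation rejects them with ValueError instead of reading adjacent process memory. The simplejson attribute name c_scanstring and the probe string are assumptions of this example.

```python
"""Probe for CVE-2014-4616: scanstring(s, end) must reject an end index
outside the string instead of reading adjacent process memory.
Constructed example for this bug report; not code from the Mageia packages
or from simplejson's own test suite."""
import json.decoder

PROBE_STRING = '"abc"'                      # constructed input
# The upstream fix treats end < 0 or end > len(s) as out of bounds.
BAD_INDICES = (-1, -1000, len(PROBE_STRING) + 1)
STDLIB_SCAN = json.decoder.scanstring       # C accelerator from _json on CPython

def probe_scanstring(scan=STDLIB_SCAN, text=PROBE_STRING, indices=BAD_INDICES):
    """Map each bad index to 'rejected' (ValueError raised) or 'accepted'.
    Patched: ValueError("end is out of bounds"); unpatched: returns data read
    from before or after the buffer."""
    outcome = {}
    for idx in indices:
        try:
            scan(text, idx)
        except ValueError:      # JSONDecodeError is a ValueError subclass
            outcome[idx] = "rejected"
        else:
            outcome[idx] = "accepted"
    return outcome

def still_decodes(scan=STDLIB_SCAN, text=PROBE_STRING):
    """A legitimate call (index just past the opening quote) must still work,
    so a scanner that rejects everything does not pass as fixed."""
    value, end = scan(text, 1)
    return value == "abc" and end == len(text)

def scanstring_is_fixed(scan=STDLIB_SCAN):
    return still_decodes(scan) and all(
        v == "rejected" for v in probe_scanstring(scan).values())

def check_installed():
    """Check the stdlib scanner and, if installed, simplejson's C speedups.
    Assumption: simplejson.decoder names its C scanner c_scanstring
    (None when the speedups are not built), mirroring the stdlib name."""
    results = {"json": scanstring_is_fixed(STDLIB_SCAN)}
    try:
        import simplejson.decoder as sjd
    except ImportError:
        return results
    if getattr(sjd, "c_scanstring", None) is not None:
        results["simplejson"] = scanstring_is_fixed(sjd.c_scanstring)
    return results

if __name__ == "__main__":
    for name, fixed in check_installed().items():
        print(f"{name}: {'patched' if fixed else 'VULNERABLE'}")
```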
Comment 13 William Kenney 2014-07-06 20:27:14 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
python-simplejson zim

zim has only one package dependency and that is python-simplejson

default install of python-simplejson zim

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-2.6.0-2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-1.mga3.noarch is already installed

zim creates and saves a desktop Wiki

install python-simplejson from updates_testing

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-2.6.0-2.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-1.mga3.noarch is already installed

zim creates and saves a new desktop Wiki
zim loads and reads previously created Wiki

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK

Comment 14 William Kenney 2014-07-06 20:28:32 CEST
(In reply to Philippe Makowski from comment #11)

> you have simple tests on the first documentation page :
> http://simplejson.readthedocs.org/en/latest/

Is what I did in Comment #13 OK?
Comment 15 William Kenney 2014-07-06 21:45:41 CEST
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
python-simplejson zim

zim has only one package dependency and that is python-simplejson

default install of python-simplejson zim

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-2.6.0-2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-1.mga3.noarch is already installed

zim creates and saves a desktop Wiki

install python-simplejson from updates_testing

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-2.6.0-2.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-1.mga3.noarch is already installed

zim creates and saves a new desktop Wiki
zim loads and reads previously created Wiki

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard: MGA3TOO MGA3-32-OK => MGA3TOO MGA3-32-OK MGA3-64-OK

Comment 16 William Kenney 2014-07-06 22:25:00 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
python-simplejson zim

zim has only one package dependency and that is python-simplejson

default install of python-simplejson zim

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-3.3.0-3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-3.mga4.noarch is already installed

zim creates and saves a desktop Wiki

install python-simplejson from updates_testing

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-3.3.0-3.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-3.mga4.noarch is already installed

zim creates and saves a new desktop Wiki
zim loads and reads previously created Wiki

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK

Comment 17 William Kenney 2014-07-06 22:39:27 CEST
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
python-simplejson zim

zim has only one package dependency and that is python-simplejson

default install of python-simplejson zim

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-3.3.0-3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-3.mga4.noarch is already installed

zim creates and saves a desktop Wiki

install python-simplejson from updates_testing

[root@localhost wilcal]# urpmi python-simplejson
Package python-simplejson-3.3.0-3.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi zim
Package zim-0.60-3.mga4.noarch is already installed

zim creates and saves a new Wiki
zim loads and reads previously created Wiki

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 18 William Kenney 2014-07-06 22:40:26 CEST
This testing seems to indicate that the update is good to go.
What say ye all?
Comment 19 Rémi Verschelde 2014-07-06 23:01:21 CEST
I uploaded the advisory, I'll let you confirm whether the update is good to go :-)

CC: (none) => remi
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory

Comment 20 William Kenney 2014-07-06 23:41:57 CEST
(In reply to Rémi Verschelde from comment #19)
> I uploaded the advisory, I'll let you confirm whether the update is good to
> go :-)

Thanks Rémi. If David's comfortable with this then I'll turn it loose.
Comment 21 David Walser 2014-07-06 23:56:22 CEST
I am.  Let's ship it :o)
Comment 22 William Kenney 2014-07-07 00:14:02 CEST
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 23 Pascal Terjan 2014-07-09 00:40:14 CEST
http://advisories.mageia.org/MGASA-2014-0286.html

Status: NEW => RESOLVED
CC: (none) => pterjan
Resolution: (none) => FIXED

David Walser 2014-07-24 16:07:00 CEST

URL: http://lwn.net/Vulnerabilities/603750/ => http://lwn.net/Vulnerabilities/603975/
