A CVE has been assigned for an issue fixed in Python 2.7.8: http://openwall.com/lists/oss-security/2014/09/25/47 The upstream bug links to the commit that fixed it. Mageia 3 is also affected.
Whiteboard: (none) => MGA3TOO
Fixed with python-2.7.6-1.3.mga4. Fixed with python-2.7.6-1.3.mga3 but it fails to build due to sqlite3 3.8.x in updates_testing. To fix the build https://hg.python.org/cpython/rev/1763e27a182d is needed, but you don't want to link python against sqlite3 3.8.x unless this new version will be pushed.
CC: (none) => oe
Thanks Oden. We should add that patch, but we can do it later. I've asked in IRC and CC'd sysadmins here to remove sqlite3 from Mageia 3 updates_testing for now so that we can get this built.
CC: (none) => sysadmin-bugs
sqlite3 3.8.6 is still in updates_testing.
Also, lib[64]png-devel-1.6.12 is in updates_testing which will pose more serious problems if there and if pushed.
(In reply to Oden Eriksson from comment #4)
> Also, lib[64]png-devel-1.6.12 is in updates_testing which will pose more
> serious problems if there and if pushed.

I just asked in IRC again. I hadn't noticed the libpng16's devel package was misnamed (should be libpng16-devel), so that'll have to be fixed too.
CC: (none) => doktor5000
https://bugs.mageia.org/show_bug.cgi?id=14071#c26
This is now built. I'll post an advisory later.
CC: sysadmin-bugs => makowski.mageia
Assignee: makowski.mageia => qa-bugs
Note the PoC at the bottom of the CVE request: http://openwall.com/lists/oss-security/2014/09/23/5

Advisory:
========================

Updated python packages fix security vulnerability:

Python before 2.7.8 is vulnerable to an integer overflow in the buffer type (CVE-2014-7185).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7185
http://openwall.com/lists/oss-security/2014/09/25/47
========================

Updated packages in core/updates_testing:
========================
python-2.7.6-1.3.mga3
libpython2.7-2.7.6-1.3.mga3
libpython-devel-2.7.6-1.3.mga3
python-docs-2.7.6-1.3.mga3
tkinter-2.7.6-1.3.mga3
tkinter-apps-2.7.6-1.3.mga3
python-2.7.6-1.3.mga4
libpython2.7-2.7.6-1.3.mga4
libpython-devel-2.7.6-1.3.mga4
python-docs-2.7.6-1.3.mga4
tkinter-2.7.6-1.3.mga4
tkinter-apps-2.7.6-1.3.mga4

from SRPMS:
python-2.7.6-1.3.mga3.src.rpm
python-2.7.6-1.3.mga4.src.rpm
Testing procedure
=================

Test against the PoC:

--- overflow.py ---
import sys
a = bytearray('CVE request')
b = buffer(a, sys.maxsize, sys.maxsize)
print b[:8192]
-------------------

Make sure python still works properly with python applications (e.g. isodumper or pychess), etc.

Test more if you know python :-)
CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
python tkinter pychess

default install of python tkinter pychess

[root@localhost wilcal]# urpmi python
Package python-2.7.6-1.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi tkinter
Package tkinter-2.7.6-1.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi pychess
Package pychess-0.10.1-7.mga4.noarch is already installed

I can play pychess. I lost.

install python & tkinter from updates_testing

[root@localhost wilcal]# urpmi python
Package python-2.7.6-1.3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi tkinter
Package tkinter-2.7.6-1.3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi pychess
Package pychess-0.10.1-7.mga4.noarch is already installed

I can play pychess. I lost again.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
python tkinter pychess

default install of python tkinter pychess

root@localhost wilcal]# urpmi python
Package python-2.7.6-1.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi tkinter
Package tkinter-2.7.6-1.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi pychess
Package pychess-0.10.1-7.mga4.noarch is already installed

I can play pychess.

install python & tkinter from updates_testing

[root@localhost wilcal]# urpmi python
Package python-2.7.6-1.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi tkinter
Package tkinter-2.7.6-1.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi pychess
Package pychess-0.10.1-7.mga4.noarch is already installed

I can play pychess.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
python tkinter pychess

default install of python tkinter pychess

[root@localhost wilcal]# urpmi python
Package python-2.7.6-1.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi tkinter
Package tkinter-2.7.6-1.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi pychess
Package pychess-0.10.1-5.mga3.noarch is already installed

I can play pychess

install python & tkinter from updates_testing

[root@localhost wilcal]# urpmi python
Package python-2.7.6-1.3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi tkinter
Package tkinter-2.7.6-1.3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi pychess
Package pychess-0.10.1-5.mga3.noarch is already installed

I can play pychess

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
python tkinter pychess

default install of python tkinter pychess

[root@localhost wilcal]# urpmi python
Package python-2.7.6-1.2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi tkinter
Package tkinter-2.7.6-1.2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi pychess
Package pychess-0.10.1-5.mga3.noarch is already installed

I can play pychess

install python & tkinter from updates_testing

[root@localhost wilcal]# urpmi python
Package python-2.7.6-1.3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi tkinter
Package tkinter-2.7.6-1.3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi pychess
Package pychess-0.10.1-5.mga3.noarch is already installed

I can play pychess

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
William, this update only affects the 'buffer' datatype, it's a small patch. Have you tried the PoC? I just tried it and it prints garbage all over the terminal (before the update). Probably dumping memory it's not supposed to be accessing. It shouldn't do that after the update.
(In reply to David Walser from comment #14)
> William, this update only affects the 'buffer' datatype, it's a small patch.
> Have you tried the PoC?....

I'm not a python expert at all. I see the code that Rémi put in above and I wouldn't really know how to apply that. But, I still have the four Vbox Clients on disk that I can go back again and run some additional tests on. Any simple coaching would be great how to run that.
Bill HTH $ cat overflow.py import sys a = bytearray('CVE request') b = buffer(a, sys.maxsize, sys.maxsize) print b[:8192] $ python overflow.py { (̵�{(̵�{����-�fØh���P����O� 0R �� ��� ` �xƵ�{lZed�Zeeejej�Zed GH�` �����xƵ�{` �@{`е�{����������������������{ ...etc
Basically you have to put the content of the following script in a text file (that you can name overflow.py as in the example):

import sys
a = bytearray('CVE request')
b = buffer(a, sys.maxsize, sys.maxsize)
print b[:8192]

Then run:
$ python overflow.py
You can also start python directly (with the "python" command), and then copy paste the four lines one after the other in the python interpreter.
(In reply to Rémi Verschelde from comment #17)

In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
python

> Then run:
> $ python overflow.py

Which resulted in a whole bunch of gibberish being scribbled all over the terminal window. Then:

[wilcal@localhost python]$

I was then able to try and beat the computer at PyChess again, and lost.

Is this what we are expecting?
No, with the updated packages it should not print gibberish.

I just ran it by typing the code into the python interactive interpreter with the updated packages on Mageia 3 i586:

>>> import sys
>>> a=bytearray('CVE request')
>>> b=buffer(a,sys.maxsize,sys.maxsize)
>>> print b[:8192]

>>>

So if you run it as a script file, the expected output is one blank line.
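Why the PoC arguments matter, as an added example that is not part of the original thread and is not CPython source: a simplified C model of clamping a requested (offset, size) view to an 11-byte object, once with an additive bounds check that wraps and once with a subtractive check that cannot. The names `view_t`, `clamp_unchecked`, `clamp_checked` and `in_bounds` are hypothetical, and the model assumes non-negative inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a view over `count` bytes requested as
 * (offset, size); names are illustrative, not CPython source.
 * Callers pass non-negative offset and size. */
typedef struct { ptrdiff_t offset, size; } view_t;

/* Unchecked clamp: compares offset + size against count. The sum is
 * formed in unsigned arithmetic so the wraparound is reproducible
 * (signed overflow itself is undefined behaviour in C). */
static view_t clamp_unchecked(ptrdiff_t count, ptrdiff_t offset, ptrdiff_t size)
{
    view_t v = { offset > count ? count : offset, size };
    ptrdiff_t end = (ptrdiff_t)((size_t)v.offset + (size_t)v.size);
    if (end > count)            /* wrapped sum is negative: check is skipped */
        v.size = count - v.offset;
    return v;
}

/* Checked clamp: count - offset lies in [0, count], so it cannot overflow. */
static view_t clamp_checked(ptrdiff_t count, ptrdiff_t offset, ptrdiff_t size)
{
    view_t v = { offset > count ? count : offset, size };
    if (v.size > count - v.offset)
        v.size = count - v.offset;
    return v;
}

/* True when the view stays inside the underlying object. */
static int in_bounds(view_t v, ptrdiff_t count)
{
    return v.offset >= 0 && v.offset <= count && v.size >= 0 && v.size <= count - v.offset;
}

int main(void)
{
    const ptrdiff_t count = 11;  /* length of 'CVE request' */
    view_t bad  = clamp_unchecked(count, PTRDIFF_MAX, PTRDIFF_MAX);
    view_t good = clamp_checked(count, PTRDIFF_MAX, PTRDIFF_MAX);
    printf("unchecked: offset=%td size=%td in_bounds=%d\n", bad.offset, bad.size, in_bounds(bad, count));
    printf("checked:   offset=%td size=%td in_bounds=%d\n", good.offset, good.size, in_bounds(good, count));
    return 0;
}
```

The checked variant yields a zero-length view at the end of the object, which corresponds to the single blank line expected from the PoC on the updated packages.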
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK
(In reply to David Walser from comment #20)
> So if you run it as a script file, the expected output is one blank line.

In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
python

install python from updates_testing

[root@localhost wilcal]# urpmi python
Package python-2.7.6-1.3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi tkinter
Package tkinter-2.7.6-1.3.mga4.i586 is already installed

Create:
--- overflow.py ---
import sys
a = bytearray('CVE request')
b = buffer(a, sys.maxsize, sys.maxsize)
print b[:8192]
-------------------

[wilcal@localhost python]$ python overflow.py

Fills the terminal with gibberish. What am I doing wrong?
(In reply to William Kenney from comment #21)
> Fills the terminal with jibberish. What am I doing wrong?

Most likely, you haven't installed (all of) the updated packages. See the package list in Comment 8. My guess would be that you haven't updated libpython2.7.
Testing complete on Mageia 4 32bit with the PoC. mageiawelcome still runs fine.
Whiteboard: MGA3TOO has_procedure MGA3-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK
Testing complete mga4 64

Before - as comment 16

After
-----
$ python overflow.py

$

Also tested some random scripts from here pasted into idle
https://wiki.python.org/moin/SimplePrograms

Paste into idle 'edit window' and run (Run => Run Module)
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK mga4-64-ok
Testing complete mga3 64
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK mga4-64-ok => MGA3TOO has_procedure MGA3-32-OK mga3-64-ok MGA4-32-OK mga4-64-ok
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates?

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-32-OK mga3-64-ok MGA4-32-OK mga4-64-ok => MGA3TOO has_procedure advisory MGA3-32-OK mga3-64-ok MGA4-32-OK mga4-64-ok
CC: (none) => sysadmin-bugs
Fedora has issued an advisory for this on September 26: https://lists.fedoraproject.org/pipermail/package-announce/2014-October/139663.html
URL: (none) => http://lwn.net/Vulnerabilities/614407/
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0399.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED