Bug 14177 - python new security issue CVE-2014-7185
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/614407/
Whiteboard: MGA3TOO has_procedure advisory MGA3-3...
Keywords: validated_update
 
Reported: 2014-09-25 22:42 CEST by David Walser
Modified: 2014-10-07 11:23 CEST

Source RPM: python-2.7.6-1.2.mga4.src.rpm

Description David Walser 2014-09-25 22:42:26 CEST
A CVE has been assigned for an issue fixed in Python 2.7.8:
http://openwall.com/lists/oss-security/2014/09/25/47

The upstream bug links to the commit that fixed it.

Mageia 3 is also affected.

David Walser 2014-09-25 22:42:32 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 Oden Eriksson 2014-09-26 16:36:55 CEST
Fixed with python-2.7.6-1.3.mga4.

Fixed with python-2.7.6-1.3.mga3 but it fails to build due to sqlite3 3.8.x in updates_testing. To fix the build https://hg.python.org/cpython/rev/1763e27a182d is needed, but you don't want to link python against sqlite3 3.8.x unless this new version will be pushed.

CC: (none) => oe

Comment 2 David Walser 2014-09-27 15:48:58 CEST
Thanks Oden.  We should add that patch, but we can do it later.  I've asked in IRC and CC'd sysadmins here to remove sqlite3 from Mageia 3 updates_testing for now so that we can get this built.

CC: (none) => sysadmin-bugs

Comment 3 Oden Eriksson 2014-09-29 15:26:44 CEST
sqlite3 3.8.6 is still in updates_testing.

Comment 4 Oden Eriksson 2014-09-29 15:29:09 CEST
Also, lib[64]png-devel-1.6.12 is in updates_testing which will pose more serious problems if there and if pushed.

Comment 5 David Walser 2014-09-29 15:31:43 CEST
(In reply to Oden Eriksson from comment #4)
> Also, lib[64]png-devel-1.6.12 is in updates_testing which will pose more
> serious problems if there and if pushed.

I just asked in IRC again.  I hadn't noticed the libpng16's devel package was misnamed (should be libpng16-devel), so that'll have to be fixed too.

CC: (none) => doktor5000

Comment 6 Oden Eriksson 2014-09-29 15:39:57 CEST
https://bugs.mageia.org/show_bug.cgi?id=14071#c26

Comment 7 David Walser 2014-09-29 19:00:36 CEST
This is now built.  I'll post an advisory later.

CC: sysadmin-bugs => makowski.mageia
Assignee: makowski.mageia => qa-bugs

Comment 8 David Walser 2014-09-30 03:14:58 CEST
Note the PoC at the bottom of the CVE request:
http://openwall.com/lists/oss-security/2014/09/23/5

Advisory:
========================

Updated python packages fix security vulnerability:

Python before 2.7.8 is vulnerable to an integer overflow in the buffer type
(CVE-2014-7185).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7185
http://openwall.com/lists/oss-security/2014/09/25/47
========================

Updated packages in core/updates_testing:
========================
python-2.7.6-1.3.mga3
libpython2.7-2.7.6-1.3.mga3
libpython-devel-2.7.6-1.3.mga3
python-docs-2.7.6-1.3.mga3
tkinter-2.7.6-1.3.mga3
tkinter-apps-2.7.6-1.3.mga3
python-2.7.6-1.3.mga4
libpython2.7-2.7.6-1.3.mga4
libpython-devel-2.7.6-1.3.mga4
python-docs-2.7.6-1.3.mga4
tkinter-2.7.6-1.3.mga4
tkinter-apps-2.7.6-1.3.mga4

from SRPMS:
python-2.7.6-1.3.mga3.src.rpm
python-2.7.6-1.3.mga4.src.rpm

Comment 9 Rémi Verschelde 2014-09-30 14:04:52 CEST
Testing procedure
=================

Test against the PoC:

--- overflow.py ---
import sys
a = bytearray('CVE request')
b = buffer(a, sys.maxsize, sys.maxsize)
print b[:8192]
-------------------

Make sure python still works properly with python applications (e.g. isodumper or pychess), etc. Test more if you know python :-)

CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 10 William Kenney 2014-09-30 20:05:09 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
python tkinter pychess

default install of python tkinter pychess

[root@localhost wilcal]# urpmi python
Package python-2.7.6-1.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi tkinter
Package tkinter-2.7.6-1.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi pychess
Package pychess-0.10.1-7.mga4.noarch is already installed

I can play pychess. I lost.

install python & tkinter from updates_testing

[root@localhost wilcal]# urpmi python
Package python-2.7.6-1.3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi tkinter
Package tkinter-2.7.6-1.3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi pychess
Package pychess-0.10.1-7.mga4.noarch is already installed

I can play pychess. I lost again.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 11 William Kenney 2014-09-30 20:20:36 CEST
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
python tkinter pychess

default install of python tkinter pychess

[root@localhost wilcal]# urpmi python
Package python-2.7.6-1.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi tkinter
Package tkinter-2.7.6-1.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi pychess
Package pychess-0.10.1-7.mga4.noarch is already installed

I can play pychess.

install python & tkinter from updates_testing

[root@localhost wilcal]# urpmi python
Package python-2.7.6-1.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi tkinter
Package tkinter-2.7.6-1.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi pychess
Package pychess-0.10.1-7.mga4.noarch is already installed

I can play pychess.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Comment 12 William Kenney 2014-09-30 21:34:57 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
python tkinter pychess

default install of python tkinter pychess

[root@localhost wilcal]# urpmi python
Package python-2.7.6-1.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi tkinter
Package tkinter-2.7.6-1.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi pychess
Package pychess-0.10.1-5.mga3.noarch is already installed

I can play pychess

install python & tkinter from updates_testing

[root@localhost wilcal]# urpmi python
Package python-2.7.6-1.3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi tkinter
Package tkinter-2.7.6-1.3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi pychess
Package pychess-0.10.1-5.mga3.noarch is already installed

I can play pychess

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Comment 13 William Kenney 2014-09-30 22:00:37 CEST
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
python tkinter pychess

default install of python tkinter pychess

[root@localhost wilcal]# urpmi python
Package python-2.7.6-1.2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi tkinter
Package tkinter-2.7.6-1.2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi pychess
Package pychess-0.10.1-5.mga3.noarch is already installed

I can play pychess

install python & tkinter from updates_testing

[root@localhost wilcal]# urpmi python
Package python-2.7.6-1.3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi tkinter
Package tkinter-2.7.6-1.3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi pychess
Package pychess-0.10.1-5.mga3.noarch is already installed

I can play pychess

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Comment 14 David Walser 2014-09-30 22:17:58 CEST
William, this update only affects the 'buffer' datatype, it's a small patch.  Have you tried the PoC?  I just tried it and it prints garbage all over the terminal (before the update).  Probably dumping memory it's not supposed to be accessing.  It shouldn't do that after the update.

Comment 15 William Kenney 2014-09-30 23:28:40 CEST
(In reply to David Walser from comment #14)

> William, this update only affects the 'buffer' datatype, it's a small patch.
> Have you tried the PoC?....

I'm not a python expert at all. I see the code that Rémi put in above
and I wouldn't really know how to apply that. But, I still have the
four Vbox Clients on disk that I can go back again and run some
additional tests on. Any simple coaching would be great how to run that.

Comment 16 claire robinson 2014-09-30 23:37:10 CEST
Bill HTH

$ cat overflow.py 
import sys
a = bytearray('CVE request')
b = buffer(a, sys.maxsize, sys.maxsize)
print b[:8192]


$ python overflow.py 
{
 (̵�{(̵�{����-�fØh���P����O�      0R �� ���       `
                                                 �xƵ�{lZed�Zeeejej�Zed GH�`
                                                                           �����xƵ�{`
                                                                                     �@{`е�{����������������������{
...etc

Comment 17 Rémi Verschelde 2014-09-30 23:50:29 CEST
Basically you have to put the content of the following script in a text file (that you can name overflow.py as in the example):

import sys
a = bytearray('CVE request')
b = buffer(a, sys.maxsize, sys.maxsize)
print b[:8192]



Then run:
$ python overflow.py

Comment 18 Rémi Verschelde 2014-09-30 23:51:03 CEST
You can also start python directly (with the "python" command), and then copy paste the four lines one after the other in the python interpreter.

Comment 19 William Kenney 2014-10-01 01:00:43 CEST
(In reply to Rémi Verschelde from comment #17)

In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
python

> Then run:
> $ python overflow.py

Which resulted in a whole bunch of jibberish being scribbled all
over the terminal window. Then:
[wilcal@localhost python]$ 

I was then able to try and beat the computer at PyChess again, and lost.
Is this what we are expecting?

Comment 20 David Walser 2014-10-01 01:09:31 CEST
No, with the updated packages it should not print gibberish.

I just ran it by typing the code into the python interactive interpreter with the updated packages on Mageia 3 i586:

>>> import sys
>>> a=bytearray('CVE request')
>>> b=buffer(a,sys.maxsize,sys.maxsize)
>>> print b[:8192]

>>>

So if you run it as a script file, the expected output is one blank line.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK
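
Added example (not part of the bug report and not the CPython source): a C model of how an integer overflow can defeat a bounds clamp of the kind exercised by the PoC, which asks for an offset and size of sys.maxsize on an 11-byte bytearray. The names view_t, wrap_add, clamp_weak and clamp_safe are hypothetical, and a 64-bit signed index type is assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical view: `size` bytes starting at `offset` inside a backing
   store of `count` bytes. Illustrative model, not CPython source. */
typedef struct { int64_t offset; int64_t size; } view_t;

/* Signed add with explicit wraparound, done in unsigned arithmetic so it is
   defined in C. Assumes a 64-bit two's-complement index type. */
static int64_t wrap_add(int64_t a, int64_t b) {
    return (int64_t)((uint64_t)a + (uint64_t)b);
}

/* Weak clamp: offset + size can wrap negative and pass the check. */
view_t clamp_weak(int64_t count, int64_t offset, int64_t size) {
    view_t v;
    if (offset > count) offset = count;
    if (wrap_add(offset, size) > count) size = count - offset;
    v.offset = offset; v.size = size;
    return v;
}

/* Hardened clamp: compare size with the space left. count - offset cannot
   overflow because 0 <= offset <= count once offset has been clamped. */
view_t clamp_safe(int64_t count, int64_t offset, int64_t size) {
    view_t v;
    if (offset < 0) offset = 0;
    if (offset > count) offset = count;
    if (size < 0 || size > count - offset) size = count - offset;
    v.offset = offset; v.size = size;
    return v;
}

int main(void) {
    /* Constructed input mirroring the PoC: an 11-byte object ('CVE request')
       with offset and size both set to the largest signed value. */
    view_t w = clamp_weak(11, INT64_MAX, INT64_MAX);
    view_t s = clamp_safe(11, INT64_MAX, INT64_MAX);
    printf("weak: offset=%lld size=%lld\n", (long long)w.offset, (long long)w.size);
    printf("safe: offset=%lld size=%lld\n", (long long)s.offset, (long long)s.size);
    return 0;
}
```

With the weak clamp the view still claims INT64_MAX bytes, so a later slice such as b[:8192] reads past the 11-byte object; the hardened clamp yields an empty view, which matches the single blank line expected after the update.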

Comment 21 William Kenney 2014-10-01 01:23:54 CEST
(In reply to David Walser from comment #20)

> So if you run it as a script file, the expected output is one blank line.

In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
python

install python from updates_testing

[root@localhost wilcal]# urpmi python
Package python-2.7.6-1.3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi tkinter
Package tkinter-2.7.6-1.3.mga4.i586 is already installed

Create:

--- overflow.py ---
import sys
a = bytearray('CVE request')
b = buffer(a, sys.maxsize, sys.maxsize)
print b[:8192]
-------------------

[wilcal@localhost python]$ python overflow.py

Fills the terminal with jibberish. What am I doing wrong?

Comment 22 David Walser 2014-10-01 01:27:47 CEST
(In reply to William Kenney from comment #21)
> Fills the terminal with jibberish. What am I doing wrong?

Most likely, you haven't installed (all of) the updated packages.  See the package list in Comment 8.  My guess would be that you haven't updated libpython2.7.

Comment 23 Rémi Verschelde 2014-10-01 15:15:13 CEST
Testing complete on Mageia 4 32bit with the PoC.
mageiawelcome still runs fine.

Whiteboard: MGA3TOO has_procedure MGA3-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK

Comment 24 claire robinson 2014-10-01 16:40:43 CEST
Testing complete mga4 64

Before - as comment 16

After
-----
$ python overflow.py 

$ 


Also tested some random scripts from here pasted into idle
https://wiki.python.org/moin/SimplePrograms

Paste into idle 'edit window' and run (Run => Run Module)

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK mga4-64-ok

Comment 25 claire robinson 2014-10-01 17:38:33 CEST
Testing complete mga3 64

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK mga4-64-ok => MGA3TOO has_procedure MGA3-32-OK mga3-64-ok MGA4-32-OK mga4-64-ok

Comment 26 claire robinson 2014-10-01 17:54:20 CEST
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-32-OK mga3-64-ok MGA4-32-OK mga4-64-ok => MGA3TOO has_procedure advisory MGA3-32-OK mga3-64-ok MGA4-32-OK mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 27 David Walser 2014-10-01 21:38:32 CEST
Fedora has issued an advisory for this on September 26:
https://lists.fedoraproject.org/pipermail/package-announce/2014-October/139663.html

URL: (none) => http://lwn.net/Vulnerabilities/614407/

Comment 28 Mageia Robot 2014-10-07 11:23:35 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0399.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

