In the most recent Django advisory: https://www.djangoproject.com/weblog/2015/mar/18/security-releases/ They noted that the first security issue there is fixed already by Python if it contains an upstream fix for an HTMLParser issue: http://bugs.python.org/issue20288 Our python package is at version 2.7.9 now and already contains the fix, but our python3 is only 3.3.2 and does not. Adding this: https://hg.python.org/cpython/rev/32097f193892 might be desirable, as it might mitigate other future security issues like this. Reproducible: Steps to Reproduce:
Updated packages in core/updates_testing: ======================== tkinter3-3.3.2-13.5.mga4.i586 python3-debuginfo-3.3.2-13.5.mga4.i586 lib64python3-devel-3.3.2-13.5.mga4.x86_64 python3-3.3.2-13.5.mga4.x86_64 python3-3.3.2-13.5.mga4.i586 tkinter3-3.3.2-13.5.mga4.x86_64 libpython3-devel-3.3.2-13.5.mga4.i586 python3-debuginfo-3.3.2-13.5.mga4.x86_64 python3-docs-3.3.2-13.5.mga4.noarch tkinter3-apps-3.3.2-13.5.mga4.x86_64 tkinter3-apps-3.3.2-13.5.mga4.i586 lib64python3.3-3.3.2-13.5.mga4.x86_64 libpython3.3-3.3.2-13.5.mga4.i586 from python3-3.3.2-13.5.mga4.src
Assignee: makowski.mageia => qa-bugs
Thanks Philippe! Would you be able to help with a description of the issue being fixed, so we can provide an advisory?
CC: (none) => makowski.mageia
in HTMLParser, if you feed a broken charref, that is non-numeric, it will pass whatever random string that happened to be at the start of rawdata to handle_data() This behavior could then in code like Django strip_tags() lead to an infinite loop. This update help to fix CVE-2015-2316 as reported in Django advisory: https://www.djangoproject.com/weblog/2015/mar/18/security-releases/ Python upstream fix for the HTMLParser issue: http://bugs.python.org/issue20288
Thanks again. Advisory: ---------------------------------------- A bug in HTMLParser in Python3 before 3.3.5 causes the parser to not behave correctly when passed an invalid numeric character entity reference containing non-numeric data (python#20288). The unexpected behavior could cause an infinite loop in client code, as was the case in Django 1.6 and newer. This caused an issue known as CVE-2015-2316, which was fixed in the Django advisory on March 18th. References: http://bugs.python.org/issue20288 https://www.djangoproject.com/weblog/2015/mar/18/security-releases/ ---------------------------------------- Updated packages in core/updates_testing: ---------------------------------------- python3-3.3.2-13.5.mga4 libpython3.3-3.3.2-13.5.mga4 libpython3-devel-3.3.2-13.5.mga4 python3-docs-3.3.2-13.5.mga4 tkinter3-3.3.2-13.5.mga4 tkinter3-apps-3.3.2-13.5.mga4 from python3-3.3.2-13.5.mga4.src.rpm
No installation issues on MGA4-64 HP Probook 6555b KDE and MGA4-32 on Acer D620 Xfce. I have no idea how to test this.
CC: (none) => herman.viaene
I can confirm that the patch was correctly applied in the package. The patch adds a testcase to the test suite, which is run at build time, so basically we already know this is good. Just testing that the updated packages install fine should be sufficient. If you wanted to do a quick random test of running a python3 program, that would be fine too. If you want to run a testcase manually for this issue, run "python3" and then type: import html.parser p=html.parser.HTMLParser() p.handle_data = lambda x: print(x) p.feed('<div>&#bad;</div>') Before the update it will print "<d" which is incorrect. After the update it prints "&#" which is correct.
Whiteboard: (none) => has_procedure MGA4-32-OK
Confirm correct output as per comment 6 on both platforms in Comment5.
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64 OK
Whiteboard: has_procedure MGA4-32-OK MGA4-64 OK => has_procedure MGA4-32-OK MGA4-64-OK
Validating, advisory uploaded. Please push to 4 core/updates.
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisoryCC: (none) => remi, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGAA-2015-0030.html
Status: NEW => RESOLVEDResolution: (none) => FIXED