Python 3.6.5 was released on March 28:
https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-final

RC1 (from March 13) fixed two security issues:
https://bugs.python.org/issue32981

Python 2.7 is also affected and the fix will be included in 2.7.15.

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Fedora issued an advisory for this on April 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6WVU6LVRWETHDLXB6T3636AYNKVHPASB/
openSUSE issued an advisory on April 17:
https://lists.opensuse.org/opensuse-updates/2018-04/msg00041.html

It fixes one additional issue, which also affects Python 2.7 and Python 3.x.
Summary: python/python3 new security issues CVE-2018-1060 and CVE-2018-1061 => python/python3 new security issues CVE-2018-1060, CVE-2018-1061, and CVE-2017-18207
Python 2.7.15 is now in Cauldron, mga5 and mga6.
Python 3.6.5 is now in Cauldron.
python3-3.5.3-1.3.mga6 has a patch for CVE-2018-1060 and CVE-2017-1000158.

Sorry, I don't have time to do more for now.
CC: (none) => makowski.mageia
Assignee: makowski.mageia => pkg-bugs
Blocks: (none) => 22983
Blocks: 22983 => (none)
Python3 moved to Bug 22983 since it hasn't been fixed yet. All of the fixes should be in 2.7.15 for Python, so we can move forward with that update.
Source RPM: python3-3.6.4-1.mga7.src.rpm => python-2.7.13-1.1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Summary: python/python3 new security issues CVE-2018-1060, CVE-2018-1061, and CVE-2017-18207 => python new security issues CVE-2018-1060, CVE-2018-1061, and CVE-2017-18207
Package list:
python-2.7.15-1.mga5
libpython2.7-2.7.15-1.mga5
libpython-devel-2.7.15-1.mga5
python-docs-2.7.15-1.mga5
tkinter-2.7.15-1.mga5
tkinter-apps-2.7.15-1.mga5
python-2.7.15-1.mga6
libpython2.7-2.7.15-1.mga6
libpython2.7-stdlib-2.7.15-1.mga6
libpython2.7-testsuite-2.7.15-1.mga6
libpython-devel-2.7.15-1.mga6
python-docs-2.7.15-1.mga6
tkinter-2.7.15-1.mga6
tkinter-apps-2.7.15-1.mga6

from SRPMS:
python-2.7.15-1.mga5.src.rpm
python-2.7.15-1.mga6.src.rpm
SUSE has a PoC for CVE-2017-18207: https://bugzilla.suse.com/show_bug.cgi?id=1083507
(In reply to David Walser from comment #6)
> SUSE has a PoC for CVE-2017-18207:
> https://bugzilla.suse.com/show_bug.cgi?id=1083507

$ python
Python 2.7.15 (default, May 1 2018, 17:34:21)
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import wave
>>> wave.open('audio-testcase.wav')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/wave.py", line 511, in open
    return Wave_read(f)
  File "/usr/lib64/python2.7/wave.py", line 164, in __init__
    self.initfp(f)
  File "/usr/lib64/python2.7/wave.py", line 150, in initfp
    self._nframes = chunk.chunksize // self._framesize
ZeroDivisionError: integer division or modulo by zero

Doesn't look like the patch for this one made it in to the right branch in time :o(
Whiteboard: MGA5TOO => MGA5TOO feedback
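The traceback above ends in a division by the frame size, which wave computes as nchannels * sampwidth from the 'fmt ' chunk; a file that declares zero channels or a zero-bit sample width drives it to zero. The following is an added example, written for this page rather than taken from the bug thread or from CPython: it hand-builds a minimal WAV file (constructed sample input, so degenerate header values can be produced), validates the 'fmt ' chunk before the data reaches the wave module, and only then lets wave count the frames. The function and variable names are this example's own.

```python
"""Added example (not from the bug thread or CPython): reject the zero
frame size behind CVE-2017-18207 before the wave module divides by it."""
import io
import struct
import wave


def build_wav(nchannels, sampwidth, framerate, frames=b"\x00\x00" * 8):
    """Constructed sample input: a minimal PCM RIFF/WAVE file with the
    given fmt parameters. Written by hand rather than via wave.open(...,
    'wb') so that degenerate values such as nchannels=0 can be produced."""
    block_align = nchannels * sampwidth
    byte_rate = framerate * block_align
    # wFormatTag=1 (PCM), nChannels, nSamplesPerSec, nAvgBytesPerSec,
    # nBlockAlign, wBitsPerSample
    fmt = struct.pack("<HHIIHH", 1, nchannels, framerate, byte_rate,
                      block_align, sampwidth * 8)
    body = (b"WAVE"
            + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(frames)) + frames)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def validate_fmt_chunk(data):
    """Walk the RIFF chunks to the first 'fmt ' chunk and return
    (nchannels, sampwidth_in_bytes). Raises ValueError when either would
    be zero (a zero frame size) or when the header is unparsable."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        pos += 8
        if cid == b"fmt ":
            if size < 16 or pos + 16 > len(data):
                raise ValueError("fmt chunk truncated")
            (_fmt_tag, nchannels, _framerate, _byte_rate,
             _block_align, bits) = struct.unpack("<HHIIHH", data[pos:pos + 16])
            sampwidth = (bits + 7) // 8      # same rounding wave uses
            if nchannels == 0:
                raise ValueError("bad # of channels: 0")
            if sampwidth == 0:
                raise ValueError("bad sample width: %d bits" % bits)
            return nchannels, sampwidth
        pos += size + (size & 1)             # RIFF chunks are word aligned
    raise ValueError("no fmt chunk")


def rejects(data):
    """Return the validation error message for data, or None if it is accepted."""
    try:
        validate_fmt_chunk(data)
    except ValueError as exc:
        return str(exc)
    return None


def safe_nframes(data):
    """Validate first, then let wave count frames. On an unpatched
    interpreter the unvalidated path dies with ZeroDivisionError inside
    Wave_read.initfp; here a hostile header never reaches it."""
    validate_fmt_chunk(data)
    with wave.open(io.BytesIO(data), "rb") as w:
        return w.getnframes()


if __name__ == "__main__":
    print("good file:", safe_nframes(build_wav(1, 2, 8000)), "frames")
    print("0 channels:", rejects(build_wav(0, 2, 8000)))
    print("0-bit samples:", rejects(build_wav(1, 0, 8000)))
```

The check mirrors the two conditions that matter for the division (channel count and rounded sample width), so it stays valid regardless of whether the interpreter underneath carries the upstream fix; on a patched interpreter the same inputs would be refused by wave itself with wave.Error instead of ZeroDivisionError.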
(In reply to David Walser from comment #7)
> Doesn't look like the patch for this one made it in to the right branch in
> time :o(

And even SUSE patched only Python 3, not Python 2:
https://www.suse.com/security/cve/CVE-2017-18207/

The same goes for Python upstream, which fixed only Python 3.8 and Python 3.7:
https://bugs.python.org/issue32056
CVE-2017-18207 moved to Bug 23061.
Whiteboard: MGA5TOO feedback => MGA5TOO
Summary: python new security issues CVE-2018-1060, CVE-2018-1061, and CVE-2017-18207 => python new security issues CVE-2018-1060 and CVE-2018-1061
MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Used tests as per bug 22103 (tx a lot Len)

# python /usr/share/doc/python-ply/example/calc/calc.py
Generating LALR tables
calc > a=25
calc > b=35
calc > a*b
875

$ cd /usr/share/doc/python-ply/test
$ python testlex.py
.E..EEEE..................................
----------------------------------------------------------------------
Ran 42 tests in 3.055s

FAILED (failures=5)

# python testlex.py
..........................................
----------------------------------------------------------------------
Ran 42 tests in 4.663s

OK

# python testyacc.py
..........................................
----------------------------------------------------------------------
Ran 42 tests in 0.772s

OK

Test for tkinter:
$ python /home/tester5/Documenten/helloworld.py
Good morning QA

regrtest does not seem to exist in python2.7.
So OK for now.
CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
MGA6-32 on IBM Thinkpad R50e Xfce No installation issues. Did the same tests as per Comment 10 above with similar results, so OK for now.
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-32-OK
@David: Herman is ahead of you! Advisory please.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory:
========================

Updated python packages fix security vulnerabilities:

A flaw was found in the way catastrophic backtracking was implemented in Python's pop3lib's apop() method. An attacker could use this flaw to cause denial of service (CVE-2018-1060).

A flaw was found in the way catastrophic backtracking was implemented in Python's difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service (CVE-2018-1061).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061
https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-final
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6WVU6LVRWETHDLXB6T3636AYNKVHPASB/
Keywords: (none) => advisory
CC: (none) => tmb
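Both CVEs in the advisory above are regular-expression backtracking bugs: poplib's apop() matched the server greeting with `\+OK.*(<[^>]+>)`, and difflib.IS_LINE_JUNK matched lines with `\s*#?\s*$`; the bpo-32981 fix replaced them with `\+OK.[^<]*(<.*>)` and `\s*(?:#\s*)?$`. The following is an added example, not part of the advisory or of CPython: it reproduces the matching logic of apop() and IS_LINE_JUNK against the old and new patterns and constructs the inputs (a greeting full of '<' with no '>', a line of spaces ending in a non-junk character) on which the old patterns retry in quadratic time in the length of attacker-controlled input while the new ones fail in linear time. The function names and the timing helper are this example's own.

```python
"""Added example (not from the advisory or CPython): the regexes behind
CVE-2018-1060 (poplib.POP3.apop) and CVE-2018-1061 (difflib.IS_LINE_JUNK)
before and after the bpo-32981 fix, with inputs that trigger the blowup."""
import re
import time

# Patterns as they were before CPython 3.6.5 / 2.7.15.
APOP_OLD = re.compile(br'\+OK.*(<[^>]+>)')
JUNK_OLD = re.compile(r"\s*#?\s*$")
# Patterns after the bpo-32981 fix.
APOP_NEW = re.compile(br'\+OK.[^<]*(<.*>)')
JUNK_NEW = re.compile(r"\s*(?:#\s*)?$")


def apop_timestamp(pattern, greeting):
    """Mimic POP3.apop(): pull the <timestamp> out of the server greeting,
    returning None where poplib would raise error_proto."""
    m = pattern.match(greeting)
    return m.group(1) if m else None


def is_line_junk(pattern, line):
    """Mimic difflib.IS_LINE_JUNK(): True for blank or '#'-only lines."""
    return pattern.match(line) is not None


def hostile_greeting(n):
    """Constructed attacker input for apop(): n '<' and never a '>'.
    The old pattern re-runs [^>]+ from every split point of .* : O(n^2)."""
    return b"+OK " + b"<" * n


def hostile_line(n):
    """Constructed input for IS_LINE_JUNK(): n spaces then a non-junk char.
    The old pattern can divide the spaces between its two whitespace runs
    in n different ways, each of which fails at the 'x': O(n^2)."""
    return " " * n + "x"


def timed(fn, *args):
    """Return (result, elapsed_seconds) for one call."""
    t0 = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - t0


def compare(n):
    """Run old and new patterns on the hostile inputs of size n and return
    {name: (result, seconds)}. The results agree (no match either way);
    only the time spent reaching that answer differs."""
    return {
        "apop_old": timed(apop_timestamp, APOP_OLD, hostile_greeting(n)),
        "apop_new": timed(apop_timestamp, APOP_NEW, hostile_greeting(n)),
        "junk_old": timed(is_line_junk, JUNK_OLD, hostile_line(n)),
        "junk_new": timed(is_line_junk, JUNK_NEW, hostile_line(n)),
    }


if __name__ == "__main__":
    for n in (1000, 5000, 20000):
        print(n, {k: "%.3fs" % v[1] for k, v in compare(n).items()})
```

The hostile greeting is reachable by any POP3 server the client connects to, and the hostile line by any input handed to difflib, which is why a quadratic step count is enough for a denial of service: doubling the input quadruples the time, and neither caller bounds the input size. The assertions below check only the match results, since wall-clock timings are not stable across machines; run the block directly to see the old/new timing gap grow with n.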
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0256.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED