Bug 22845 - python new security issues CVE-2018-1060 and CVE-2018-1061
Summary: python new security issues CVE-2018-1060 and CVE-2018-1061
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-32-OK MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-03-31 18:00 CEST by David Walser
Modified: 2018-05-29 21:42 CEST

See Also:
Source RPM: python-2.7.13-1.1.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2018-03-31 18:00:05 CEST
Python 3.6.5 has been released on March 28:
https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-final

RC1 (from March 13) fixed two security issues:
https://bugs.python.org/issue32981

Python 2.7 is also affected and the fix will be included in 2.7.15.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-03-31 18:00:12 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 David Walser 2018-04-07 18:30:47 CEST
Fedora has issued an advisory for this on April 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6WVU6LVRWETHDLXB6T3636AYNKVHPASB/
Comment 2 David Walser 2018-04-21 23:40:49 CEST
openSUSE has issued an advisory on April 17:
https://lists.opensuse.org/opensuse-updates/2018-04/msg00041.html

It fixes one additional issue, which also affects Python 2.7 and Python 3.x.

Summary: python/python3 new security issues CVE-2018-1060 and CVE-2018-1061 => python/python3 new security issues CVE-2018-1060, CVE-2018-1061, and CVE-2017-18207

Comment 3 Philippe Makowski 2018-05-02 15:55:00 CEST
Python 2.7.15 is now in Cauldron, mga5 and mga6

Python 3.6.5 is now in Cauldron

python3-3.5.3-1.3.mga6 has a patch for CVE-2018-1060 and CVE-2017-1000158

Sorry, I don't have time to do more for now

CC: (none) => makowski.mageia
Assignee: makowski.mageia => pkg-bugs

David Walser 2018-05-02 23:19:39 CEST

Blocks: (none) => 22983

David Walser 2018-05-02 23:20:59 CEST

Blocks: 22983 => (none)

Comment 4 David Walser 2018-05-02 23:22:31 CEST
Python3 moved to Bug 22983 since it hasn't been fixed yet.

All of the fixes should be in 2.7.15 for Python, so we can move forward with that update.

Source RPM: python3-3.6.4-1.mga7.src.rpm => python-2.7.13-1.1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Summary: python/python3 new security issues CVE-2018-1060, CVE-2018-1061, and CVE-2017-18207 => python new security issues CVE-2018-1060, CVE-2018-1061, and CVE-2017-18207

Comment 5 David Walser 2018-05-02 23:25:20 CEST
Package list:
python-2.7.15-1.mga5
libpython2.7-2.7.15-1.mga5
libpython-devel-2.7.15-1.mga5
python-docs-2.7.15-1.mga5
tkinter-2.7.15-1.mga5
tkinter-apps-2.7.15-1.mga5
python-2.7.15-1.mga6
libpython2.7-2.7.15-1.mga6
libpython2.7-stdlib-2.7.15-1.mga6
libpython2.7-testsuite-2.7.15-1.mga6
libpython-devel-2.7.15-1.mga6
python-docs-2.7.15-1.mga6
tkinter-2.7.15-1.mga6
tkinter-apps-2.7.15-1.mga6

from SRPMS:
python-2.7.15-1.mga5.src.rpm
python-2.7.15-1.mga6.src.rpm
Comment 6 David Walser 2018-05-02 23:29:09 CEST
SUSE has a PoC for CVE-2017-18207:
https://bugzilla.suse.com/show_bug.cgi?id=1083507
Comment 7 David Walser 2018-05-03 15:36:53 CEST
(In reply to David Walser from comment #6)
> SUSE has a PoC for CVE-2017-18207:
> https://bugzilla.suse.com/show_bug.cgi?id=1083507

$ python
Python 2.7.15 (default, May  1 2018, 17:34:21) 
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import wave
>>> wave.open('audio-testcase.wav')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/wave.py", line 511, in open
    return Wave_read(f)
  File "/usr/lib64/python2.7/wave.py", line 164, in __init__
    self.initfp(f)
  File "/usr/lib64/python2.7/wave.py", line 150, in initfp
    self._nframes = chunk.chunksize // self._framesize
ZeroDivisionError: integer division or modulo by zero

Doesn't look like the patch for this one made it in to the right branch in time :o(

Whiteboard: MGA5TOO => MGA5TOO feedback
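
A pre-check for the failure shown in the traceback in comment 7, as an added example that is not part of this bug thread or of Python's wave module: it rejects a PCM header whose channel count or sample width is zero, the two fields whose product is the frame size that wave.py divides by. The function names and the constructed sample file are assumptions made for illustration.

```python
import io
import struct
import wave

WAVE_FORMAT_PCM = 0x0001


def wav_header_problem(data):
    """Return None if the PCM fmt chunk yields a non-zero frame size, else a reason."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return "not a RIFF/WAVE file"
    pos = 12
    while pos + 8 <= len(data):
        chunk_id, size = struct.unpack_from("<4sL", data, pos)
        body = data[pos + 8:pos + 8 + size]
        if chunk_id == b"fmt ":
            if len(body) < 16:
                return "truncated fmt chunk"
            tag, nchannels, _rate, _avg, _align, bits = struct.unpack_from("<HHLLHH", body)
            if tag != WAVE_FORMAT_PCM:
                return "unsupported format tag"
            if nchannels == 0:
                return "bad number of channels"
            if (bits + 7) // 8 == 0:  # sample width in bytes, rounded up
                return "bad sample width"
            return None  # frame size = nchannels * sampwidth is non-zero
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to even length
    return "no fmt chunk"


def open_wav_checked(data):
    """Validate the header first, then hand the bytes to wave.open()."""
    problem = wav_header_problem(data)
    if problem:
        raise wave.Error(problem)
    return wave.open(io.BytesIO(data), "rb")


def build_wav(nchannels, bits, frames=b"\x00" * 8):
    """Constructed sample input: a minimal PCM WAV with the given header fields."""
    width = (bits + 7) // 8
    fmt = struct.pack("<HHLLHH", WAVE_FORMAT_PCM, nchannels, 8000,
                      8000 * nchannels * width, nchannels * width, bits)
    chunks = b"fmt " + struct.pack("<L", len(fmt)) + fmt
    chunks += b"data" + struct.pack("<L", len(frames)) + frames
    return b"RIFF" + struct.pack("<L", 4 + len(chunks)) + b"WAVE" + chunks
```

Callers that already handle wave.Error for malformed input then see the zero-frame-size case as the same exception type instead of an uncaught ZeroDivisionError.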

Comment 8 Philippe Makowski 2018-05-17 11:41:45 CEST
(In reply to David Walser from comment #7)
> Doesn't look like the patch for this one made it in to the right branch in
> time :o(

And even SUSE patched only Python3, not Python2
https://www.suse.com/security/cve/CVE-2017-18207/

and same for Python upstream, for only Python 3.8, Python 3.7
https://bugs.python.org/issue32056
Comment 9 David Walser 2018-05-19 18:26:51 CEST
CVE-2017-18207 moved to Bug 23061.

Whiteboard: MGA5TOO feedback => MGA5TOO
Summary: python new security issues CVE-2018-1060, CVE-2018-1061, and CVE-2017-18207 => python new security issues CVE-2018-1060 and CVE-2018-1061

Comment 10 Herman Viaene 2018-05-21 11:27:11 CEST
MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Used tests as per bug 22103 (tx a lot Len)
# python /usr/share/doc/python-ply/example/calc/calc.py
Generating LALR tables
calc > a=25
calc > b=35
calc > a*b
875

$ cd /usr/share/doc/python-ply/test
$ python testlex.py
.E..EEEE..................................
----------------------------------------------------------------------
Ran 42 tests in 3.055s
FAILED (failures=5)

# python testlex.py
..........................................
----------------------------------------------------------------------
Ran 42 tests in 4.663s
OK

# python testyacc.py
..........................................
----------------------------------------------------------------------
Ran 42 tests in 0.772s
OK

Test for tkinter
$ python /home/tester5/Documenten/helloworld.py
Good morning QA

regrtest does not seem to exist in python2.7
So OK for now

CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Comment 11 Herman Viaene 2018-05-21 15:35:59 CEST
MGA6-32 on IBM Thinkpad R50e Xfce
No installation issues.
Did the same tests as per Comment 10 above with similar results, so OK for now.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-32-OK

Comment 12 Lewis Smith 2018-05-21 21:05:51 CEST
@David: Herman is ahead of you! Advisory please.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 13 David Walser 2018-05-23 23:24:32 CEST
Advisory:
========================

Updated python packages fix security vulnerabilities:

A flaw was found in the way catastrophic backtracking was implemented in
Python's pop3lib's apop() method. An attacker could use this flaw to cause
denial of service (CVE-2018-1060).

A flaw was found in the way catastrophic backtracking was implemented in
Python's difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause
denial of service (CVE-2018-1061).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061
https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-final
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6WVU6LVRWETHDLXB6T3636AYNKVHPASB/
Thomas Backlund 2018-05-29 20:24:53 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 14 Mageia Robot 2018-05-29 21:42:23 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0256.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
