+++ This bug was initially created as a clone of Bug #22845 +++ Python 3.6.5 has been released on March 28: https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-final RC1 (from March 13) fixed two security issues: https://bugs.python.org/issue32981 Fedora has issued an advisory for this on April 6: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6WVU6LVRWETHDLXB6T3636AYNKVHPASB/ openSUSE has issued an advisory on April 17: https://lists.opensuse.org/opensuse-updates/2018-04/msg00041.html It fixes one additional issue. Mageia 5 is also affected.
Philippe upgraded to 3.6.5 in Cauldron which should have all of the fixes. "python3-3.5.3-1.3.mga6 have a patch for CVE-2018-1060 and CVE-2017-1000158," but he didn't have time to address the other issues.
Depends on: 22845 => (none)Assignee: bugsquad => pythonCC: security => (none)
Status comment: (none) => Patches available from openSUSE and upstream
done in python3-3.4.3-1.7.mga5 and python3-3.5.3-1.4.mga6 they are in testing CVE-2017-18207 is not fixed, see : https://bugs.mageia.org/show_bug.cgi?id=23061#c1
I would say CVE-2017-18207 is fixed as it only covers the wave issue, but the same issue (however you want to characterize it) also exists in two other modules. What's the status of CVE-2018-1061?
Whiteboard: (none) => MGA5TOO
(In reply to David Walser from comment #3) > I would say CVE-2017-18207 is fixed as it only covers the wave issue, but > the same issue (however you want to characterize it) also exists in two > other modules. > > What's the status of CVE-2018-1061? Ahh it looks like you addressed it with the CVE-2018-1060 patch.
Advisory: ======================== Updated python3 packages fix security vulnerabilities: A flaw was found in the way catastrophic backtracking was implemented in Python's pop3lib's apop() method. An attacker could use this flaw to cause denial of service (CVE-2018-1060). A flaw was found in the way catastrophic backtracking was implemented in Python's difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service (CVE-2018-1061). Possible denial of service vulnerability due to a missing check in Lib/wave.py to verify that at least one channel is provided (CVE-2017-18207). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18207 https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-final https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6WVU6LVRWETHDLXB6T3636AYNKVHPASB/ https://lists.opensuse.org/opensuse-updates/2018-04/msg00041.html ======================== Updated packages in core/updates_testing: ======================== libpython3-devel-3.4.3-1.7.mga5 libpython3.4-3.4.3-1.7.mga5 python3-3.4.3-1.7.mga5 python3-docs-3.4.3-1.7.mga5 tkinter3-3.4.3-1.7.mga5 tkinter3-apps-3.4.3-1.7.mga5 libpython3-devel-3.5.3-1.4.mga6 libpython3.5-3.5.3-1.4.mga6 libpython3.5-stdlib-3.5.3-1.4.mga6 libpython3.5-testsuite-3.5.3-1.4.mga6 python3-3.5.3-1.4.mga6 python3-docs-3.5.3-1.4.mga6 tkinter3-3.5.3-1.4.mga6 tkinter3-apps-3.5.3-1.4.mga6 from SRPMS: python3-3.4.3-1.7.mga5.src.rpm python3-3.5.3-1.4.mga6.src.rpm
CC: pkg-bugs => pythonAssignee: python => qa-bugs
Mageia 6 :: x86_64 A PoC was found for the wave issue but nothing else. CVE-2017-18207 https://bugzilla.suse.com/show_bug.cgi?id=1083507 Before updates: The procedure here applies to both python and python3. $ python3 >>> import wave >>> wave.open('audio-testcase.wav') Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/usr/lib64/python3.5/wave.py", line 499, in open return Wave_read(f) File "/usr/lib64/python3.5/wave.py", line 163, in __init__ self.initfp(f) File "/usr/lib64/python3.5/wave.py", line 149, in initfp self._nframes = chunk.chunksize // self._framesize ZeroDivisionError: integer division or modulo by zero >>> exit() After updates: $ python3 Python 3.5.3 (default, May 23 2018, 14:20:56) [GCC 5.4.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import wave >>> wave.open('audio-testcase.wav') Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/usr/lib64/python3.5/wave.py", line 501, in open return Wave_read(f) File "/usr/lib64/python3.5/wave.py", line 163, in __init__ self.initfp(f) File "/usr/lib64/python3.5/wave.py", line 143, in initfp self._read_fmt_chunk(chunk) File "/usr/lib64/python3.5/wave.py", line 262, in _read_fmt_chunk raise ValueError("The audio file in wav format should have at least one channel!") ValueError: The audio file in wav format should have at least one channel! This is the expected response. Python is pretty well embedded in the operating system. A quick look at /bin shows 79 separate scripts. $ file /bin/* | grep -i python | wc -l Ran youtube-dl successfullyInteractive python3 working normally. The two attached tutorial scripts worked fine with python3. $ python3 fibonacci.py Fibonacci series for first 13 terms 0, 1, 1, 2, 3, 5, 8, 13, 21, 34, 55, 89, 144, 233 The tenth term is 34 [0, 1, 1, 2, 3, 5, 8, 13, 21, 34] $ python3 sieve.py q = 2 q = 3 q = 5 q = 7 ............... q = 271 q = 277 q = 281 q = 283 q = 293 OK for 64-bits. Moving to Mageia 5 for repeat tests.
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OKCC: (none) => tarazed25
Created attachment 10219 [details] Generates fibonacci numbers
Created attachment 10220 [details] Eratosthenes Sieve for prime numbers
Re comment 6. Most of the bin scripts are not specifically python3 but youtube-dl is. Other applications using python3, according to: $ urpmq --whatrequires lib64python3.5 | sort -u attic, blender, gdb, pitivi, semantik, sigil, and virtualbox. VirtualBox is working after the updates.
Created attachment 10222 [details] Helloworld program for Tkinter3
Mageia 5, x86_64 Initially at python 3.4.3-1.6 Before update: $ python3 >>> import wave >>> wave.open( "audio-testcase.wav" ) Traceback (most recent call last): ZeroDivisionError: integer division or modulo by zero After update: $ python3 >>> import wave >>> wave.open('audio-testcase.wav') Traceback (most recent call last): ValueError: The audio file in wav format should have at least one channel! Which validates the patch. VirtualBox continues to work. The Fibonacci number generator and Sieve of Eratosthenes also work. youtube-dl does not work on Mageia 5 (mga5 EOS apart from core applications). tkinter may not be affected by this update but it is on the list so is worth a cursory test. Ran the "Hello world" script attached. Good for 64-bits.
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK
In comment 11: s/validates the patch/validates the patch for CVE-2017-18207/
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
advisory uploaded
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0270.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED