Bug 22983 - python3 new security issues CVE-2018-1060, CVE-2018-1061, and CVE-2017-18207
Summary: python3 new security issues CVE-2018-1060, CVE-2018-1061, and CVE-2017-18207
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-05-02 23:19 CEST by David Walser
Modified: 2018-06-04 17:12 CEST

See Also:
Source RPM: python3-3.6.4-1.mga7.src.rpm
CVE:
Status comment: Patches available from openSUSE and upstream


Attachments
Generates fibonacci numbers (586 bytes, text/x-python)
2018-06-03 12:39 CEST, Len Lawrence
Eratosthenes Sieve for prime numbers (985 bytes, text/x-python)
2018-06-03 12:40 CEST, Len Lawrence
Helloworld program for Tkinter3 (912 bytes, text/x-python)
2018-06-03 17:11 CEST, Len Lawrence

Description David Walser 2018-05-02 23:19:39 CEST
+++ This bug was initially created as a clone of Bug #22845 +++

Python 3.6.5 has been released on March 28:
https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-final

RC1 (from March 13) fixed two security issues:
https://bugs.python.org/issue32981

Fedora has issued an advisory for this on April 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6WVU6LVRWETHDLXB6T3636AYNKVHPASB/

openSUSE has issued an advisory on April 17:
https://lists.opensuse.org/opensuse-updates/2018-04/msg00041.html

It fixes one additional issue.

Mageia 5 is also affected.
Comment 1 David Walser 2018-05-02 23:20:59 CEST
Philippe upgraded to 3.6.5 in Cauldron which should have all of the fixes.

"python3-3.5.3-1.3.mga6 have a patch for CVE-2018-1060 and CVE-2017-1000158," but he didn't have time to address the other issues.

Depends on: 22845 => (none)
Assignee: bugsquad => python
CC: security => (none)

David Walser 2018-05-04 08:26:08 CEST

Status comment: (none) => Patches available from openSUSE and upstream

Comment 2 Philippe Makowski 2018-05-24 09:26:49 CEST
done in python3-3.4.3-1.7.mga5 and python3-3.5.3-1.4.mga6
they are in testing

CVE-2017-18207 is not fixed, see : https://bugs.mageia.org/show_bug.cgi?id=23061#c1
Comment 3 David Walser 2018-06-02 23:52:33 CEST
I would say CVE-2017-18207 is fixed as it only covers the wave issue, but the same issue (however you want to characterize it) also exists in two other modules.

What's the status of CVE-2018-1061?

Whiteboard: (none) => MGA5TOO

Comment 4 David Walser 2018-06-02 23:54:19 CEST
(In reply to David Walser from comment #3)
> I would say CVE-2017-18207 is fixed as it only covers the wave issue, but
> the same issue (however you want to characterize it) also exists in two
> other modules.
> 
> What's the status of CVE-2018-1061?

Ahh it looks like you addressed it with the CVE-2018-1060 patch.
Comment 5 David Walser 2018-06-03 00:02:22 CEST
Advisory:
========================

Updated python3 packages fix security vulnerabilities:

A flaw was found in the way catastrophic backtracking was implemented in
Python's pop3lib's apop() method. An attacker could use this flaw to cause
denial of service (CVE-2018-1060).

A flaw was found in the way catastrophic backtracking was implemented in
Python's difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause
denial of service (CVE-2018-1061).

Possible denial of service vulnerability due to a missing check in Lib/wave.py
to verify that at least one channel is provided (CVE-2017-18207).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18207
https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-final
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6WVU6LVRWETHDLXB6T3636AYNKVHPASB/
https://lists.opensuse.org/opensuse-updates/2018-04/msg00041.html
========================

Updated packages in core/updates_testing:
========================
libpython3-devel-3.4.3-1.7.mga5
libpython3.4-3.4.3-1.7.mga5
python3-3.4.3-1.7.mga5
python3-docs-3.4.3-1.7.mga5
tkinter3-3.4.3-1.7.mga5
tkinter3-apps-3.4.3-1.7.mga5
libpython3-devel-3.5.3-1.4.mga6
libpython3.5-3.5.3-1.4.mga6
libpython3.5-stdlib-3.5.3-1.4.mga6
libpython3.5-testsuite-3.5.3-1.4.mga6
python3-3.5.3-1.4.mga6
python3-docs-3.5.3-1.4.mga6
tkinter3-3.5.3-1.4.mga6
tkinter3-apps-3.5.3-1.4.mga6

from SRPMS:
python3-3.4.3-1.7.mga5.src.rpm
python3-3.5.3-1.4.mga6.src.rpm

CC: pkg-bugs => python
Assignee: python => qa-bugs

Comment 6 Len Lawrence 2018-06-03 12:36:40 CEST
Mageia 6 :: x86_64

A PoC was found for the wave issue but nothing else.
CVE-2017-18207
https://bugzilla.suse.com/show_bug.cgi?id=1083507

Before updates:

The procedure here applies to both python and python3.
$ python3
>>> import wave
>>> wave.open('audio-testcase.wav')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.5/wave.py", line 499, in open
    return Wave_read(f)
  File "/usr/lib64/python3.5/wave.py", line 163, in __init__
    self.initfp(f)
  File "/usr/lib64/python3.5/wave.py", line 149, in initfp
    self._nframes = chunk.chunksize // self._framesize
ZeroDivisionError: integer division or modulo by zero
>>> exit()

After updates:

$ python3
Python 3.5.3 (default, May 23 2018, 14:20:56) 
[GCC 5.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import wave
>>> wave.open('audio-testcase.wav')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.5/wave.py", line 501, in open
    return Wave_read(f)
  File "/usr/lib64/python3.5/wave.py", line 163, in __init__
    self.initfp(f)
  File "/usr/lib64/python3.5/wave.py", line 143, in initfp
    self._read_fmt_chunk(chunk)
  File "/usr/lib64/python3.5/wave.py", line 262, in _read_fmt_chunk
    raise ValueError("The audio file in wav format should have at least one channel!")
ValueError: The audio file in wav format should have at least one channel!

This is the expected response.

Python is pretty well embedded in the operating system.  A quick look at /bin shows 79 separate scripts. 
$ file /bin/* | grep -i python | wc -l
Ran youtube-dl successfully.
Interactive python3 working normally.
The two attached tutorial scripts worked fine with python3.
$ python3 fibonacci.py
Fibonacci series for first 13 terms
0, 1, 1, 2, 3, 5, 8, 13, 21, 34, 55, 89, 144, 233
The tenth term is 34
[0, 1, 1, 2, 3, 5, 8, 13, 21, 34]
$ python3 sieve.py
q = 2
q = 3
q = 5
q = 7
...............
q = 271
q = 277
q = 281
q = 283
q = 293

OK for 64-bits.  Moving to Mageia 5 for repeat tests.

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
CC: (none) => tarazed25

Comment 7 Len Lawrence 2018-06-03 12:39:28 CEST
Created attachment 10219
Generates fibonacci numbers
Comment 8 Len Lawrence 2018-06-03 12:40:43 CEST
Created attachment 10220
Eratosthenes Sieve for prime numbers
Comment 9 Len Lawrence 2018-06-03 12:53:06 CEST
Re comment 6.  Most of the bin scripts are not specifically python3 but youtube-dl is.
Other applications using python3, according to:
$ urpmq --whatrequires lib64python3.5 | sort -u
attic, blender, gdb, pitivi, semantik, sigil, and virtualbox.
VirtualBox is working after the updates.
Comment 10 Len Lawrence 2018-06-03 17:11:13 CEST
Created attachment 10222
Helloworld program for Tkinter3
Comment 11 Len Lawrence 2018-06-03 17:12:42 CEST
Mageia 5, x86_64

Initially at python 3.4.3-1.6

Before update:
$ python3
>>> import wave
>>> wave.open( "audio-testcase.wav" )
Traceback (most recent call last):
ZeroDivisionError: integer division or modulo by zero

After update:
$ python3
>>> import wave
>>> wave.open('audio-testcase.wav')
Traceback (most recent call last):
ValueError: The audio file in wav format should have at least one channel!

Which validates the patch.

VirtualBox continues to work.  The Fibonacci number generator and Sieve of Eratosthenes also work.  youtube-dl does not work on Mageia 5 (mga5 EOS apart from core applications).

tkinter may not be affected by this update but it is on the list so is worth a cursory test.  Ran the "Hello world" script attached.

Good for 64-bits.

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK

Comment 12 Len Lawrence 2018-06-03 17:33:00 CEST
In comment 11: s/validates the patch/validates the patch for CVE-2017-18207/
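
The before/after check from comments 6 and 11 can be repeated without the external test file. This is an added example, not part of the original bug thread or of the Mageia or Python projects: the WAV bytes are constructed in memory, and the helper names build_wav and classify_open are hypothetical.

```python
import io
import struct
import wave


def build_wav(nchannels, sample_bits=16, framerate=8000, frames=b"\x00" * 4):
    """Return a minimal PCM WAV file (constructed sample) as bytes."""
    block_align = nchannels * sample_bits // 8
    fmt = struct.pack("<HHLLHH",
                      1,                        # wFormatTag: PCM
                      nchannels,                # the field CVE-2017-18207 concerns
                      framerate,
                      framerate * block_align,  # average bytes per second
                      block_align,
                      sample_bits)
    body = (b"WAVE"
            + b"fmt " + struct.pack("<L", len(fmt)) + fmt
            + b"data" + struct.pack("<L", len(frames)) + frames)
    return b"RIFF" + struct.pack("<L", len(body)) + body


def classify_open(data):
    """Open WAV bytes with the stdlib and report how the parser reacted."""
    try:
        with wave.open(io.BytesIO(data), "rb") as reader:
            reader.getnframes()
        return "ok"
    except ZeroDivisionError:
        # Unpatched behaviour: the frame size is 0 and initfp() divides by it.
        return "unpatched"
    except (ValueError, wave.Error, EOFError):
        # Patched behaviour: ValueError in the backport tested above,
        # wave.Error in newer CPython releases.
        return "rejected"


if __name__ == "__main__":
    for label, channels in (("one channel", 1), ("zero channels", 0)):
        print(label, "->", classify_open(build_wav(channels)))
```

A result of "unpatched" for the zero-channel file means the installed wave.py still lacks the channel check.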
claire robinson 2018-06-04 15:28:26 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 13 claire robinson 2018-06-04 15:33:27 CEST
advisory uploaded

Keywords: (none) => advisory

Comment 14 Mageia Robot 2018-06-04 17:12:47 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0270.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

