+++ This bug was initially created as a clone of Bug #22845 +++

openSUSE has issued an advisory on April 17:
https://lists.opensuse.org/opensuse-updates/2018-04/msg00041.html

The issue hasn't been fixed yet in Python 2.7.x.

Mageia 5 and Mageia 6 are also affected.

SUSE has a PoC for CVE-2017-18207:
https://bugzilla.suse.com/show_bug.cgi?id=1083507

$ python
Python 2.7.15 (default, May 1 2018, 17:34:21)
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import wave
>>> wave.open('audio-testcase.wav')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/wave.py", line 511, in open
    return Wave_read(f)
  File "/usr/lib64/python2.7/wave.py", line 164, in __init__
    self.initfp(f)
  File "/usr/lib64/python2.7/wave.py", line 150, in initfp
    self._nframes = chunk.chunksize // self._framesize
ZeroDivisionError: integer division or modulo by zero
Whiteboard: (none) => MGA6TOO, MGA5TOO
Summary: python new security issues CVE-2018-1060, CVE-2018-1061, and CVE-2017-18207 => python new security issue CVE-2017-18207
CC: (none) => marja11
Assignee: bugsquad => python
The fix made by openSUSE (https://build.opensuse.org/package/view_file/openSUSE:Maintenance:7988/python3-base.openSUSE_Leap_42.3_Update/python-3.6-CVE-2017-18207.patch?expand=1) is not really the right one: it considers only wave, and it is not clear that it is a vulnerability; see https://bugs.python.org/issue32056 and the final commit in Python 3.7, https://github.com/python/cpython/commit/3c0a5a7c7ba8fbbc95dd1fe76cd7a1c0ce167371

For information, I backported the openSUSE patch in python-2.7.15-5.mga7.
Thanks Philippe. If the divide by zero causes Python to crash, it's definitely a security issue, but if it only raises an exception, then I would agree that it's not. I've committed the patch in mga5/mga6 SVN, but won't push any builds at this time.
Version: Cauldron => 6
Status comment: (none) => possibly incomplete patch in SVN (aifc and sunau not addressed)
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
CVE-2018-1000030 is another issue we may or may not have fixed. openSUSE advisory for that from May 24: https://lists.opensuse.org/opensuse-updates/2018-05/msg00108.html
Have 3DES ciphers already been disabled by default in our python package? https://access.redhat.com/errata/RHSA-2018:2123
openSUSE has issued an advisory for this for Python 2.7 on July 28: https://lists.opensuse.org/opensuse-updates/2018-07/msg00084.html
CVE-2018-14647 and CVE-2018-1000802 are more new issues. Debian has issued advisories for those on September 27: https://www.debian.org/security/2018/dsa-4306
openSUSE has issued an advisory for CVE-2018-1000802 on October 6: https://lists.opensuse.org/opensuse-updates/2018-10/msg00035.html
Fedora has issued an advisory for CVE-2018-1000802 on September 27: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O4ERR26C7JCSELMELHCVZ5TZXFKHBJ72/
CC: (none) => tmb
Whiteboard: MGA5TOO => (none)
Fedora has issued an advisory for CVE-2018-14647 on October 19: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HFL5UURGWQ53IKGPTD7B4MKMSMUZPTGU/
Ubuntu has issued an advisory for some of these issues on November 13: https://usn.ubuntu.com/3817-1/
CVE-2018-14647 and CVE-2018-1000802 fixed on Cauldron!
CC: (none) => geiger.david68210
So Comment 3 and Comment 4 are the only possible questions for Cauldron left.
CVE-2016-2183 has been fixed upstream since release 2.7.13, in this commit:
https://github.com/python/cpython/commit/d988f429fe43808345812ef63dfa8da170c61871
https://python-security.readthedocs.io/vuln/cve-2016-2183_sweet32_attack_des_3des.html
Also, CVE-2018-1000030 is already fixed upstream in release 2.7.15:
- bpo-31530: Fixed crashes when iterating over a file on multiple threads
https://bugs.python.org/issue31530#msg320189
So fixed now for mga6!
Advisory:
========================

Updated python packages fix security vulnerabilities:

Possible denial of service vulnerability due to a missing check in Lib/wave.py to verify that at least one channel is provided (CVE-2017-18207).

Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts of CPU and RAM (CVE-2018-14647).

It was discovered that the shutil module of python does not properly sanitize input when creating a zip file on Windows. An attacker could use this flaw to cause a denial of service or add unintended files to the generated archive (CVE-2018-1000802).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18207
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802
https://lists.opensuse.org/opensuse-updates/2018-04/msg00041.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O4ERR26C7JCSELMELHCVZ5TZXFKHBJ72/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HFL5UURGWQ53IKGPTD7B4MKMSMUZPTGU/
========================

Updated packages in core/updates_testing:
========================
python-2.7.15-1.1.mga6
libpython2.7-2.7.15-1.1.mga6
libpython2.7-stdlib-2.7.15-1.1.mga6
libpython2.7-testsuite-2.7.15-1.1.mga6
libpython-devel-2.7.15-1.1.mga6
python-docs-2.7.15-1.1.mga6
tkinter-2.7.15-1.1.mga6
tkinter-apps-2.7.15-1.1.mga6

from python-2.7.15-1.1.mga6.src.rpm
Assignee: python => qa-bugs
Summary: python new security issue CVE-2017-18207 => python new security issues CVE-2017-18207, CVE-2018-14647, CVE-2018-1000802
Mageia 6, x86_64

CVE-2017-18207
https://bugzilla.suse.com/show_bug.cgi?id=1083507

This is an old divide-by-zero bug - probably fixed already. Running this test confirms that.

$ python
Python 2.7.15 (default, May 1 2018, 17:08:05)
[GCC 5.4.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import wave
>>> wave.open('audio-testcase.wav')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/wave.py", line 511, in open
    return Wave_read(f)
  File "/usr/lib64/python2.7/wave.py", line 164, in __init__
    self.initfp(f)
  File "/usr/lib64/python2.7/wave.py", line 150, in initfp
    self._nframes = chunk.chunksize // self._framesize
ZeroDivisionError: integer division or modulo by zero
>>> exit()

Updated all the packages.

The testsuite files can be found in /usr/lib/python2.7/ under subdirectories bsddb/test, ctypes/test, distutils/tests, email/test, lib2to3/tests, sqlite/test, test and unittest/test. A web search indicated that there should be a /usr/share/doc/libpython2.7-testsuite file but we do not appear to have it, unless it belongs to a not-installed package. Other results seem to indicate that the test files belong to the unit testing framework rather than providing a general way to test the functionality of the python installation, which is what I was hoping to find.

Tested the CVE-2017-18207 issue again:

>>> import wave
>>> wave.open('audio-testcase.wav')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/wave.py", line 513, in open
    return Wave_read(f)
  File "/usr/lib64/python2.7/wave.py", line 164, in __init__
    self.initfp(f)
  File "/usr/lib64/python2.7/wave.py", line 144, in initfp
    self._read_fmt_chunk(chunk)
  File "/usr/lib64/python2.7/wave.py", line 276, in _read_fmt_chunk
    raise Error, "The audio file in wav format should have at least one channel!"
wave.Error: The audio file in wav format should have at least one channel!
which differs from the pre-update test by rejecting the data. Good result. Generated a list of applications which depend on python. Picked scribus and opened it under strace to create a dummy .sla document. The output trace contained 357 references to python2.7. sonata opens OK. calibre works fine. Installed vegastrike and launched it. Big mistake. It worked OK as far as I could see but there was no way to exit or quit the game. Killed it from a virtual console then switched back to graphics mode. The display was running in the lowest resolution possible and the mouse was not responding so a crash reboot was necessary. But the game runs. Launched glade and tinkered with it. All looked fine. Tried pycharm and ran a couple of simple python scripts from the interface. All worked as expected. Ran some beginner's scripts from the cli, posting a hello world button and calculating the first 10 numbers of the Fibonacci series. It all looks good for 64-bits.
Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
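The before/after behaviour shown in the QA test above, as an added example that is not part of the bug report, the Mageia packages or CPython: a minimal RIFF/WAVE header parser that applies the "at least one channel" check the CVE-2017-18207 fix adds, run on constructed WAV bytes (the `build_wav`, `frame_count` and `stdlib_result` helpers and the sample data are assumptions of this example).

```python
# Added example (not from the bug report or CPython): constructed WAV input
# with a zero channel count, parsed with the check the fix for CVE-2017-18207 adds.
import io
import struct
import wave

WAVE_FORMAT_PCM = 0x0001

def build_wav(nchannels, sampwidth_bytes, framerate=8000, frames=b"\x80" * 16):
    """Construct a minimal PCM WAV byte string (sample data, not a real recording)."""
    blockalign = nchannels * sampwidth_bytes
    fmt = struct.pack("<HHLLHH", WAVE_FORMAT_PCM, nchannels, framerate,
                      framerate * blockalign, blockalign, sampwidth_bytes * 8)
    body = (b"WAVE" + b"fmt " + struct.pack("<L", len(fmt)) + fmt
            + b"data" + struct.pack("<L", len(frames)) + frames)
    return b"RIFF" + struct.pack("<L", len(body)) + body

def frame_count(data):
    """Hardened header parse: reject a zero channel count or sample width before
    dividing, so malformed input raises ValueError instead of ZeroDivisionError.
    Returns the number of audio frames in the data chunk."""
    if data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos, framesize = 12, None
    while pos + 8 <= len(data):
        cid, size = data[pos:pos + 4], struct.unpack_from("<L", data, pos + 4)[0]
        payload = data[pos + 8:pos + 8 + size]
        if cid == b"fmt ":
            fmt_tag, nch, _rate, _bps, _align, bits = struct.unpack_from("<HHLLHH", payload)
            if fmt_tag != WAVE_FORMAT_PCM:
                raise ValueError("unsupported format %r" % fmt_tag)
            sampwidth = (bits + 7) // 8
            if nch < 1 or sampwidth < 1:  # the check Lib/wave.py lacked before the fix
                raise ValueError("bad channel count or sample width")
            framesize = nch * sampwidth
        elif cid == b"data":
            if framesize is None:
                raise ValueError("data chunk before fmt chunk")
            return size // framesize
        pos += 8 + size + (size & 1)  # RIFF chunks are word-aligned
    raise ValueError("no data chunk")

def stdlib_result(data):
    """Feed the same bytes to the stdlib wave module and report what it does:
    'ok:<frames>' on success, otherwise the exception class name."""
    try:
        with wave.open(io.BytesIO(data)) as w:
            return "ok:%d" % w.getnframes()
    except Exception as exc:
        return type(exc).__name__
```

On an unfixed interpreter `stdlib_result(build_wav(0, 1))` reports `ZeroDivisionError`; on a fixed one it reports `Error` (wave.Error), matching the two tracebacks above.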
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0495.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED