Bug 23061 - python new security issues CVE-2017-18207, CVE-2018-14647, CVE-2018-1000802
Summary: python new security issues CVE-2017-18207, CVE-2018-14647, CVE-2018-1000802
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-05-19 18:25 CEST by David Walser
Modified: 2018-12-31 23:43 CET
7 users

See Also:
Source RPM: python-2.7.15-1.mga6.src.rpm
CVE:
Status comment: possibly incomplete patch in SVN (aifc and sunau not addressed)


Attachments

Description David Walser 2018-05-19 18:25:44 CEST
+++ This bug was initially created as a clone of Bug #22845 +++

openSUSE has issued an advisory on April 17:
https://lists.opensuse.org/opensuse-updates/2018-04/msg00041.html

The issue hasn't been fixed yet in Python 2.7.x.

Mageia 5 and Mageia 6 are also affected.

SUSE has a PoC for CVE-2017-18207:
https://bugzilla.suse.com/show_bug.cgi?id=1083507

$ python
Python 2.7.15 (default, May  1 2018, 17:34:21) 
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import wave
>>> wave.open('audio-testcase.wav')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/wave.py", line 511, in open
    return Wave_read(f)
  File "/usr/lib64/python2.7/wave.py", line 164, in __init__
    self.initfp(f)
  File "/usr/lib64/python2.7/wave.py", line 150, in initfp
    self._nframes = chunk.chunksize // self._framesize
ZeroDivisionError: integer division or modulo by zero
David Walser 2018-05-19 18:26:07 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO
Summary: python new security issues CVE-2018-1060, CVE-2018-1061, and CVE-2017-18207 => python new security issue CVE-2017-18207

Marja Van Waes 2018-05-20 09:31:56 CEST

CC: (none) => marja11
Assignee: bugsquad => python

Comment 1 Philippe Makowski 2018-05-24 09:23:51 CEST
The fix made by openSUSE (https://build.opensuse.org/package/view_file/openSUSE:Maintenance:7988/python3-base.openSUSE_Leap_42.3_Update/python-3.6-CVE-2017-18207.patch?expand=1) is not really the right one; it considers only wave,
and it is not clear that it is a vulnerability

see https://bugs.python.org/issue32056

and the final commit in Python3.7 https://github.com/python/cpython/commit/3c0a5a7c7ba8fbbc95dd1fe76cd7a1c0ce167371

For information, I backported the openSUSE patch in python-2.7.15-5.mga7
Comment 2 David Walser 2018-06-02 23:47:00 CEST
Thanks Philippe.  If the divide by zero causes Python to crash, it's definitely a security issue, but if it only raises an exception, then I would agree that it's not.  I've committed the patch in mga5/mga6 SVN, but won't push any builds at this time.

Version: Cauldron => 6
Status comment: (none) => possibly incomplete patch in SVN (aifc and sunau not addressed)
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Comment 3 David Walser 2018-06-07 23:52:44 CEST
CVE-2018-1000030 is another issue we may or may not have fixed.

openSUSE advisory for that from May 24:
https://lists.opensuse.org/opensuse-updates/2018-05/msg00108.html
Comment 4 David Walser 2018-07-03 16:17:59 CEST
Have 3DES ciphers already been disabled by default in our python package?
https://access.redhat.com/errata/RHSA-2018:2123
Comment 5 David Walser 2018-08-02 17:10:27 CEST
openSUSE has issued an advisory for this for Python 2.7 on July 28:
https://lists.opensuse.org/opensuse-updates/2018-07/msg00084.html
Comment 6 David Walser 2018-10-10 00:23:04 CEST
CVE-2018-14647 and CVE-2018-1000802 are more new issues.

Debian has issued advisories for those on September 27:
https://www.debian.org/security/2018/dsa-4306
Comment 7 David Walser 2018-10-13 00:29:26 CEST
openSUSE has issued an advisory for CVE-2018-1000802 on October 6:
https://lists.opensuse.org/opensuse-updates/2018-10/msg00035.html
Comment 8 David Walser 2018-10-15 23:20:35 CEST
Fedora has issued an advisory for CVE-2018-1000802 on September 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O4ERR26C7JCSELMELHCVZ5TZXFKHBJ72/
Thomas Backlund 2018-10-16 17:30:18 CEST

CC: (none) => tmb
Whiteboard: MGA5TOO => (none)

Comment 9 David Walser 2018-10-26 19:37:17 CEST
Fedora has issued an advisory for CVE-2018-14647 on October 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HFL5UURGWQ53IKGPTD7B4MKMSMUZPTGU/
Comment 10 David Walser 2018-11-15 00:22:07 CET
Ubuntu has issued an advisory for some of these issues on November 13:
https://usn.ubuntu.com/3817-1/
Comment 11 David GEIGER 2018-12-27 19:03:16 CET
CVE-2018-14647 and CVE-2018-1000802 fixed on Cauldron!

CC: (none) => geiger.david68210

Comment 12 David Walser 2018-12-27 22:24:55 CET
So Comment 3 and Comment 4 are the only possible questions for Cauldron left.
Comment 14 David GEIGER 2018-12-28 04:20:25 CET
Also CVE-2018-1000030 is already fixed upstream in release 2.7.15:

- bpo-31530: Fixed crashes when iterating over a file on multiple threads

https://bugs.python.org/issue31530#msg320189
Comment 15 David GEIGER 2018-12-28 11:31:58 CET
So fixed now for mga6!
Comment 16 David Walser 2018-12-28 16:07:32 CET
Advisory:
========================

Updated python packages fix security vulnerabilities:

Possible denial of service vulnerability due to a missing check in Lib/wave.py
to verify that at least one channel is provided (CVE-2017-18207).

Python's elementtree C accelerator failed to initialise Expat's hash salt
during initialization. This could make it easy to conduct denial of service
attacks against Expat by constructing an XML document that would cause
pathological hash collisions in Expat's internal data structures, consuming
large amounts of CPU and RAM (CVE-2018-14647).

It was discovered that the shutil module of python does not properly sanitize
input when creating a zip file on Windows. An attacker could use this flaw to
cause a denial of service or add unintended files to the generated archive
(CVE-2018-1000802).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18207
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802
https://lists.opensuse.org/opensuse-updates/2018-04/msg00041.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O4ERR26C7JCSELMELHCVZ5TZXFKHBJ72/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HFL5UURGWQ53IKGPTD7B4MKMSMUZPTGU/
========================

Updated packages in core/updates_testing:
========================
python-2.7.15-1.1.mga6
libpython2.7-2.7.15-1.1.mga6
libpython2.7-stdlib-2.7.15-1.1.mga6
libpython2.7-testsuite-2.7.15-1.1.mga6
libpython-devel-2.7.15-1.1.mga6
python-docs-2.7.15-1.1.mga6
tkinter-2.7.15-1.1.mga6
tkinter-apps-2.7.15-1.1.mga6

from python-2.7.15-1.1.mga6.src.rpm

Assignee: python => qa-bugs

David Walser 2018-12-28 16:08:12 CET

Summary: python new security issue CVE-2017-18207 => python new security issues CVE-2017-18207, CVE-2018-14647, CVE-2018-1000802

Comment 17 Len Lawrence 2018-12-31 14:32:40 CET
Mageia 6, x86_64

CVE-2017-18207
https://bugzilla.suse.com/show_bug.cgi?id=1083507
This is an old divide-by-zero bug - probably fixed already.
Running this test confirms that.

$ python
Python 2.7.15 (default, May  1 2018, 17:08:05) 
[GCC 5.4.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import wave
>>> wave.open('audio-testcase.wav')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/wave.py", line 511, in open
    return Wave_read(f)
  File "/usr/lib64/python2.7/wave.py", line 164, in __init__
    self.initfp(f)
  File "/usr/lib64/python2.7/wave.py", line 150, in initfp
    self._nframes = chunk.chunksize // self._framesize
ZeroDivisionError: integer division or modulo by zero
>>> exit()

Updated all the packages.

The testsuite files can be found in /usr/lib/python2.7/ under subdirectories bsddb/test, ctypes/test, distutils/tests, email/test, lib2to3/tests, sqlite/test,
test and unittest/test.  A web search indicated that there should be a /usr/share/doc/libpython2.7-testsuite file but we do not appear to have it, unless it belongs to a not-installed package.  Other results seem to indicate that the test files belong to the unit testing framework rather than providing a general way to test the functionality of the python installation which is what I was hoping to find.

Tested the CVE-2017-18207 issue again:

>>> import wave
>>> wave.open('audio-testcase.wav')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/wave.py", line 513, in open
    return Wave_read(f)
  File "/usr/lib64/python2.7/wave.py", line 164, in __init__
    self.initfp(f)
  File "/usr/lib64/python2.7/wave.py", line 144, in initfp
    self._read_fmt_chunk(chunk)
  File "/usr/lib64/python2.7/wave.py", line 276, in _read_fmt_chunk
    raise Error, "The audio file in wav format should have at least one channel!"
wave.Error: The audio file in wav format should have at least one channel!

which differs from the pre-update test by rejecting the data.  Good result.

Generated a list of applications which depend on python.
Picked scribus and opened it under strace to create a dummy .sla document.
The output trace contained 357 references to python2.7.

sonata opens OK.  calibre works fine.
Installed vegastrike and launched it.  Big mistake.  It worked OK as far as I could see but there was no way to exit or quit the game.    Killed it from a virtual console then switched back to graphics mode.  The display was running in the lowest resolution possible and the mouse was not responding so a crash reboot was necessary.  But the game runs.

Launched glade and tinkered with it.  All looked fine.
Tried pycharm and ran a couple of simple python scripts from the interface.  All worked as expected.
Ran some beginner's scripts from the cli, posting a hello world button and calculating the first 10 numbers of the Fibonacci series.

It all looks good for 64-bits.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
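
As an added example (not code from the bug report, from Mageia or from CPython), the following Python 3 script shows the check that the two tracebacks above differ on. It builds a constructed minimal PCM RIFF/WAVE blob, walks the fmt and data chunks the way wave.py does, and refuses a header that declares zero channels or a zero sample width before the data chunk size is divided by the frame size (the division that raised ZeroDivisionError in the unpatched Python 2.7 wave.py, CVE-2017-18207). It also checks that the running interpreter's own wave module raises wave.Error on the same input, which is the post-update behaviour shown above. The helper names build_wav, describe_wav, validator_accepts and stdlib_accepts are hypothetical, and the sample bytes are constructed inline rather than taken from the PoC file.

```python
import io
import struct
import wave

# Hypothetical helper names; the WAV bytes below are constructed, not a real recording.


def build_wav(nchannels, sampwidth, framerate, nframes):
    """Return a minimal PCM RIFF/WAVE byte string. Deliberately unvalidated so a
    zero-channel header can be produced for the checks below."""
    framesize = nchannels * sampwidth
    pcm = b"\x00" * (framesize * nframes)
    fmt = struct.pack("<HHLLHH", 1, nchannels, framerate,
                      framerate * framesize, framesize, sampwidth * 8)
    body = (b"WAVE"
            + b"fmt " + struct.pack("<L", len(fmt)) + fmt
            + b"data" + struct.pack("<L", len(pcm)) + pcm)
    return b"RIFF" + struct.pack("<L", len(body)) + body


def describe_wav(blob):
    """Walk the RIFF chunks like wave.py does and return the stream parameters.
    The frame size is nchannels * sampwidth; the unpatched 2.7 wave.py divided
    the data chunk size by it without checking for zero, so both factors are
    validated here before any division happens."""
    if blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    params = {}
    pos = 12
    while pos + 8 <= len(blob):
        cid = blob[pos:pos + 4]
        size = struct.unpack_from("<L", blob, pos + 4)[0]
        payload = blob[pos + 8:pos + 8 + size]
        if cid == b"fmt ":
            try:
                tag, nch, rate, _, _, bits = struct.unpack_from("<HHLLHH", payload)
            except struct.error:
                raise ValueError("truncated fmt chunk") from None
            if tag != 1:
                raise ValueError("unsupported format tag %d" % tag)
            if nch == 0:
                raise ValueError("header declares zero channels")
            sampwidth = (bits + 7) // 8
            if sampwidth == 0:
                raise ValueError("header declares zero sample width")
            params.update(nchannels=nch, sampwidth=sampwidth, framerate=rate)
        elif cid == b"data":
            if "nchannels" not in params:
                raise ValueError("data chunk before fmt chunk")
            params["nframes"] = size // (params["nchannels"] * params["sampwidth"])
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to an even length
    if "nframes" not in params:
        raise ValueError("fmt or data chunk missing")
    return params


def validator_accepts(blob):
    """True if describe_wav accepts the blob, False if it rejects it."""
    try:
        describe_wav(blob)
        return True
    except ValueError:
        return False


def stdlib_accepts(blob):
    """True if this interpreter's wave module opens the blob, False if it raises
    wave.Error (the post-update behaviour shown in the traceback above)."""
    try:
        with wave.open(io.BytesIO(blob), "rb") as w:
            w.getparams()
        return True
    except wave.Error:
        return False


if __name__ == "__main__":
    good = build_wav(1, 2, 8000, 10)
    bad = build_wav(0, 2, 8000, 0)  # zero channels, the shape of the PoC header
    print(describe_wav(good), stdlib_accepts(good))
    print("zero-channel header accepted by validator:", validator_accepts(bad))
    print("zero-channel header accepted by stdlib wave:", stdlib_accepts(bad))
```

Running the script under a Python 3.7 or later interpreter prints the parameters of the one-channel file followed by two `False` lines for the zero-channel header: the hand-written parser rejects it with a ValueError, and the stdlib wave module rejects it with wave.Error instead of dividing by zero. The same parse-then-validate shape applies to aifc and sunau, which the status comment on this bug notes the SVN patch did not address.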

Lewis Smith 2018-12-31 20:25:01 CET

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 18 Mageia Robot 2018-12-31 23:43:11 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0495.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

