Bug 23664 - python3 new security issues CVE-2018-14647, CVE-2018-20406, CVE-2019-5010, CVE-2019-9636
Summary: python3 new security issues CVE-2018-14647, CVE-2018-20406, CVE-2019-5010, CV...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-10-10 00:24 CEST by David Walser
Modified: 2019-04-10 23:26 CEST

See Also:
Source RPM: python3-3.6.6-4.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 3.5.7 and 3.7.3



Description David Walser 2018-10-10 00:24:48 CEST
Debian has issued an advisory on September 28:
https://www.debian.org/security/2018/dsa-4307

The python package is also affected (Bug 23061).

Mageia 6 is also affected.
David Walser 2018-10-10 00:24:57 CEST

Whiteboard: (none) => MGA6TOO

David Walser 2018-10-21 23:02:23 CEST

Status comment: (none) => Fixed upstream in 3.6.7 and 3.7.1

Comment 1 David Walser 2018-10-26 19:54:19 CEST
Fedora has issued an advisory for this on October 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A7QEHDSATR6O6LCG44EN2DA4QDAYBYWW/
Comment 3 David GEIGER 2018-12-25 20:36:57 CET
release 3.6.7 already in Cauldron!

CC: (none) => geiger.david68210

David Walser 2018-12-25 20:39:01 CET

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 4 David Walser 2019-01-06 17:53:55 CET
3.7.2 also fixes two security issues that also affect older versions:
https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-2-release-candidate-1
https://bugs.python.org/issue34812
https://bugs.python.org/issue34791
Comment 5 David Walser 2019-01-28 01:59:52 CET
Fedora has issued an advisory on January 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KQAHRQV4GLSC4MKWUVJELXIIHJ44VI5P/

It fixes one new issue (patch pushed in Cauldron).

Summary: python3 new security issue CVE-2018-14647 => python3 new security issues CVE-2018-14647 and CVE-2019-5010

Comment 6 David Walser 2019-02-01 19:29:18 CET
SUSE has issued an advisory on January 31:
http://lists.suse.com/pipermail/sle-security-updates/2019-January/005071.html

The new issue, CVE-2018-20406, was fixed in 3.7.1 (so Cauldron is OK).

Summary: python3 new security issues CVE-2018-14647 and CVE-2019-5010 => python3 new security issues CVE-2018-14647, CVE-2018-20406, and CVE-2019-5010

Comment 7 David Walser 2019-03-18 01:23:18 CET
3.7.3 fixes CVE-2019-5010 (already patched in Cauldron) and two other issues:
https://bugs.python.org/issue36216
https://bugs.python.org/issue35121
Comment 9 David Walser 2019-03-28 21:12:05 CET
Fedora has issued an advisory on March 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/L25RTMKCF62DLC2XVSNXGX7C7HXISLVM/

It fixes one new, high-severity security issue.  They also patched for the CVE in Comment 7.

Version: 6 => Cauldron
Severity: normal => critical
Whiteboard: (none) => MGA6TOO
Summary: python3 new security issues CVE-2018-14647, CVE-2018-20406, and CVE-2019-5010 => python3 new security issues CVE-2018-14647, CVE-2018-20406, CVE-2019-5010, CVE-2019-9636

David Walser 2019-03-28 21:12:20 CET

CC: (none) => makowski.mageia
Assignee: makowski.mageia => python

Comment 10 David Walser 2019-03-28 21:51:53 CET
Fedora advisory for Python 3.5, which may help us for Mageia 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/
Comment 13 David GEIGER 2019-04-04 11:43:26 CEST
python 3.7.3 submitted on Cauldron!
David Walser 2019-04-04 13:47:55 CEST

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Status comment: Fixed upstream in 3.6.7 and 3.7.1 => Fixed upstream in 3.5.7 and 3.7.3

Comment 14 David GEIGER 2019-04-04 14:21:24 CEST
python 3.5.7 submitted on mga6!
Comment 15 David Walser 2019-04-04 20:09:54 CEST
Advisory:
========================

Updated python3 packages fix security vulnerabilities:

Python's elementtree C accelerator failed to initialise Expat's hash salt
during initialization. This could make it easy to conduct denial of service
attacks against Expat by constructing an XML document that would cause
pathological hash collisions in Expat's internal data structures, consuming
large amounts of CPU and RAM (CVE-2018-14647).

Modules/_pickle.c in Python before 3.5.7 has an integer overflow via a large
LONG_BINPUT value that is mishandled during a "resize to twice the size"
attempt. This issue might cause memory exhaustion, but is only relevant if the
pickle format is used for serializing tens or hundreds of gigabytes of data
(CVE-2018-20406).

A null pointer dereference vulnerability was found in the certificate parsing
code in Python. This causes a denial of service to applications when parsing
specially crafted certificates. This vulnerability is unlikely to be triggered
if the application enables SSL/TLS certificate validation and accepts certificates
only from trusted root certificate authorities (CVE-2019-5010).

A vulnerability was found in Python 3.x through 3.5.7. An improper Handling of
Unicode Encoding (with an incorrect netloc) during NFKC normalization could
lead to an Information Disclosure (credentials, cookies, etc. that are cached
against a given hostname) in the urllib.parse.urlsplit, urllib.parse.urlparse
components. A specially crafted URL could be incorrectly parsed to locate
cookies or authentication data and send that information to a different host
than when parsed correctly (CVE-2019-9636).

The python3 package has been updated to version 3.5.7, fixing these and other
issues.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20406
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636
https://pythoninsider.blogspot.com/2019/03/python-3.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A7QEHDSATR6O6LCG44EN2DA4QDAYBYWW/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/
========================

Updated packages in core/updates_testing:
========================
python3-3.5.7-1.mga6
libpython3.5-3.5.7-1.mga6
libpython3.5-stdlib-3.5.7-1.mga6
libpython3.5-testsuite-3.5.7-1.mga6
libpython3-devel-3.5.7-1.mga6
python3-docs-3.5.7-1.mga6
tkinter3-3.5.7-1.mga6
tkinter3-apps-3.5.7-1.mga6

from python3-3.5.7-1.mga6.src.rpm

Assignee: python => qa-bugs
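The urlsplit/urlparse issue in the advisory above (CVE-2019-9636) comes down to a netloc that contains non-ASCII characters which, once NFKC-normalized (as IDNA does), expand into URL delimiters and therefore name a different host than the one the unnormalized parse returned. The block below is an added example written for this bug report; it is not code from Mageia, CPython or the advisory. It shows an application-level check that compares a netloc with its NFKC form and refuses URLs whose authority part is ambiguous, which is the same kind of comparison the upstream fix performs inside urlsplit. The function names netloc_changes_under_nfkc and check_url and the sample URLs are constructed for the example; the hosts used are placeholders, not real sites.

```python
import unicodedata
from urllib.parse import urlsplit

# Characters that delimit the authority part of a URL. If NFKC normalization
# of a netloc produces any of these, the host name becomes ambiguous.
URL_DELIMITERS = "/?#@:"


def netloc_changes_under_nfkc(netloc: str) -> bool:
    """Return True when NFKC normalization introduces a URL delimiter into netloc.

    Pure-ASCII netlocs are unaffected: NFKC is the identity on ASCII, so the
    function returns False without normalizing. Delimiters that are already
    present ('@', ':', '#', '?') are removed before normalizing so that only
    delimiters *created* by normalization are detected.
    """
    if not netloc or all(ord(ch) < 128 for ch in netloc):
        return False
    stripped = netloc
    for ch in "@:#?":
        stripped = stripped.replace(ch, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return False
    return any(ch in normalized for ch in URL_DELIMITERS)


def check_url(url: str) -> str:
    """Classify a URL as 'ok' or 'rejected' before any host-keyed lookup.

    A patched interpreter (3.5.7 / 3.7.3 and later) already raises ValueError
    from urlsplit for these inputs; on an unpatched one the URL parses
    silently, so the application performs the same comparison itself.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return "rejected"
    if netloc_changes_under_nfkc(parts.netloc):
        return "rejected"
    return "ok"


if __name__ == "__main__":
    # Constructed sample inputs (placeholder hosts). U+2100 normalizes to
    # "a/c" and U+FF03 to "#", so the "user" part of the authority turns into
    # a host boundary after normalization; U+00FC does not change under NFKC.
    samples = [
        "https://user@b\u00fccher.example/path",
        "https://example.com\u2100@other.example/",
        "https://example.com\uff03@other.example/",
    ]
    for sample in samples:
        print(check_url(sample), ascii(sample))
```

The check is deliberately conservative: it rejects rather than repairs, because the safe normalized form of such a URL cannot be recovered without guessing which host the sender meant. Running it on an interpreter that already carries the upstream fix produces the same verdicts, since the ValueError path and the explicit comparison agree.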

Comment 16 Len Lawrence 2019-04-05 16:42:53 CEST
mga6, x86_64

Checked the CVE links but found no POC.

python3 used by: blender, cantor, glom, net_monitor, onboard, pitivi, sigil and virtualbox amongst others.

Updated the packages.

Ran blender under strace and found multiple references to lib64/python3.5.

Invoked cantor and specified the python3 backend.  Presented with a worksheet containing the python command prompt.

Installed onboard and invoked it under strace.  It presented a very neat onscreen keyboard which responded to mouse-clicks by echoing the key value to the last terminal raised.  The trace contained numerous references to lib64/python3.5.

This looks good for 64-bits.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25

Comment 17 Dave Hodgins 2019-04-10 22:24:42 CEST
Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 18 Mageia Robot 2019-04-10 23:26:32 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0135.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

