Bug 23703 - python-marshmallow new security issue CVE-2018-17175
Summary: python-marshmallow new security issue CVE-2018-17175
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-10-16 00:40 CEST by David Walser
Modified: 2019-02-13 12:10 CET

See Also:
Source RPM: python-marshmallow-2.2.1-0.6.gitea1def9.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-10-16 00:40:07 CEST
Fedora has issued an advisory on October 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GCKZAADQI7JJ3ZUN7DSIR2JH3VZEJZDM/

The issue is fixed upstream in 2.15.1.

Mageia 6 is also affected.
David Walser 2018-10-16 00:40:15 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-10-16 19:52:07 CEST
Assigning to the Python stack maintainers, CC'ing the registered maintainer.

Assignee: bugsquad => python
CC: (none) => marja11, ngompa13

Comment 2 David Walser 2019-02-03 02:40:27 CET
Patched packages uploaded for Mageia 6 and Cauldron.

Advisory:
========================

Updated python-marshmallow packages fix security vulnerability:

In the marshmallow library before 2.15.1 for Python, the schema "only" option
treats an empty list as implying no "only" option, which allows a request that
was intended to expose no fields to instead expose all fields (if the schema is
being filtered dynamically using the "only" option, and there is a user role
that produces an empty value for "only") (CVE-2018-17175).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17175
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GCKZAADQI7JJ3ZUN7DSIR2JH3VZEJZDM/
========================

Updated packages in core/updates_testing:
========================
python2-marshmallow-2.2.1-0.5.gitea1def9.mga6
python2-marshmallow-doc-2.2.1-0.5.gitea1def9.mga6
python3-marshmallow-2.2.1-0.5.gitea1def9.mga6
python3-marshmallow-doc-2.2.1-0.5.gitea1def9.mga6

from python-marshmallow-2.2.1-0.5.gitea1def9.mga6.src.rpm

Assignee: python => qa-bugs
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 3 Len Lawrence 2019-02-03 17:39:05 CET
Mageia6, x86_64
$ rpm -qa | grep marshmallow
python3-marshmallow-doc-2.2.1-0.4.gitea1def9.mga6
python3-marshmallow-2.2.1-0.4.gitea1def9.mga6
python2-marshmallow-doc-2.2.1-0.4.gitea1def9.mga6
python2-marshmallow-2.2.1-0.4.gitea1def9.mga6

Documentation at 
https://marshmallow.readthedocs.io/en/3.0/

$ cat example.py
from datetime import date
from marshmallow import Schema, fields, pprint

class ArtistSchema(Schema):
    name = fields.Str()

class AlbumSchema(Schema):
    title = fields.Str()
    release_date = fields.Date()
    artist = fields.Nested(ArtistSchema())

bowie = dict(name='David Bowie')
album = dict(artist=bowie, title='Hunky Dory', release_date=date(1971, 12, 17))

schema = AlbumSchema()
result = schema.dump(album)
pprint(result, indent=2)

This works with python2.7 or python3.

$ python3 example.py
MarshalResult(data={'artist': {'name': 'David Bowie'}, 'title': 'Hunky Dory', 'release_date': '1971-12-17'}, errors={})

Quick start for Schemas:
https://marshmallow.readthedocs.io/en/3.0/quickstart.html

CVE-2018-17175
https://github.com/marshmallow-code/marshmallow/issues/772

$ cat test.py
from marshmallow import Schema, fields, pprint

class TestSchema(Schema):
    foo = fields.Field()
sch = TestSchema(only=())
data = dict(foo='bar')
result = sch.dump(data)
# On marshmallow 2.x dump() returns MarshalResult(data, errors), a namedtuple;
# the membership test below looks at that tuple, not at the serialized dict
# (result.data), so it cannot fail regardless of the 'only' handling.
assert 'foo' not in result

The snippet above is supposed to return an assertion but returns nothing when run before the update.
$ python test.py
$ python3 test.py
$

Updated packages to version 2.2.1-0.5

Same results from running 'python{,3} {example,test}.py'.

So clean update, expected result from the example script, but I have insufficient knowledge of python to interpret the outcomes of running test.py.

Placing None in the argument list shows what a null argument should have produced before the update:
$ cat test1.py
from marshmallow import Schema, fields, pprint

class TestSchema(Schema):
    foo = fields.Field()
sch = TestSchema(only=(None))   # (None) is plain None, not a one-element tuple
data = dict(foo='bar')
result = sch.dump(data)
pprint(result, indent=2)
# As in test.py, this checks the MarshalResult tuple rather than result.data.
assert 'foo' not in result

$ python test1.py
MarshalResult(data={'foo': 'bar'}, errors={})

This seems to suggest that the fault had been repaired in 2.2.0.4.

OK for 64-bits.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
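The advisory in comment 2 describes the bug as an empty "only" being treated as no "only" at all, and the test.py in comment 3 never fails because on marshmallow 2.x `dump()` returns a `MarshalResult` namedtuple, so `'foo' not in result` inspects the tuple rather than `result.data`. The block below is an added example, not Mageia's or marshmallow's own code. It reimplements just the `only` field-selection step in a small stand-in (`select_fields_vulnerable` mirrors the effective pre-2.15.1 truthiness test, `select_fields_fixed` the `is not None` test that 2.15.1 uses), drives both with a constructed record and a constructed role-to-`only` map in which a "guest" role is meant to see no fields, and adds `check_real_marshmallow()`, which runs the same empty-`only` check against whichever marshmallow is installed (reading `.data` on 2.x, the plain dict on 3.x). The role names, field names and record values are assumptions for illustration.

```python
"""Added example (not Mageia's or marshmallow's code): the CVE-2018-17175
'only' logic bug beside its fix, plus a check usable against the real library."""


def select_fields_vulnerable(declared, only):
    """Pre-2.15.1 behaviour: an empty 'only' is falsy, so it is treated as
    'no restriction' and every declared field is exposed."""
    if only:
        return [name for name in declared if name in only]
    return list(declared)


def select_fields_fixed(declared, only):
    """2.15.1 behaviour: only None means 'no restriction'; an empty sequence
    means 'expose nothing'."""
    if only is not None:
        return [name for name in declared if name in only]
    return list(declared)


def dump(record, declared, only, select=select_fields_fixed):
    """Serialize ``record`` keeping just the fields chosen by ``select``."""
    return {name: record[name] for name in select(declared, only) if name in record}


# Constructed sample data (assumptions for illustration): three declared
# fields and a role -> 'only' map where 'guest' is supposed to see nothing.
DECLARED = ("id", "email", "ssn")
ROLE_VIEW = {
    "admin": None,               # unrestricted view
    "support": ("id", "email"),  # partial view
    "guest": (),                 # no fields at all
}
RECORD = {"id": 7, "email": "a@example.org", "ssn": "000-00-0000"}


def dump_for_role(role, vulnerable=False):
    """Dump RECORD as the given role would see it, with either selector."""
    select = select_fields_vulnerable if vulnerable else select_fields_fixed
    return dump(RECORD, DECLARED, ROLE_VIEW[role], select)


def leaks_on_empty_only(dump_fn):
    """Regression check: dumping with only=() must yield no fields.
    ``dump_fn(data, only)`` is any callable returning the serialized dict."""
    out = dump_fn({"foo": "bar"}, ())
    return len(out) != 0


def check_real_marshmallow():
    """Run the same check against an installed marshmallow, if present.
    Returns True if it leaks, False if it does not, None if not installed.
    Handles 2.x (dump returns MarshalResult) and 3.x (dump returns a dict)."""
    try:
        from marshmallow import Schema, fields
    except ImportError:
        return None

    class TestSchema(Schema):
        foo = fields.Field()

    def real_dump(data, only):
        result = TestSchema(only=only).dump(data)
        return getattr(result, "data", result)  # 2.x: look inside MarshalResult

    return leaks_on_empty_only(real_dump)


if __name__ == "__main__":
    for role in ROLE_VIEW:
        print(role, "vulnerable:", dump_for_role(role, vulnerable=True),
              "fixed:", dump_for_role(role))
    print("installed marshmallow leaks on only=():", check_real_marshmallow())
```

The useful QA check is `check_real_marshmallow()`: before the update it should report True on a vulnerable build and False on a fixed one, which is the signal the test.py in comment 3 could not produce because it never looked at `result.data`.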

Len Lawrence 2019-02-09 00:33:23 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2019-02-13 03:03:14 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2019-02-13 12:10:26 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0065.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

