Fedora has issued an advisory on October 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GCKZAADQI7JJ3ZUN7DSIR2JH3VZEJZDM/

The issue is fixed upstream in 2.15.1. Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the Python stack maintainers, CC'ing the registered maintainer.
Assignee: bugsquad => python
CC: (none) => marja11, ngompa13
Patched packages uploaded for Mageia 6 and Cauldron.

Advisory:
========================

Updated python-marshmallow packages fix security vulnerability:

In the marshmallow library before 2.15.1 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the "only" option, and there is a user role that produces an empty value for "only") (CVE-2018-17175).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17175
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GCKZAADQI7JJ3ZUN7DSIR2JH3VZEJZDM/
========================

Updated packages in core/updates_testing:
========================
python2-marshmallow-2.2.1-0.5.gitea1def9.mga6
python2-marshmallow-doc-2.2.1-0.5.gitea1def9.mga6
python3-marshmallow-2.2.1-0.5.gitea1def9.mga6
python3-marshmallow-doc-2.2.1-0.5.gitea1def9.mga6

from python-marshmallow-2.2.1-0.5.gitea1def9.mga6.src.rpm
Assignee: python => qa-bugs
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Mageia6, x86_64

$ rpm -qa | grep marshmallow
python3-marshmallow-doc-2.2.1-0.4.gitea1def9.mga6
python3-marshmallow-2.2.1-0.4.gitea1def9.mga6
python2-marshmallow-doc-2.2.1-0.4.gitea1def9.mga6
python2-marshmallow-2.2.1-0.4.gitea1def9.mga6

Documentation at https://marshmallow.readthedocs.io/en/3.0/

$ cat example.py
from datetime import date
from marshmallow import Schema, fields, pprint

class ArtistSchema(Schema):
    name = fields.Str()

class AlbumSchema(Schema):
    title = fields.Str()
    release_date = fields.Date()
    artist = fields.Nested(ArtistSchema())

bowie = dict(name='David Bowie')
album = dict(artist=bowie, title='Hunky Dory', release_date=date(1971, 12, 17))

schema = AlbumSchema()
# In marshmallow 2.x, dump() returns a MarshalResult(data, errors) namedtuple.
result = schema.dump(album)
pprint(result, indent=2)

This works with python2.7 or python3.

$ python3 example.py
MarshalResult(data={'artist': {'name': 'David Bowie'}, 'title': 'Hunky Dory', 'release_date': '1971-12-17'}, errors={})

Quick start for Schemas: https://marshmallow.readthedocs.io/en/3.0/quickstart.html

CVE-2018-17175
https://github.com/marshmallow-code/marshmallow/issues/772

$ cat test.py
from marshmallow import Schema, fields, pprint

class TestSchema(Schema):
    foo = fields.Field()

# only=() is meant to expose no fields at all.
sch = TestSchema(only=())
data = dict(foo='bar')
result = sch.dump(data)
# Note: result is a MarshalResult namedtuple (data, errors), so this membership
# test looks at the tuple's two elements, not at the dumped dict in result.data.
assert 'foo' not in result

The snippet above is supposed to return an assertion but returns nothing when run before the update.

$ python test.py
$ python3 test.py
$

Updated packages to version 2.2.1-0.5

Same results from running 'python{,3} {example,test}.py'.

So clean update, expected result from the example script, but I have insufficient knowledge of python to interpret the outcomes of running test.py.
Placing None in the argument list shows what a null argument should have produced before the update:

$ cat test1.py
from marshmallow import Schema, fields, pprint

class TestSchema(Schema):
    foo = fields.Field()

# (None) is just None in parentheses, not a tuple: this passes only=None,
# i.e. no "only" restriction at all.
sch = TestSchema(only=(None))
data = dict(foo='bar')
result = sch.dump(data)
pprint( result, indent=2 )
# As in test.py, this checks the MarshalResult tuple, not result.data.
assert 'foo' not in result

$ python test1.py
MarshalResult(data={'foo': 'bar'}, errors={})

This seems to suggest that the fault had been repaired in 2.2.0.4.

OK for 64-bits.
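The root cause described in the advisory, shown as an added stand-alone example that is not from this bug report and does not depend on the marshmallow package: a dump routine that tests the "only" option for truthiness cannot tell an empty tuple (a role allowed to see nothing) from "no option given", so the empty-tuple role receives every field. The role table, record and the function names dump_vulnerable/dump_fixed/dump_for_role are constructed for illustration; the fixed variant uses the `is not None` test so that only the absence of the option disables filtering.

```python
"""CVE-2018-17175 root cause, reproduced without marshmallow.

A schema's "only" option is an allow-list of field names. If the option is
checked with `if only:`, an empty tuple is falsy and is treated exactly like
"no restriction", which leaks every field to a role meant to see none.
"""

# Constructed sample record and the per-role allow-lists a service might
# compute dynamically before dumping (the "dynamic filtering" in the advisory).
RECORD = {"id": 7, "email": "alice@example.test", "ssn": "000-00-0000"}
ROLE_ONLY = {
    "admin": None,              # no "only" option: full record intended
    "support": ("id", "email"),
    "anonymous": (),            # intended: expose no fields at all
}


def dump_vulnerable(data, only=None):
    """Pre-fix behaviour: `if only` is False for (), so () means 'all fields'."""
    if only:
        return {k: v for k, v in data.items() if k in only}
    return dict(data)


def dump_fixed(data, only=None):
    """Fixed behaviour: only the absence of the option (None) means 'all fields'."""
    if only is not None:
        return {k: v for k, v in data.items() if k in only}
    return dict(data)


def dump_for_role(role, dumper=dump_fixed):
    """Dump RECORD for the given role using the chosen dump routine."""
    return dumper(RECORD, only=ROLE_ONLY[role])


if __name__ == "__main__":
    for role in ROLE_ONLY:
        print(role, "vulnerable:", dump_for_role(role, dump_vulnerable))
        print(role, "fixed:     ", dump_for_role(role, dump_fixed))
```

Note that a regression test for this must assert on the dumped dict itself (here the return value; in marshmallow 2.x the `.data` attribute of the MarshalResult), since `'foo' not in result` on the namedtuple never fails.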
Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0065.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED