openSUSE has issued an advisory on April 25: https://lists.opensuse.org/opensuse-updates/2019-04/msg00187.html Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assignee: bugsquad => python
CC: (none) => marja11
Fixed both mga6 and Cauldron!
CC: (none) => geiger.david68210
Advisory:
========================

Updated python packages fix security vulnerability:

A 'file:' blacklist bypass in URIs by using the 'local-file:' scheme instead (CVE-2019-9948).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9948
https://lists.opensuse.org/opensuse-updates/2019-04/msg00187.html
========================

Updated packages in core/updates_testing:
========================
python-2.7.15-1.4.mga6
libpython2.7-2.7.15-1.4.mga6
libpython2.7-stdlib-2.7.15-1.4.mga6
libpython2.7-testsuite-2.7.15-1.4.mga6
libpython-devel-2.7.15-1.4.mga6
python-docs-2.7.15-1.4.mga6
tkinter-2.7.15-1.4.mga6
tkinter-apps-2.7.15-1.4.mga6

from python-2.7.15-1.4.mga6.src.rpm
Assignee: python => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
mga6, x86_64

Investigated the CVE before updating.

CVE-2019-9948
https://bugs.python.org/issue35907

Running this python snippet:
----------------------------------
import urllib
print( urllib.urlopen('local_file:///etc/passwd').read()[:30] )
----------------------------------
returned:
root:x:0:0:root:/root:/bin/bas
which I think demonstrated the vulnerability.

As indicated upstream, running modified POC code with urllib2 or python3 shows that only urllib is vulnerable.

*After updating*

$ python poc.py
Traceback (most recent call last):
  File "poc.py", line 3, in <module>
    print( urllib.urlopen('local_file:///etc/passwd').read()[:30] )
  File "/usr/lib64/python2.7/urllib.py", line 87, in urlopen
    return opener.open(url)
  File "/usr/lib64/python2.7/urllib.py", line 213, in open
    return self.open_unknown(fullurl, data)
  File "/usr/lib64/python2.7/urllib.py", line 225, in open_unknown
    raise IOError, ('url error', 'unknown url type', type)
IOError: [Errno url error] unknown url type: 'local_file'

This agrees with the report upstream and demonstrates that the issue has been correctly handled.

Checks:

$ cat fib.py
def fibo( ):
    ''' Unbounded generator for Fibonacci numbers '''
    x, y = 0, 1
    while True:
        yield x
        x, y = y, x + y

if __name__ == "__main__":
    import itertools
    print list( itertools.islice( fibo( ), 10 ) )

$ python fib.py
[0, 1, 1, 2, 3, 5, 8, 13, 21, 34]

Ran calibre under strace - added five PDF books to the library, opened one and scrolled through it. Found numerous references to /usr/lib/python2.7 and /lib64/libpython2.7.so.1.0.

Tried displaycal without really knowing what to do - profiling, calibration curves and tone response. The trace showed libpython2.7 and /usr/lib64/python2.7/site*.

OK for 64-bit.
CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
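The comment above verifies the fix empirically. The following is an added example, not part of this bug report or of the Mageia/Python packages, that shows why a 'file:' blacklist is the wrong mitigation for CVE-2019-9948: the scheme an application checks and the scheme the URL opener dispatches on need not be the same string. The Python 2 splittype regex is reproduced here (an assumption about its form; the real Python 2 code is not imported), a denylist built on urllib.parse.urlsplit() is compared with an allowlist, and Python 3's urllib.request is shown rejecting the PoC URL offline as an unknown scheme, matching the "unknown url type" error seen after the update.

```python
import re
from urllib.error import URLError
from urllib.parse import urlsplit
from urllib.request import urlopen

# Reproduction of Python 2 urllib.splittype()'s pattern (assumed here for
# illustration): anything up to the first ':' that contains no '/' counts
# as the scheme, so 'local_file' is accepted and urllib.urlopen() in
# Python 2.x through 2.7.16 dispatched it to open_local_file().
_PY2_SPLITTYPE = re.compile(r"^([^/:]+):")

# Constructed PoC URL from the CVE description (local path, never fetched).
POC_URL = "local_file:///etc/passwd"


def py2_dispatch_scheme(url):
    """Scheme string the Python 2 opener would dispatch on, or None."""
    m = _PY2_SPLITTYPE.match(url)
    return m.group(1).lower() if m else None


def urlsplit_scheme(url):
    """Scheme as RFC 3986-style urlsplit() sees it.

    urlsplit() only accepts letters, digits, '+', '-' and '.' in a scheme,
    so 'local_file' (underscore) parses as NO scheme at all.
    """
    return urlsplit(url).scheme


def denylist_lets_through(url):
    """The vulnerable pattern: block 'file:' and trust everything else.

    Returns True if the URL would be handed to the opener. The PoC URL is
    let through because the denylist compares against '' rather than
    'local_file'.
    """
    return urlsplit_scheme(url) != "file"


def allowlist_lets_through(url, allowed=("http", "https")):
    """The robust pattern: only named remote schemes pass.

    Anything the parser cannot classify (including 'local_file') fails
    closed, so parser disagreements cannot widen the attack surface.
    """
    return urlsplit_scheme(url) in allowed


def py3_rejects_as_unknown(url):
    """True if Python 3's urllib.request refuses the scheme as unknown.

    This is evaluated entirely in-process: no handler is registered for
    'local_file', so UnknownHandler raises before any I/O happens.
    Only call this with non-file, non-network URLs such as POC_URL.
    """
    try:
        urlopen(url)
    except URLError as exc:
        return "unknown url type" in str(exc.reason)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("py2 dispatch scheme :", py2_dispatch_scheme(POC_URL))
    print("urlsplit scheme     :", repr(urlsplit_scheme(POC_URL)))
    print("file: denylist passes PoC  :", denylist_lets_through(POC_URL))
    print("http(s) allowlist passes PoC:", allowlist_lets_through(POC_URL))
    print("Python 3 urlopen rejects PoC:", py3_rejects_as_unknown(POC_URL))
```

The practical takeaway for code that still wraps a URL opener: decide on an allowlist of schemes, derive the scheme with the same parser the opener uses, and treat an unparseable scheme as a rejection rather than as "not file:".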
Should be OK for 32-bit, too. Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0165.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED