Bug 26268 - python/python3 new security issues CVE-2019-9674, CVE-2019-17514, CVE-2019-20907, CVE-2020-8492, CVE-2020-14422, CVE-2020-26116
Summary: python/python3 new security issues CVE-2019-9674, CVE-2019-17514, CVE-2019-20...
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
: 26894 (view as bug list)
Depends on:
Blocks:
 
Reported: 2020-02-27 22:58 CET by David Walser
Modified: 2020-11-23 13:56 CET (History)
4 users (show)

See Also:
Source RPM: python3-3.8.1-2.mga8.src.rpm, python-2.7.17-3.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2020-02-27 22:58:59 CET
SUSE has issued advisories on February 25 and 27 (today):
http://lists.suse.com/pipermail/sle-security-updates/2020-February/006520.html
http://lists.suse.com/pipermail/sle-security-updates/2020-February/006545.html

Mageia 7 is also affected.
David Walser 2020-02-27 22:59:19 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-02-28 19:03:21 CET
No registered maintainers for these, so assigning globally; CC'ing a couple of packagers who have committed them recently.

CC: (none) => geiger.david68210, thierry.vignaud
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2020-02-28 20:22:07 CET
I just remembered there is a Python group.

Assignee: pkg-bugs => python

Comment 3 David Walser 2020-03-02 22:03:31 CET
openSUSE has issued an advisory for this on March 2 (for python3):
https://lists.opensuse.org/opensuse-updates/2020-03/msg00013.html
Comment 4 David Walser 2020-04-23 20:39:14 CEST
Ubuntu has issued an advisory for CVE-2020-8492 on April 21:
https://usn.ubuntu.com/4333-1/

Note that we are not vulnerable to CVE-2019-18348 because it was fixed in glibc.
Comment 5 David Walser 2020-05-26 23:46:51 CEST
openSUSE advisory for python CVE-2019-9674 from May 23:
https://lists.opensuse.org/opensuse-updates/2020-05/msg00109.html
David Walser 2020-07-02 23:25:00 CEST

Blocks: (none) => 26894

Comment 6 Jani Välimaa 2020-07-07 20:44:35 CEST
IIUC there's no real fix for CVE-2019-9674, yet. Only a documentation update. 

Upstream bug report: https://bugs.python.org/issue36260.

CC: (none) => jani.valimaa

Comment 7 David Walser 2020-07-07 21:09:38 CEST
Yes sometimes a documentation update is the only fix we get.
Comment 8 David Walser 2020-07-29 22:54:53 CEST
Ubuntu has issued an advisory on July 22:
https://ubuntu.com/security/notices/USN-4428-1

It adds some new CVEs and we now see that all of them also affect Python 2.7.

CVE-2019-17514 is only a documentation fix, but that's fine.

According to Ubuntu, CVE-2020-15801 that I mentioned below is Windows-specific:
https://bugs.mageia.org/show_bug.cgi?id=26894#c5

I'm not sure if these affect Python 2.7:
BPO-39603
BPO-41288

I'm also closing Bug 26894 and merging it into this one.

So python3 in Cauldron should have all of these fixed, but python (2.7) still needs fixed, as does Mageia 7.

Summary: python/python3 new security issues CVE-2019-9674 and CVE-2020-8492 => python/python3 new security issues CVE-2019-9674, CVE-2019-17514, CVE-2019-20907, CVE-2020-8492, CVE-2020-14422

Comment 9 David Walser 2020-07-29 22:55:29 CEST
*** Bug 26894 has been marked as a duplicate of this bug. ***

Blocks: 26894 => (none)

Comment 10 David GEIGER 2020-07-30 08:16:34 CEST
So CVE-2019-9674, CVE-2019-20907 and CVE-2020-8492 are now applied in python-2.7.18-2.mga8.

BPO-39603 and BPO-41288 seems not affect python 2.7
Comment 11 David Walser 2020-07-30 14:50:16 CEST
I added the fix for CVE-2019-17514 in python (2.7) and it looks like CVE-2020-14422 actually does not affect it.

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 12 David Walser 2020-10-13 21:04:50 CEST
Fedora has issued an advisory on October 5:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/

It fixes a new issue, CVE-2020-26116, in Python 2.  It's already fixed in python3 3.8.5 in Cauldron (but will need to be fixed in python3 in Mageia 7 as well).

Whiteboard: (none) => MGA7TOO
Summary: python/python3 new security issues CVE-2019-9674, CVE-2019-17514, CVE-2019-20907, CVE-2020-8492, CVE-2020-14422 => python/python3 new security issues CVE-2019-9674, CVE-2019-17514, CVE-2019-20907, CVE-2020-8492, CVE-2020-14422, CVE-2020-26116
Version: 7 => Cauldron

Comment 13 David Walser 2020-10-15 00:23:45 CEST
Ubuntu has issued an advisory for the new issue today (October 14):
https://ubuntu.com/security/notices/USN-4581-1
Comment 14 David Walser 2020-10-20 20:10:56 CEST
RedHat has issued an advisory for python2 today (October 20):
https://access.redhat.com/errata/RHSA-2020:4273
Comment 15 David Walser 2020-10-21 20:29:02 CEST
RedHat has issued an advisory for python3 on October 20:
https://access.redhat.com/errata/RHSA-2020:4299
Comment 16 David Walser 2020-11-04 15:07:44 CET
RedHat has issued an advisory for python3 on November 3:
https://access.redhat.com/errata/RHSA-2020:4433
Comment 17 David GEIGER 2020-11-20 08:58:48 CET
So CVE-2019-9674, CVE-2019-20907, CVE-2020-8492, CVE-2019-17514 and CVE-2020-26116 are now applied in python-2.7.18-1.1.mga7

And also CVE-2020-26116 now applied in python-2.7.18-5.mga8
Comment 18 David GEIGER 2020-11-20 09:32:10 CET
New python3-3.7.9-1.mga7 should also fix all security issues.
Comment 19 David Walser 2020-11-20 16:54:17 CET
Package list below.  Advisory to come later.

python-2.7.18-1.1.mga7
libpython2.7-2.7.18-1.1.mga7
libpython2.7-stdlib-2.7.18-1.1.mga7
libpython2.7-testsuite-2.7.18-1.1.mga7
libpython-devel-2.7.18-1.1.mga7
python-docs-2.7.18-1.1.mga7
tkinter-2.7.18-1.1.mga7
tkinter-apps-2.7.18-1.1.mga7
python3-3.7.9-1.mga7
libpython3.7-3.7.9-1.mga7
libpython3.7-stdlib-3.7.9-1.mga7
libpython3.7-testsuite-3.7.9-1.mga7
libpython3-devel-3.7.9-1.mga7
python3-docs-3.7.9-1.mga7
tkinter3-3.7.9-1.mga7
tkinter3-apps-3.7.9-1.mga7

from SRPMS:
python-2.7.18-1.1.mga7.src.rpm
python3-3.7.9-1.mga7.src.rpm

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: python => qa-bugs

Comment 20 David Walser 2020-11-20 17:05:07 CET
Advisory:
========================

Updated python and python3 packages fix security vulnerabilities:

It was discovered that incorrectly handled certain ZIP files. An attacker
could possibly use this issue to cause a denial of service (CVE-2019-9674).

It was discovered that Python documentation had a misleading information. A
security issue could be possibly caused by wrong assumptions of this
information (CVE-2019-17514).

It was discovered that Python incorrectly handled certain TAR archives. An
attacker could possibly use this issue to cause a denial of service
(CVE-2019-20907).

It was discovered that Python incorrectly handled certain HTTP requests. An
attacker could possibly use this issue to cause a denial of service
(CVE-2020-8492).

It was discovered that Python incorrectly handled certain IP values. An
attacker could possibly use this issue to cause a denial of service
(CVE-2020-14422).

It was discovered that Python incorrectly handled certain character sequences.
A remote attacker could possibly use this issue to perform CRLF injection
(CVE-2020-26116).

The CVE-2020-14422 issue only affected python3.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9674
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17514
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20907
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8492
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14422
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26116
https://ubuntu.com/security/notices/USN-4428-1
https://ubuntu.com/security/notices/USN-4333-1
https://ubuntu.com/security/notices/USN-4581-1
Comment 21 Herman Viaene 2020-11-23 11:50:23 CET
MGA7-64 MATE on Peaq C1011
Installation: I had to remove python2-numpy-f2py and python3-numpy-f2py, as these where blocking the installation of this lot (probably left-overs from other tests). But that could thus occur in "real life".
Continuing tests later.

CC: (none) => herman.viaene

Comment 22 Herman Viaene 2020-11-23 13:32:25 CET
Looked into the testsuite files and went for:
$ cd /usr/lib64/python2.7/test/
Many of those py-files doe not give any feedback when ruuning at the CLI, but some do:
$ python2 pystone.py
Pystone(1.1) time for 50000 passes = 1.61624
This machine benchmarks at 30936 pystones/second

$ python2 regrtest.py
== CPython 2.7.18 (default, Nov 20 2020, 06:51:30) [GCC 8.4.0]
==   Linux-5.7.19-desktop-3.mga7-x86_64-with-mageia-7-Official little-endian
==   /tmp/test_python_31973
== CPU count: 4
Run tests sequentially
0:00:00 load avg: 0.00 [  1/404] test_grammar
0:00:00 load avg: 0.00 [  2/404] test_opcodes
0:00:00 load avg: 0.00 [  3/404] test_dict
0:00:00 load avg: 0.00 [  4/404] test_builtin
0:00:00 load avg: 0.00 [  5/404] test_exceptions
0:00:01 load avg: 0.00 [  6/404] test_types
and that goes on and on.... Interrupted with CTRL-C and got:
== Tests result: INTERRUPTED ==

Test suite interrupted by signal SIGINT.
294 tests omitted:
    test_dircache test_dis test_distutils test_dl test_docxmlrpc
    test_dumbdbm test_dummy_thread test_dummy_threading test_email
and a long list ...., but finally
97 tests OK.

13 tests skipped:
    test_aepack test_al test_applesingle test_bsddb185 test_bsddb3
    test_cd test_cl test_codecmaps_cn test_codecmaps_hk
    test_codecmaps_jp test_codecmaps_kr test_codecmaps_tw test_curses
Those skips are all expected on linux2.

Total duration: 1 min 52 sec
Tests result: INTERRUPTED
Did one more
$ python2 sortperf.py
 i    2**i  *sort  \sort  /sort  3sort  +sort  %sort  ~sort  =sort  !sort
15   32768   0.03   0.00   0.00   0.00   0.00   0.01   0.01   0.00   0.01
16   65536   0.07   0.01   0.01   0.01   0.01   0.01   0.03   0.01   0.02
17  131072   0.16   0.02   0.02   0.02   0.02   0.03   0.06   0.02   0.04
18  262144   0.39   0.04   0.04   0.04   0.04   0.07   0.13   0.04   0.09
19  524288   0.88   0.09   0.08   0.09   0.09   0.14   0.27   0.08   0.18
20 1048576   1.96   0.18   0.18   0.18   0.18   0.30   0.56   0.17   0.37

No idea what it means, but at least it colmpletes normally.
Having a look at python3 now.
Comment 23 Herman Viaene 2020-11-23 13:56:59 CET
$ cd /usr/lib64/python3.7/test/

$ python3 final_a.py 
x = a
final_b.x = b
shutil.rmtree = rmtree
len = len
x = a
final_b.x = b
shutil.rmtree = rmtree
len = len
x = b
final_a.x = a
shutil.rmtree = rmtree
len = len
x = b
final_a.x = a
shutil.rmtree = rmtree
len = len
x = a
final_b.x = b
shutil.rmtree = rmtree
len = len
x = a
final_b.x = b
shutil.rmtree = rmtree
len = len

$ python3 regrtest.py 
== CPython 3.7.9 (default, Nov 20 2020, 08:02:31) [GCC 8.4.0]
== Linux-5.7.19-desktop-3.mga7-x86_64-with-mageia-7-Official little-endian
== cwd: /tmp/test_python_960
== CPU count: 4
== encodings: locale=UTF-8, FS=utf-8
0:00:00 load avg: 0.71 Run tests sequentially
0:00:00 load avg: 0.71 [  1/416] test_grammar
0:00:00 load avg: 0.71 [  2/416] test_opcodes
0:00:00 load avg: 0.71 [  3/416] test_dict
0:00:01 load avg: 0.71 [  4/416] test_builtin
0:00:02 load avg: 0.71 [  5/416] test_exceptions
0:00:05 load avg: 0.73 [  6/416] test_types
0:00:05 load avg: 0.73 [  7/416] test_unittest
0:00:14 load avg: 0.85 [  8/416] test_doctest
**********************************************************************
File "/usr/lib64/python3.7/test/test_doctest.py", line 2237, in test.test_doctest.test_DocFileSuite
Failed example:
    suite = doctest.DocFileSuite('test_doctest.txt',
                                 'test_doctest2.txt',
                                 'test_doctest4.txt',
                                 package='test')
and some more, stopped again with CTRL-C and get at the end
8 tests OK.

2 tests failed:
    test_doctest test_support

Total duration: 20.6 sec
Tests result: FAILURE, INTERRUPTED

$ python3 test_abc.py 
................................................
----------------------------------------------------------------------
Ran 48 tests in 0.044s

OK

$ python3 test_abstract_numbers.py
...
----------------------------------------------------------------------
Ran 3 tests in 0.002s

OK

$ python3 sortperf.py 
 i    2**i  *sort  \sort  /sort  3sort  +sort  %sort  ~sort  =sort  !sort
15   32768   0.01   0.00   0.00   0.00   0.00   0.00   0.01   0.00   0.00 
16   65536   0.03   0.01   0.01   0.01   0.01   0.01   0.01   0.00   0.00 
17  131072   0.08   0.01   0.01   0.02   0.01   0.02   0.02   0.00   0.01 
18  262144   0.19   0.03   0.03   0.03   0.03   0.05   0.04   0.01   0.01 
19  524288   0.45   0.06   0.06   0.06   0.06   0.10   0.08   0.01   0.02 
20 1048576   1.05   0.13   0.12   0.13   0.13   0.21   0.16   0.02   0.04 

I guess even with the failures, the thing is working quite well, but I wonder whether  we can let this go as is with the installation issue I found.

Note You need to log in before you can comment on or make changes to this bug.