Bug 26273 - pycharm-community new security issue CVE-2019-14958
Summary: pycharm-community new security issue CVE-2019-14958
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal; Severity: major
Target Milestone: ---
Assignee: Stig-Ørjan Smelror
QA Contact: Sec team
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-29 01:16 CET by Kristoffer Grundström
Modified: 2021-07-01 18:22 CEST

See Also:
Source RPM: pycharm-community-2019.1.1-2.mga7.src.rpm
CVE: CVE-2019-14958
Status comment: Fixed upstream in 2019.2, needs to be built from source rather than shipping pre-built binaries


Attachments
New spec file for pycharm-community (6.34 KB, text/plain)
2020-02-29 01:17 CET, Kristoffer Grundström
Here's the whole building procedure and the warnings/errors (18.19 KB, text/plain)
2020-02-29 01:18 CET, Kristoffer Grundström
Build log for 2020.3 (18.52 KB, application/x-troff-man)
2020-12-20 08:09 CET, Kristoffer Grundström

Description Kristoffer Grundström 2020-02-29 01:16:58 CET
Description of problem: I took the liberty of updating this wonderful package. I installed it OK, started it OK, and even though I have some minor difficulties getting the R interpreter working when the GUI is up, I feel that it's safe to update it.

Version-Release number of selected component (if applicable): 2019.3.3
Comment 1 Kristoffer Grundström 2020-02-29 01:17:29 CET
Created attachment 11524
New spec file for pycharm-community

CC: (none) => hamnisdude

Comment 2 Kristoffer Grundström 2020-02-29 01:18:21 CET
Created attachment 11525
Here's the whole building procedure and the warnings/errors
Comment 3 Kristoffer Grundström 2020-02-29 01:20:52 CET
The plugin versions need to be updated as well.

When it comes to Revision in the changelog and Build ID numbers I didn't know what to type.
Comment 4 Kristoffer Grundström 2020-02-29 12:29:02 CET
Here's what's new in this version:

Interactive widgets for Jupyter notebooks, MongoDB support, and code assistance for all Python 3.8 features are here.
Comment 5 Lewis Smith 2020-02-29 20:30:40 CET
Thank you for notifying the more recent package (2019.3.3); and for all your preparatory work. I am not sure how this stands with our 'version' policy:
 https://wiki.mageia.org/en/Updates_policy#Version_Policy
We do provide new versions per se as updates if they are backward compatible and do not introduce any compatibility problems; more importantly, if they incorporate bug fixes.

Up to the packager to decide whether to do this at all (but why not?); and as an update to our latest version, or a backport.

 https://www.jetbrains.com/pycharm/whatsnew/
Please note that features marked PRO ONLY are supported only in PyCharm Professional Edition [that is, *not* this community one]:
 Jupyter PRO ONLY
 Database Support PRO ONLY
 Web development PRO ONLY
which does not deride the many 'community' improvements noted there; and presumably others accumulated since our version 2019.1.1.
I found no mention of bug fixes, but there must be some!

Assigning to Stig as the active maintainer. Please re-assign if this displeases.

Assignee: bugsquad => smelror
Source RPM: pycharm-community => pycharm-community-2019.1.1-2.mga7.src.rpm

Comment 6 Zombie Ryushu 2020-12-19 19:35:23 CET
JetBrains PyCharm before 2019.2 was allocating a buffer of unknown size for one of the connection processes. In a very specific situation, it could lead to a remote invocation of an OOM error message because of Uncontrolled Memory Allocation.

CVE: (none) => CVE-2019-14958
QA Contact: (none) => security
CC: (none) => zombie_ryushu
Component: RPM Packages => Security

Zombie Ryushu 2020-12-19 19:35:35 CET

URL: (none) => https://nvd.nist.gov/vuln/detail/CVE-2019-14958

Comment 7 David Walser 2020-12-19 20:17:43 CET
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14958

Severity: normal => major
Summary: Update pycharm-community to latest release => pycharm-community new security issue CVE-2019-14958
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=23645
CC: (none) => mageia

Comment 8 Kristoffer Grundström 2020-12-20 08:09:33 CET
Created attachment 12123
Build log for 2020.3

Attachment 11525 is obsolete: 0 => 1

David Walser 2020-12-28 18:31:27 CET

Status comment: (none) => Fixed upstream in 2019.2, needs to be built from source rather than shipping pre-built binaries

Comment 9 David Walser 2021-07-01 18:22:00 CEST
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Resolution: (none) => OLD
Status: NEW => RESOLVED

