openSUSE has issued an advisory on May 1: https://lists.opensuse.org/opensuse-updates/2020-05/msg00001.html
Mystery. I can find no sign of this. The maintainer DB has:
python-typed-ast shlomif
python-typed_ast kekepower
but looking for them with
http://svnweb.mageia.org/packages/cauldron/python-typed-ast/current/?view=log
http://svnweb.mageia.org/packages/cauldron/python-typed_ast/current/?view=log
gives
Unknown location: /cauldron/python-typed-ast/current
Unknown location: /cauldron/python-typed_ast/current
and I confirmed with another near SRPM name that the system was working OK. And
$ urpmq -i python-typed-ast
$ urpmq -i python-typed_ast
show nothing. Nor do
$ urpmf python-typed-ast
$ urpmf python-typed_ast
Over to you! Perhaps there is a simple explanation.
CC: (none) => lewyssmith
Removed from cauldron with: "Not needed with python >= 3.8"
http://svnweb.mageia.org/packages/obsolete/python-typed-ast/
so it's a mga7-only thing:
http://svnweb.mageia.org/packages/updates/7/python-typed-ast/
CC: (none) => tmb
(In reply to Thomas Backlund from comment #2)
Thanks Thomas.
> Removed from cauldron with: "Not needed with python >= 3.8"
> http://svnweb.mageia.org/packages/obsolete/python-typed-ast/
I half suspected something like this.
> so it's a mga7-only thing:
But the urpmq and urpmf commands I tried (comment 1) *were* for Mageia 7 only. I have no Cauldron repo enabled. And rpmdrake (with its super searching) shows nothing for 'python-typed'.
Yeah, for python there is python vs python3 naming... So srpm is python-typed-ast, but rpm is python3-typed-ast
A quick find is to use only part of the name with fuzzy search:
$ urpmq -y typed-ast
python3-typed-ast
Yeah I missed this initially since it isn't in Cauldron.
Assignee: bugsquad => shlomif
(In reply to Thomas Backlund from comment #5)
> A quick find is to use only part of the name with fuzzy search:
> $ urpmq -y typed-ast
> python3-typed-ast
Once again, thanks for this info. I expect to use it a lot! That string would, of course, have worked with rpmdrake. Thanks David for assigning it - I was just about to!
Advisory:
This update fixes CVE-2019-19274 and CVE-2019-19275
Fix two out-of-bounds array reads (GH-12641)
References:
https://github.com/python/typed_ast/commit/dc317ac9cff859aa84eeabe03fb5004982545b3b
rpms:
python3-typed-ast-1.3.1-1.1.mga7
from:
python-typed-ast-1.3.1-1.1.mga7
CC: (none) => mageia
Assignee: shlomif => qa-bugs
Advisory:
========================
Updated python-typed-ast package fixes security vulnerabilities:

typed_ast 1.3.0 and 1.3.1 has a handle_keywordonly_args out-of-bounds read. An attacker with the ability to cause a Python interpreter to parse Python source (but not necessarily execute it) may be able to crash the interpreter process. This could be a concern, for example, in a web-based service that parses (but does not execute) Python code (CVE-2019-19274).

typed_ast 1.3.0 and 1.3.1 has an ast_for_arguments out-of-bounds read. An attacker with the ability to cause a Python interpreter to parse Python source (but not necessarily execute it) may be able to crash the interpreter process. This could be a concern, for example, in a web-based service that parses (but does not execute) Python code (CVE-2019-19275).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19274
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19275
https://lists.opensuse.org/opensuse-updates/2020-05/msg00001.html
CC: lewyssmith => (none)
MGA7-64 Plasma on Lenovo B50
No installation issues. No previous update to refer to.
# urpmq --whatrequires python3-typed-ast
python3-astroid
python3-mypy
python3-typed-ast
That isn't much help
# urpmq --whatrequires-recursive python3-typed-ast
python3-astroid
python3-mypy
python3-pylint
python3-typed-ast
spyder
spyder-autopep8
syntastic-python
Spyder is according to MCC "Scientific Python Development Environment" and syntastic-python a "syntax checker for python". That's all beyond me. Clean install is all I can say.
CC: (none) => herman.viaene
@Herman, replying to comment 10: Just taking a look at the CVEs to see if there is anything we can do to test the issues. Noting that address sanitization is involved, so this may come to nothing.
CC: (none) => tarazed25
mga7, x86_64
Before update:
CVE-2019-19274 https://bugs.python.org/issue36495
The prescription there involves a rebuild with clang and ASAN. Simply running the test commands returned nothing, rather than the expected ABORTs. (I do not understand the -c arguments.)
$ python3 -c 'def foo(f, *args, kw=None): pass'
$ python3 -c 'def foo(f, **kws): pass'
And valgrind does not find anything. So pursuing the PoC path is not fruitful. Back to you Herman.
Clean install it is then.
Whiteboard: (none) => MGA7-64-OK
Running spyder is probably the best way to test this bug. $ spyder3 examples_tkvlc.py generated a fullscreen gui workspace with the code listed in one panel. Another panel provides tutorial help. Looks like this might take some time. Leaving Herman's OK in place.
Updated and ran spyder3 against examples_tkvlc.py. The interface is functional. An evaluation of the code returned messages related to coding conventions (nitpicking), refactoring (2), 8 warnings and 4 errors (related to importing packages). It all looks good.
Backed out and ran it under trace and exercised a few functions including the tutorial. Run failed as expected because modules like vlc could not be found. Ran the static code evaluation again.
$ grep typed_ast spyder.trace
stat("/usr/lib64/python3.7/site-packages/typed_ast-1.3.1-py3.7.egg-info", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
openat(AT_FDCWD, "/usr/lib64/python3.7/site-packages/typed_ast-1.3.1-py3.7.egg-info", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 16
stat("/usr/lib64/python3.7/site-packages/typed_ast-1.3.1-py3.7.egg-info/PKG-INFO", {st_mode=S_IFREG|0644, st_size=1277, ...}) = 0
openat(AT_FDCWD, "/usr/lib64/python3.7/site-packages/typed_ast-1.3.1-py3.7.egg-info/PKG-INFO", O_RDONLY|O_CLOEXEC) = 16
stat("/usr/lib64/python3.7/site-packages/typed_ast-1.3.1-py3.7.egg-info/namespace_packages.txt", 0x7fff1e8d86d0) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/python3.7/site-packages/typed_ast-1.3.1-py3.7.egg-info", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
openat(AT_FDCWD, "/usr/lib64/python3.7/site-packages/typed_ast-1.3.1-py3.7.egg-info", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 16
stat("/usr/lib64/python3.7/site-packages/typed_ast-1.3.1-py3.7.egg-info/PKG-INFO", {st_mode=S_IFREG|0644, st_size=1277, ...}) = 0
openat(AT_FDCWD, "/usr/lib64/python3.7/site-packages/typed_ast-1.3.1-py3.7.egg-info/PKG-INFO", O_RDONLY|O_CLOEXEC) = 16
So that confirms that the package under test is being used.
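As an added illustration (not part of the bug report), a small parser for the kind of strace output grepped in the comment above, so the "is the package under test actually being used" check can be scripted rather than eyeballed. The sample trace is constructed from the lines in that comment plus one assumed openat of a typed_ast module file; it separates successful opens from metadata probes and pulls the upstream version out of the egg-info name.

```python
import re

# Constructed sample trace, modelled on `grep typed_ast spyder.trace` above.
# The final openat line is an assumption: a module file being loaded, not only
# the egg-info metadata that pkg_resources scans on every dist it finds.
SAMPLE_TRACE = """\
stat("/usr/lib64/python3.7/site-packages/typed_ast-1.3.1-py3.7.egg-info", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
openat(AT_FDCWD, "/usr/lib64/python3.7/site-packages/typed_ast-1.3.1-py3.7.egg-info", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 16
stat("/usr/lib64/python3.7/site-packages/typed_ast-1.3.1-py3.7.egg-info/PKG-INFO", {st_mode=S_IFREG|0644, st_size=1277, ...}) = 0
openat(AT_FDCWD, "/usr/lib64/python3.7/site-packages/typed_ast-1.3.1-py3.7.egg-info/PKG-INFO", O_RDONLY|O_CLOEXEC) = 16
stat("/usr/lib64/python3.7/site-packages/typed_ast-1.3.1-py3.7.egg-info/namespace_packages.txt", 0x7fff1e8d86d0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/python3.7/site-packages/typed_ast/ast3.py", O_RDONLY|O_CLOEXEC) = 17
"""

# syscall( [AT_FDCWD,] "path" ...) = retval   -- enough for stat/openat lines
SYSCALL_RE = re.compile(r'(\w+)\((?:AT_FDCWD, )?"([^"]+)"[^)]*\) = (-?\d+)')
# typed_ast-<version>-py<pyver>.egg-info
EGG_RE = re.compile(r'typed_ast-(\d+(?:\.\d+)*)-py[\d.]+\.egg-info')


def parse_trace(text):
    """Yield (syscall, path, retval) for every strace line that names a file path."""
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def typed_ast_files_loaded(text):
    """Paths under the typed_ast distribution that were actually opened (fd >= 0).

    A failed stat() (retval -1) is only a probe and is deliberately excluded."""
    return sorted({path for sc, path, rv in parse_trace(text)
                   if sc == "openat" and rv >= 0 and "typed_ast" in path})


def typed_ast_dist_version(text):
    """Upstream version from the egg-info directory name, or None if never touched."""
    for _, path, _ in parse_trace(text):
        m = EGG_RE.search(path)
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    print("typed_ast version seen:", typed_ast_dist_version(SAMPLE_TRACE))
    for p in typed_ast_files_loaded(SAMPLE_TRACE):
        print("opened:", p)
```

Note that the backported fix keeps the upstream version at 1.3.1, so the egg-info name cannot distinguish the patched python3-typed-ast-1.3.1-1.1.mga7 from the unpatched build; the release field from `rpm -q python3-typed-ast` is what tells them apart.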
When you two collaborate to test an update, it's a thing of beauty. Validating. Advisory in Comment 9.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0249.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED