Bug 26590 - python-typed-ast new security issues CVE-2019-19274 and CVE-2019-19275
Summary: python-typed-ast new security issues CVE-2019-19274 and CVE-2019-19275
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2020-05-05 02:46 CEST by David Walser
Modified: 2020-05-31 15:32 CEST
CC List: 6 users

See Also:
Source RPM: python-typed-ast-1.3.1-1.mga7.src
CVE:
Status comment:



Description David Walser 2020-05-05 02:46:59 CEST
openSUSE has issued an advisory on May 1:
https://lists.opensuse.org/opensuse-updates/2020-05/msg00001.html
Comment 1 Lewis Smith 2020-05-05 09:13:19 CEST
Mystery. I can find no sign of this.
The maintainer DB has:
 python-typed-ast shlomif
 python-typed_ast kekepower
but looking for them with
 http://svnweb.mageia.org/packages/cauldron/python-typed-ast/current/?view=log
 http://svnweb.mageia.org/packages/cauldron/python-typed_ast/current/?view=log
gives
 Unknown location: /cauldron/python-typed-ast/current
 Unknown location: /cauldron/python-typed_ast/current
and I confirmed with another near SRPM name that the system was working OK.
And
 $ urpmq -i python-typed-ast
 $ urpmq -i python-typed_ast
show nothing. Nor do
 $ urpmf python-typed-ast
 $ urpmf python-typed_ast

Over to you! Perhaps there is a simple explanation.

CC: (none) => lewyssmith

Comment 2 Thomas Backlund 2020-05-05 09:26:35 CEST
Removed from cauldron with: "Not needed with python >= 3.8"
http://svnweb.mageia.org/packages/obsolete/python-typed-ast/


so it's a mga7-only thing:
http://svnweb.mageia.org/packages/updates/7/python-typed-ast/

CC: (none) => tmb

Comment 3 Lewis Smith 2020-05-05 09:52:18 CEST
(In reply to Thomas Backlund from comment #2)
Thanks Thomas.
> Removed from cauldron with: "Not needed with python >= 3.8"
> http://svnweb.mageia.org/packages/obsolete/python-typed-ast/
I half suspected something like this.

> so it's a mga7-only thing:
But the urpmq and urpmf commands I tried (comment 1) *were* for Mageia 7 only. I have no Cauldron repo enabled. And rpmdrake (with its super searching) shows nothing for 'python-typed'.
Comment 4 Thomas Backlund 2020-05-05 10:34:09 CEST
Yeah,
for python there is python vs python3 naming...

So srpm is python-typed-ast, but rpm is python3-typed-ast
Comment 5 Thomas Backlund 2020-05-05 10:35:23 CEST
A quick find is to use only part of the name with fuzzy search:

$ urpmq -y typed-ast
python3-typed-ast
Comment 6 David Walser 2020-05-05 14:29:14 CEST
Yeah I missed this initially since it isn't in Cauldron.

Assignee: bugsquad => shlomif

Comment 7 Lewis Smith 2020-05-05 21:03:22 CEST
(In reply to Thomas Backlund from comment #5)
> A quick find is to use only part of the name with fuzzy search:
> $ urpmq -y typed-ast
> python3-typed-ast
Once again, thanks for this info. I expect to use it a lot! That string would, of course, have worked with rpmdrake.
Thanks David for assigning it - I was just about to!
Comment 8 Nicolas Lécureuil 2020-05-22 22:58:14 CEST
Advisory:
This update fixes CVE-2019-19274 and CVE-2019-19275
Fix two out-of-bounds array reads (GH-12641)

References:
https://github.com/python/typed_ast/commit/dc317ac9cff859aa84eeabe03fb5004982545b3b

rpms:
python3-typed-ast-1.3.1-1.1.mga7

from:
python-typed-ast-1.3.1-1.1.mga7

Assignee: shlomif => qa-bugs
CC: (none) => mageia

Comment 9 David Walser 2020-05-22 23:20:29 CEST
Advisory:
========================

Updated python-typed-ast package fixes security vulnerabilities:

typed_ast 1.3.0 and 1.3.1 has a handle_keywordonly_args out-of-bounds read. An
attacker with the ability to cause a Python interpreter to parse Python source
(but not necessarily execute it) may be able to crash the interpreter process.
This could be a concern, for example, in a web-based service that parses (but
does not execute) Python code (CVE-2019-19274).

typed_ast 1.3.0 and 1.3.1 has an ast_for_arguments out-of-bounds read. An
attacker with the ability to cause a Python interpreter to parse Python source
(but not necessarily execute it) may be able to crash the interpreter process.
This could be a concern, for example, in a web-based service that parses (but
does not execute) Python code (CVE-2019-19275).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19274
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19275
https://lists.opensuse.org/opensuse-updates/2020-05/msg00001.html
Lewis Smith 2020-05-23 14:14:07 CEST

CC: lewyssmith => (none)

Comment 10 Herman Viaene 2020-05-24 14:15:30 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
No previous update to refer to.
# urpmq --whatrequires python3-typed-ast
python3-astroid
python3-mypy
python3-typed-ast
That isn't much help.

# urpmq --whatrequires-recursive python3-typed-ast
python3-astroid
python3-mypy
python3-pylint
python3-typed-ast
spyder
spyder-autopep8
syntastic-python

Spyder is, according to MCC, "Scientific Python Development Environment" and syntastic-python a "syntax checker for python".
That's all beyond me. Clean install is all I can say.

CC: (none) => herman.viaene

Comment 11 Len Lawrence 2020-05-31 08:25:32 CEST
@Herman, replying to comment 10:

Just taking a look at the CVEs to see if there is anything we can do to test the issues.  Noting that address sanitization is involved, so this may come to nothing.

CC: (none) => tarazed25

Comment 12 Len Lawrence 2020-05-31 09:14:19 CEST
mga7, x86_64

Before update:

CVE-2019-19274
https://bugs.python.org/issue36495
The prescription there involves a rebuild with clang and ASAN.
Simply running the test commands returned nothing, rather than the expected ABORTs.  (I do not understand the -c arguments.)
$ python3 -c 'def foo(f, *args, kw=None): pass'
$ python3 -c 'def foo(f, **kws): pass'
And valgrind does not find anything.

So pursuing the PoC path is not fruitful.
Back to you Herman.
Comment 13 Herman Viaene 2020-05-31 09:32:16 CEST
Clean install it is then.

Whiteboard: (none) => MGA7-64-OK

Comment 14 Len Lawrence 2020-05-31 09:37:58 CEST
Running spyder is probably the best way to test this bug.  

$ spyder3 examples_tkvlc.py
generated a fullscreen gui workspace with the code listed in one panel.  Another panel provides tutorial help.  Looks like this might take some time.

Leaving Herman's OK in place.
Comment 15 Len Lawrence 2020-05-31 11:59:36 CEST
Updated and ran spyder3 against examples_tkvlc.py.
The interface is functional.  An evaluation of the code returned messages related to coding conventions (nitpicking), refactoring (2), 8 warnings and 4 errors (related to importing packages).  It all looks good.

Backed out and ran it under trace and exercised a few functions including the tutorial. The run failed as expected because modules like vlc could not be found. Ran the static code evaluation again.

$ grep typed_ast spyder.trace
stat("/usr/lib64/python3.7/site-packages/typed_ast-1.3.1-py3.7.egg-info", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
openat(AT_FDCWD, "/usr/lib64/python3.7/site-packages/typed_ast-1.3.1-py3.7.egg-info", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 16
stat("/usr/lib64/python3.7/site-packages/typed_ast-1.3.1-py3.7.egg-info/PKG-INFO", {st_mode=S_IFREG|0644, st_size=1277, ...}) = 0
openat(AT_FDCWD, "/usr/lib64/python3.7/site-packages/typed_ast-1.3.1-py3.7.egg-info/PKG-INFO", O_RDONLY|O_CLOEXEC) = 16
stat("/usr/lib64/python3.7/site-packages/typed_ast-1.3.1-py3.7.egg-info/namespace_packages.txt", 0x7fff1e8d86d0) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/python3.7/site-packages/typed_ast-1.3.1-py3.7.egg-info", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
openat(AT_FDCWD, "/usr/lib64/python3.7/site-packages/typed_ast-1.3.1-py3.7.egg-info", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 16
stat("/usr/lib64/python3.7/site-packages/typed_ast-1.3.1-py3.7.egg-info/PKG-INFO", {st_mode=S_IFREG|0644, st_size=1277, ...}) = 0
openat(AT_FDCWD, "/usr/lib64/python3.7/site-packages/typed_ast-1.3.1-py3.7.egg-info/PKG-INFO", O_RDONLY|O_CLOEXEC) = 16

So that confirms that the package under test is being used.
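Added example (not code from this bug, from Mageia, or from the typed_ast project) covering the PoC attempt in comment 12 and the "which package is loaded" check in comment 15. Two things explain why the commands in comment 12 returned nothing: `python3 -c '<source>'` hands the source to CPython's own parser, so the typed_ast copy of ast_for_arguments() and handle_keywordonly_args() never runs, and an out-of-bounds read only produces the ABORT from bpo-36495 when the extension is built with ASAN; on a normal build it is silent. The harness below feeds the same two inputs to typed_ast.ast3.parse() in a child process, so a crash or sanitizer abort shows up as a non-zero exit code instead of killing the harness, and reports which parser module was actually imported. It assumes typed_ast is importable and falls back to the stdlib ast module when it is not (an assumption made so the script runs anywhere; a 0 exit in the fallback says nothing about typed_ast).

```python
"""Drive typed_ast's parser with the bpo-36495 inputs, isolated per input.

Added example for this bug report; falls back to the stdlib `ast` parser
when typed_ast is not installed (assumption, so the harness runs anywhere).
"""
import subprocess
import sys

# Inputs quoted from comment 12 (bugs.python.org/issue36495). Both pass
# through ast_for_arguments(); the first also reaches handle_keywordonly_args().
CVE_INPUTS = {
    "CVE-2019-19274": "def foo(f, *args, kw=None): pass",
    "CVE-2019-19275": "def foo(f, **kws): pass",
}

# Program executed in the child interpreter.  The source under test arrives
# as argv[1] (with `python -c`, sys.argv[0] is "-c"), so it is parsed by
# typed_ast.ast3.parse() rather than by CPython's own parser.
CHILD_PROGRAM = r"""
import sys
try:
    from typed_ast import ast3 as parser
except ImportError:          # assumption: stdlib fallback so the child still runs
    import ast as parser
tree = parser.parse(sys.argv[1])
fn = tree.body[0]
# Module name, function name, number of keyword-only args, whether **kwargs is present.
print(parser.__name__, fn.name, len(fn.args.kwonlyargs), fn.args.kwarg is not None)
"""


def describe_parser():
    """Return which module will do the parsing and where it was loaded from.

    This answers the same question as the strace in comment 15: is the
    package under test the one actually imported?
    """
    try:
        from typed_ast import ast3 as parser
    except ImportError:
        import ast as parser
    return {"module": parser.__name__, "file": getattr(parser, "__file__", None)}


def parse_isolated(source, timeout=30):
    """Parse `source` in a fresh interpreter; return (exit_code, stdout, stderr).

    Exit code 0 means the parser returned normally.  A negative code is the
    signal that ended the child (-6 for SIGABRT from a sanitizer report,
    -11 for SIGSEGV).  A silent out-of-bounds read on a non-ASAN build still
    exits 0, which is why a plain build shows nothing for these CVEs.
    """
    proc = subprocess.run(
        [sys.executable, "-c", CHILD_PROGRAM, source],
        capture_output=True, text=True, timeout=timeout,
    )
    return proc.returncode, proc.stdout.strip(), proc.stderr.strip()


def run_cve_inputs():
    """Return {cve_id: exit_code} for every input in CVE_INPUTS."""
    return {cve: parse_isolated(src)[0] for cve, src in CVE_INPUTS.items()}


if __name__ == "__main__":
    print("parser:", describe_parser())
    for cve, src in CVE_INPUTS.items():
        code, out, err = parse_isolated(src)
        status = "ok" if code == 0 else "exit %d" % code
        print("%s: %s  %s" % (cve, status, out or err))
```

To reproduce the ABORT the bpo issue describes, run this against a typed_ast 1.3.0 or 1.3.1 extension rebuilt with clang and -fsanitize=address (as comment 12 notes, that rebuild is the prescribed step); against python3-typed-ast-1.3.1-1.1.mga7 the same inputs should exit 0 under ASAN as well. The per-input child process is also the pattern a service that parses untrusted Python should use in production: a parser crash then costs one worker, not the whole process.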
Comment 16 Thomas Andrews 2020-05-31 15:32:48 CEST
When you two collaborate to test an update, it's a thing of beauty.

Validating. Advisory in Comment 9.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

