Bug 27868 - python3 new security issue CVE-2020-27619
Summary: python3 new security issue CVE-2020-27619
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-12-18 20:20 CET by David Walser
Modified: 2020-12-29 12:58 CET (History)
5 users

See Also:
Source RPM: python3-3.7.9-1.mga7.src.rpm
CVE: CVE-2020-27619
Status comment:


Attachments

Description David Walser 2020-12-18 20:20:00 CET
SUSE has issued an advisory on December 17:
https://lists.suse.com/pipermail/sle-security-updates/2020-December/008081.html

Mageia 7 is also affected.
David Walser 2020-12-18 20:36:03 CET

Whiteboard: (none) => MGA7TOO
Assignee: bugsquad => python

Comment 1 Nicolas Lécureuil 2020-12-24 09:40:05 CET
Fixed already in the latest python 3.8 from cauldron  ( the fixed commit is https://github.com/python/cpython/commit/6c6c256df3636ff6f6136820afaefa5a10a3ac33 )

Version: Cauldron => 7
CC: (none) => mageia
Whiteboard: MGA7TOO => (none)

Comment 2 Nicolas Lécureuil 2020-12-24 09:55:45 CET
Fix pushed in updates_testing:

src:
python3-3.7.9-1.1.mga7

Assignee: python => qa-bugs

Comment 3 David Walser 2020-12-24 16:13:51 CET
Advisory:
========================

Updated python3 packages fix security vulnerability:

In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec
tests call eval() on content retrieved via HTTP (CVE-2020-27619).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27619
https://lists.suse.com/pipermail/sle-security-updates/2020-December/008081.html
========================

Updated packages in core/updates_testing:
========================
python3-3.7.9-1.1.mga7
libpython3.7-3.7.9-1.1.mga7
libpython3.7-stdlib-3.7.9-1.1.mga7
libpython3.7-testsuite-3.7.9-1.1.mga7
libpython3-devel-3.7.9-1.1.mga7
python3-docs-3.7.9-1.1.mga7
tkinter3-3.7.9-1.1.mga7
tkinter3-apps-3.7.9-1.1.mga7

from python3-3.7.9-1.1.mga7.src.rpm
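The advisory above describes the flaw in one sentence: a test helper fetches a CJK mapping table over plain HTTP and pushes each column through eval(), so whoever can tamper with that response gets code execution in the test process. The following is an added example, not code from CPython, from the Mageia package or from any commenter on this bug. It reproduces the shape of that helper (a vulnerable parser beside a hardened one that parses the hex literals with int(x, 16), which to my recollection is also the replacement the upstream commit linked in comment 1 makes). The mapping table, the tampered line and the names SAMPLE_TABLE, TAMPERED_LINE, SIDE_EFFECT, parse_vulnerable, parse_hardened and demo are all constructed for this illustration.

```python
"""CVE-2020-27619 in miniature: eval() on an HTTP-fetched mapping table.

Added example, not CPython or Mageia code. It mimics the shape of the
helper in Lib/test/multibytecodec_support.py: each line of a Unicode CJK
mapping table is "<charset code> <unicode code[+code...]> # comment".
"""

# Constructed stand-in for a table that the real test downloads over HTTP.
SAMPLE_TABLE = """\
# Constructed sample in the shape of the Unicode CJK mapping tables
0x8140\t0x4E00\t# CJK UNIFIED IDEOGRAPH-4E00
0x8141\t0x4E01+0x0300\t# ideograph followed by a combining mark
"""

# A line an on-path attacker could splice into the unauthenticated HTTP
# response. The payload is deliberately benign: it records that it ran and
# then evaluates to 0x41, so the vulnerable parser happily stores chr(0x41).
SIDE_EFFECT = []
TAMPERED_LINE = "0x8142\t(SIDE_EFFECT.append('executed'),0x41)[1]\n"


def _columns(line):
    """Return the two data columns of a table line, or None for comment,
    blank or malformed lines (same splitting as the CPython helper)."""
    data = line.split('#')[0].strip().split()
    return data if len(data) == 2 else None


def parse_vulnerable(text):
    """Pre-fix shape: both columns go through eval(), so the downloaded
    table is effectively a script run with the test's privileges."""
    unichrs = lambda s: ''.join(map(chr, map(eval, s.split('+'))))
    mapping = {}
    for line in text.splitlines():
        data = _columns(line)
        if data is None:
            continue
        mapping[eval(data[0])] = unichrs(data[1])
    return mapping


def parse_hardened(text):
    """Post-fix shape: the columns are hex literals, so parse them as hex.
    int(x, 16) accepts the 0x prefix and raises ValueError on anything
    else, so a tampered line fails the test instead of being executed."""
    def unichrs(s):
        return ''.join(chr(int(x, 16)) for x in s.split('+'))
    mapping = {}
    for line in text.splitlines():
        data = _columns(line)
        if data is None:
            continue
        mapping[int(data[0], 16)] = unichrs(data[1])
    return mapping


def demo():
    """Feed the tampered table to both parsers.

    Returns (payload_ran_under_eval, tampered_line_rejected_by_int, vulnerable_result).
    """
    tampered = SAMPLE_TABLE + TAMPERED_LINE
    SIDE_EFFECT.clear()
    vulnerable_result = parse_vulnerable(tampered)
    payload_ran = SIDE_EFFECT == ['executed']
    try:
        parse_hardened(tampered)
        rejected = False
    except ValueError:
        rejected = True
    return payload_ran, rejected, vulnerable_result


if __name__ == "__main__":
    ran, rejected, result = demo()
    print("eval() parser executed the injected payload:", ran)
    print("int(x, 16) parser rejected the tampered line:", rejected)
    print("entry the eval() parser stored for 0x8142:", repr(result[0x8142]))
```

The check a packager wants here is simple: the patched test suite must still parse the legitimate lines identically (both parsers agree on SAMPLE_TABLE), while anything that is not a hex literal now raises rather than runs. Note that the fix does not make the HTTP download trustworthy; it only removes the code-execution sink, which is why the affected file is the test suite and the shipped interpreter itself is not changed in behaviour.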
Comment 4 Len Lawrence 2020-12-28 11:33:38 CET
mga7, x64

Updated all the packages via MageiaUpdate after trying smem.
$ urpmq --requires smem
python3
python3dist(matplotlib)

$ smem -u --pie=user lcl
That produced a piechart showing that lcl was using 6.29% of memory.

Simple scripts work:
$ python3 fibonacci.py
Fibonacci series for first 13 terms
0, 1, 1, 2, 3, 5, 8, 13, 21, 34, 55, 89, 144, 233
The tenth term is 34
[0, 1, 1, 2, 3, 5, 8, 13, 21, 34]
$ python3 sieve.py
q = 2
q = 3
q = 5
[...]
q = 281
q = 283
q = 293
$ python3 button.py
<Created a simple gui with two buttons which produced simple results>

Interactive python3 works.
$ python3
Python 3.7.9 (default, Dec 24 2020, 09:00:40) 
[GCC 8.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import itertools

def fib( n ):
    a, b = 0, 1
    for i in range( n ):
        a, b = b, a + b
    return a
..........................
a = fiblist( 13 )
print( "Fibonacci series for first 13 terms" ) 
>>> print( str( a ).strip( '[]' ) )
0, 1, 1, 2, 3, 5, 8, 13, 21, 34, 55, 89, 144, 233
>>> print( "The tenth term is %d" % a[9] )
The tenth term is 34
>>> print( list( itertools.islice( fibo( ), 10 ) ) )
[0, 1, 1, 2, 3, 5, 8, 13, 21, 34]
>>> exit( )
$

$ ll /usr/bin/python3
lrwxrwxrwx 1 root root 9 Dec 24 09:01 /usr/bin/python3 -> python3.7*
$ urpmq --whatrequires python3 | sort -u | wc -l
65

This is probably all we need to do for this.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 5 Thomas Andrews 2020-12-28 22:05:10 CET
Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 6 Aurelien Oudelet 2020-12-29 11:01:25 CET
Advisory pushed to SVN.

Keywords: (none) => advisory
CVE: (none) => CVE-2020-27619
CC: (none) => ouaurelien
Source RPM: python3-3.8.6-1.mga8.src.rpm => python3-3.7.9-1.mga7.src.rpm

Comment 7 Mageia Robot 2020-12-29 12:58:48 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0477.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

