Bug 28020 - python-py new security issue CVE-2020-29651
Summary: python-py new security issue CVE-2020-29651
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Duplicates: 28139
Depends on:
Blocks:
 
Reported: 2021-01-06 00:14 CET by David Walser
Modified: 2021-02-08 18:59 CET

See Also:
Source RPM: python-py-1.8.0-1.mga7.src.rpm
CVE: CVE-2020-29651
Status comment:


Description David Walser 2021-01-06 00:14:33 CET
Fedora has issued an advisory today (January 5):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CHDTINIBJZ67T3W74QTBIY5LPKAXEOGR/

The issue is fixed upstream in 1.10.0.

Mageia 7 is also affected.
David Walser 2021-01-06 00:14:46 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 1.10.0

Comment 1 Nicolas Lécureuil 2021-01-06 01:45:04 CET
fixed in cauldron and new rpm pushed in mga7

src:
     python-py-1.8.0-1.1.mga7

CC: (none) => mageia
Assignee: python => qa-bugs
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 2 David Walser 2021-01-06 01:57:22 CET
Advisory:
========================

Updated python-py packages fix security vulnerability:

A denial of service via regular expression in the py.path.svnwc component of
python-py through 1.9.0 could be used by attackers to cause a compute-time
denial of service attack by supplying malicious input to the blame
functionality (CVE-2020-29651).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29651
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CHDTINIBJZ67T3W74QTBIY5LPKAXEOGR/
========================

Updated packages in core/updates_testing:
========================
python2-py-1.8.0-1.1.mga7
python3-py-1.8.0-1.1.mga7
python-py-doc-1.8.0-1.1.mga7

from python-py-1.8.0-1.1.mga7.src.rpm

Status comment: Fixed upstream in 1.10.0 => (none)

Comment 3 Zombie Ryushu 2021-01-17 11:54:24 CET
*** Bug 28139 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu

Aurelien Oudelet 2021-02-04 19:03:10 CET

Source RPM: python3-py-1.9.0-1.mga8.src.rpm => python-py-1.8.0-1.mga7.src.rpm
CVE: (none) => CVE-2020-29651
CC: (none) => ouaurelien

Comment 4 Len Lawrence 2021-02-05 15:39:06 CET
mga7, x86

CVE-2020-29651
https://github.com/pytest-dev/py/issues/256
This page describes an exploit using a regular expression on the string "1"*5000 which precipitates catastrophic backtracking.
Not enough detail for the uninitiated so we shall have to let it go.

Updated the three packages.

python-py is a development support library.
Documentation at file:///usr/share/doc/python-py-doc/html/index.html
There are examples of the use of the API in one of the chapters. e.g.
$ python2
>>> import py
>>> p1 = py.path.local( '/foo/bar' )
>>> p2 = p1.join( 'baz/qux' )
>>> p2 == py.path.local( '/foo/bar/baz/qux' )
True
>>> sep = py.path.local.sep
>>> p2.join( p2.bestrelpath( p1 ) ) == p1
True
>>> p3 = p1 / 'baz/qux'
>>> p2 == p3
True
>>> p4 = p1 + ".py"
>>> p4.basename == "bar.py"
True
>>> p4.ext == ".py"
True
>>> p4.purebasename == "bar"
True
>>> print( p4.purebasename )
bar
>>> exit( )

The same instructions supplied to python3 as a script produced the same results.
Elementary stuff but as far as we go. Giving this a pass.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 5 Aurelien Oudelet 2021-02-05 17:59:09 CET
Validating. Advisory and packages in Comment 2.
Advisory pushed to SVN.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 6 Aurelien Oudelet 2021-02-07 18:16:10 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0071.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 7 Mageia Robot 2021-02-08 18:59:23 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0071.html
