Fedora has issued an advisory today (January 23):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MGSV6BJQLRQ6RKVUXK7JGU7TP4QFGQXC/

The fix will be included in the upcoming 3.8.8 release. Python 2.x is also affected.

The worst effects of this are mitigated by our compiler options, so I think we can wait to fix this until 3.8.8 (and a patch for Python 2.x) is available.

Mageia 7 is also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOO
Assignee: bugsquad => python
python3 is fixed on cauldron
CC: (none) => mageia
Fix for python3 pushed on mga7: src: python3-3.7.9-1.2.mga7
patch for python 2 pushed in cauldron: python-2.7.18-7.mga8
build ok in cauldron
Version: Cauldron => 7
Whiteboard: MGA8TOO, MGA7TOO => (none)
pushed into mga7 too: python-2.7.18-1.2.mga7
Assignee: python => qa-bugs
Advisory:
========================

Updated python and python3 packages fix security vulnerability:

A flaw was found in python. A stack-based buffer overflow was discovered in the ctypes module provided within Python. Applications that use ctypes without carefully validating the input passed to it may be vulnerable to this flaw, which would allow an attacker to overflow a buffer on the stack and crash the application. The highest threat from this vulnerability is to system availability (CVE-2021-3177).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MGSV6BJQLRQ6RKVUXK7JGU7TP4QFGQXC/
========================

Updated packages in core/updates_testing:
========================
python-2.7.18-1.2.mga7
libpython2.7-2.7.18-1.2.mga7
libpython2.7-stdlib-2.7.18-1.2.mga7
libpython2.7-testsuite-2.7.18-1.2.mga7
libpython-devel-2.7.18-1.2.mga7
python-docs-2.7.18-1.2.mga7
tkinter-2.7.18-1.2.mga7
tkinter-apps-2.7.18-1.2.mga7
python3-3.7.9-1.2.mga7
libpython3.7-3.7.9-1.2.mga7
libpython3.7-stdlib-3.7.9-1.2.mga7
libpython3.7-testsuite-3.7.9-1.2.mga7
libpython3-devel-3.7.9-1.2.mga7
python3-docs-3.7.9-1.2.mga7
tkinter3-3.7.9-1.2.mga7
tkinter3-apps-3.7.9-1.2.mga7

from SRPMS:
python-2.7.18-1.2.mga7.src.rpm
python3-3.7.9-1.2.mga7.src.rpm
mga7, x86_64

There is a PoC for the CVE which has been checked before the updates. It causes an ABORT for both python2.7 and python3.7, as expected. Full report tomorrow.
CC: (none) => tarazed25
CVE-2021-3177
https://bugs.python.org/issue42938

$ python
>>> from ctypes import *
>>> c_double.from_param(1e300)
*** buffer overflow detected ***: python terminated
Aborted (core dumped)

$ python3
>>> from ctypes import *
>>> c_double.from_param(1e300)
*** buffer overflow detected ***: python3 terminated
Aborted (core dumped)

Updated all the packages.
- lib64python-devel-2.7.18-1.2.mga7.x86_64
- lib64python2.7-2.7.18-1.2.mga7.x86_64
- lib64python2.7-stdlib-2.7.18-1.2.mga7.x86_64
- lib64python2.7-testsuite-2.7.18-1.2.mga7.x86_64
- lib64python3-devel-3.7.9-1.2.mga7.x86_64
- lib64python3.7-3.7.9-1.2.mga7.x86_64
- lib64python3.7-stdlib-3.7.9-1.2.mga7.x86_64
- lib64python3.7-testsuite-3.7.9-1.2.mga7.x86_64
- python-2.7.18-1.2.mga7.x86_64
- python-docs-2.7.18-1.2.mga7.noarch
- python3-3.7.9-1.2.mga7.x86_64
- python3-docs-3.7.9-1.2.mga7.noarch
- tkinter-2.7.18-1.2.mga7.x86_64
- tkinter-apps-2.7.18-1.2.mga7.x86_64
- tkinter3-3.7.9-1.2.mga7.x86_64
- tkinter3-apps-3.7.9-1.2.mga7.x86_64

Checked the PoC.

$ python
>>> from ctypes import *
>>> c_double.from_param(1e300)
<cparam 'd' (1e+300)>
>>> exit()

$ python3
>>> from ctypes import *
>>> c_double.from_param(1e300)
<cparam 'd' (1e+300)>
>>> exit()

Good result.

A very large number of packages use python at some stage, including virtualbox, but running a trace on VirtualBox yields nothing.

$ strace -o perf.trace perf test
$ grep python perf.trace
write(2, "19: 'import perf' in python "..., 69) = 69

$ cat scribus.trace | grep python | grep lib64
[...]
stat("/usr/lib64/python2.7/lib-dynload/cStringIO", 0x7ffe91df6aa0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/python2.7/lib-dynload/cStringIO.so", O_RDONLY) = 20
openat(AT_FDCWD, "/usr/lib64/python2.7/lib-dynload/cStringIO.so", O_RDONLY|O_CLOEXEC) = 21

Given how ubiquitous python is and the fact that nothing has broken down since the updates we can let this go.
Whiteboard: (none) => MGA7-64-OK
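The before/after PoC check from the QA report above can be repeated across several interpreters from a child process, so an abort does not end the session. This is an added example, not part of the original thread or of Mageia's QA tooling; the verdict names and the default interpreter list are assumptions.

```python
import signal
import subprocess
import sys

# The expression from the PoC in the QA report above (valid on Python 2 and 3).
POC = "from ctypes import c_double; print(c_double.from_param(1e300))"


def classify(returncode, stdout):
    """Map a child's exit status and output to a verdict (names are assumptions)."""
    if returncode == 0 and "cparam 'd'" in stdout:
        return "patched"      # repr was built without overflowing the buffer
    if returncode == -signal.SIGABRT:
        return "aborted"      # overflow still present, caught by the fortify check
    if returncode < 0:
        return "crashed"      # killed by another signal, e.g. SIGSEGV
    return "error"            # ctypes missing or some unrelated failure


def check_interpreter(exe, timeout=10):
    """Run the PoC in a child process so an abort cannot kill the checker."""
    try:
        proc = subprocess.run([exe, "-c", POC], stdout=subprocess.PIPE,
                              stderr=subprocess.DEVNULL,
                              universal_newlines=True, timeout=timeout)
    except FileNotFoundError:
        return "missing"
    except subprocess.TimeoutExpired:
        return "error"
    return classify(proc.returncode, proc.stdout)


if __name__ == "__main__":
    # Default interpreter names are an assumption; pass paths as arguments.
    targets = sys.argv[1:] or ["python", "python3"]
    results = {exe: check_interpreter(exe) for exe in targets}
    for exe, verdict in results.items():
        print("%-12s %s" % (exe, verdict))
    # Fail only when an interpreter actually died on the PoC.
    bad = [v for v in results.values() if v in ("aborted", "crashed")]
    sys.exit(1 if bad else 0)
```

An "aborted" verdict corresponds to the pre-update sessions in the report, "patched" to the post-update ones.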
Validating. Advisory in Comment 6.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory committed to SVN.
CC: (none) => ouaurelien
CVE: (none) => CVE-2021-3177
Source RPM: python3-3.8.7-1.mga8.src.rpm, python-2.7.18-6.mga8.src.rpm => python3-3.7.9-1.1.mga7.src.rpm, python-2.7.18-1.1.mga7.src.rpm
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0064.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED