Bug 30051 - python-rencode new security issue CVE-2021-40839
Summary: python-rencode new security issue CVE-2021-40839
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-02-15 14:34 CET by David Walser
Modified: 2022-05-12 12:25 CEST
CC: 6 users

See Also:
Source RPM: python-rencode-1.0.6-4.mga9.src.rpm
CVE:
Status comment:


Description David Walser 2022-02-15 14:34:43 CET
Fedora has issued an advisory today (February 15):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MCLETLGVM5DBX6QNHQFW6TWGO5T3DENY/

Mageia 8 is also affected.
David Walser 2022-02-15 14:36:00 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from Fedora

Comment 1 Nicolas Lécureuil 2022-05-03 09:13:50 CEST
pushed by papoteur in mga8:


src.rpm:
        - python-rencode-1.0.6-2.1.mga8

Status comment: Patch available from Fedora => (none)
Assignee: python => qa-bugs
CC: (none) => mageia

Nicolas Lécureuil 2022-05-03 09:14:01 CEST

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 2 papoteur 2022-05-03 09:37:35 CEST
I don't know how to test it.
This package is used by deluge, a bittorrent client.

CC: (none) => yves.brungard_mageia

Comment 3 David Walser 2022-05-03 15:06:03 CEST
RPM:
python3-rencode-1.0.6-2.1.mga8
Comment 4 Herman Viaene 2022-05-11 14:04:57 CEST
MGA8-64 Plasma on Lenovo B50 in Dutch.
No installation issues.
Took a hint from papoteur, put a trace on deluge and used it to access a torrent download file from LibreOffice.org.
$ strace -o ptyhrencodetxt deluge

That worked OK and in the trace file I found multiple references to the python3-rencode files.
OK for me.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2022-05-11 14:16:57 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Dave Hodgins 2022-05-11 23:09:05 CEST
Advisory committed to svn as ...
type: security
subject: Updated python-rencode packages fix security vulnerability
CVE:
 - CVE-2021-40839
src:
  8:
   core:
     - python-rencode-1.0.6-2.1.mga8
description: |
  The rencode package through 1.0.6 for Python allows an infinite loop in
  typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that
  consumes CPU and memory. (CVE-2021-40839)
references:
 - https://bugs.mageia.org/show_bug.cgi?id=30051
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MCLETLGVM5DBX6QNHQFW6TWGO5T3DENY/

Keywords: (none) => advisory
CC: (none) => davidwhodgins
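
The advisory text above describes the bug class (a typecode-decoding loop that never terminates on malformed input), and comment 2 asks how such an update could be tested. The following is an added illustration, not code from python-rencode, from the Fedora patch or from Mageia: it defines a small typecode-prefixed toy format (the format, the function names, HANG_BUDGET and the "valid" and "truncated list" payloads are all assumptions made for this example; only the `;\x2f\x7f` sample comes from the advisory), a decoder that exhibits the same failure mode, a hardened decoder in which every code path either consumes input or raises, and a probe harness that classifies each decoder's behaviour on a set of payloads.

```python
# Toy typecode-prefixed format, an assumption for this example (NOT rencode's):
#   b'i' <ASCII digits> b'e'         integer
#   b's' <one length byte> <bytes>   byte string, at most 255 bytes
#   b'l' <values ...> b'e'           list

# Assumption: dispatch-loop iterations after which the probe harness declares
# a hang.  A real decoder needs no budget; it only makes the demo terminate.
HANG_BUDGET = 10_000

class DecodeBudgetExceeded(Exception):
    """Raised by the vulnerable decoder once it spins past HANG_BUDGET."""

def _vulnerable(data, pos, budget):
    """Bug class of CVE-2021-40839: the typecode loop can repeat without
    consuming input, so malformed or truncated data never terminates."""
    while True:
        budget[0] -= 1
        if budget[0] < 0:
            raise DecodeBudgetExceeded
        tc = data[pos:pos + 1]              # b'' once pos runs off the end
        if tc == b"i":
            end = data.index(b"e", pos)
            return int(data[pos + 1:end]), end + 1
        if tc == b"s":
            n = data[pos + 1]
            return data[pos + 2:pos + 2 + n], pos + 2 + n
        if tc == b"l":
            items, pos = [], pos + 1
            while data[pos:pos + 1] != b"e":
                item, pos = _vulnerable(data, pos, budget)
                items.append(item)
            return items, pos + 1
        continue  # BUG: unknown typecode skipped without advancing pos

def vulnerable_decode(data):
    return _vulnerable(data, 0, [HANG_BUDGET])[0]

def _hardened(data, pos):
    """Same format, but every path either consumes input or raises."""
    if pos >= len(data):
        raise ValueError("truncated input at offset %d" % pos)
    tc = data[pos:pos + 1]
    if tc == b"i":
        end = data.find(b"e", pos + 1)
        if end < 0:
            raise ValueError("unterminated integer at offset %d" % pos)
        return int(data[pos + 1:end]), end + 1
    if tc == b"s":
        if pos + 1 >= len(data):
            raise ValueError("missing string length at offset %d" % pos)
        end = pos + 2 + data[pos + 1]
        if end > len(data):
            raise ValueError("truncated string body at offset %d" % pos)
        return data[pos + 2:end], end
    if tc == b"l":
        items, pos = [], pos + 1
        while True:
            if pos >= len(data):
                raise ValueError("unterminated list")
            if data[pos:pos + 1] == b"e":
                return items, pos + 1
            item, new_pos = _hardened(data, pos)
            if new_pos <= pos:  # progress invariant: never spin in place
                raise RuntimeError("decoder made no progress")
            items.append(item)
            pos = new_pos
    raise ValueError("unknown typecode %r at offset %d" % (tc, pos))

def hardened_decode(data):
    value, end = _hardened(data, 0)
    if end != len(data):
        raise ValueError("%d trailing bytes after value" % (len(data) - end))
    return value

def probe(decoder, payload):
    """Classify one decoder/payload pair as 'ok', 'error' or 'hang'."""
    try:
        decoder(payload)
        return "ok"
    except DecodeBudgetExceeded:
        return "hang"
    except (ValueError, IndexError):
        return "error"

# Constructed probe set: b";\x2f\x7f" is the sample quoted in the advisory;
# the other two payloads are made up for this example.
PROBES = {
    "valid": b"li42es\x02hili-1eee",  # encodes [42, b"hi", [-1]]
    "advisory sample": b";\x2f\x7f",
    "truncated list": b"li1e",
}

def run_probes(decoder):
    """Map each probe name to the decoder's classified behaviour."""
    return {name: probe(decoder, payload) for name, payload in PROBES.items()}

if __name__ == "__main__":
    print("vulnerable:", run_probes(vulnerable_decode))
    print("hardened:  ", run_probes(hardened_decode))
```

Run stand-alone, the script prints one classification per decoder: the vulnerable one reports "hang" for both malformed payloads, the hardened one reports "error" for them, and both accept the valid payload. The step budget is what makes the demonstration deterministic; the real package cannot be instrumented that way, so the equivalent QA check is a wall-clock limit (for example coreutils `timeout`) around a call to `rencode.loads` on the advisory's sample bytes: a fixed build returns or raises promptly, a vulnerable one is killed by the timeout.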

Comment 7 Mageia Robot 2022-05-12 12:25:52 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0167.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
