Bug 30572 - python, python3 new security issue CVE-2015-20107
Summary: python, python3 new security issue CVE-2015-20107
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on: 30848
Blocks: 30043
Reported: 2022-06-20 19:46 CEST by David Walser
Modified: 2022-10-13 22:06 CEST (History)

See Also:
Source RPM: python-2.7.18-7.3.mga8, python3-3.8.12-1.mga8
CVE:
Status comment:


Attachments
Eratosthenes Sieve for python2 (961 bytes, text/plain)
2022-10-10 01:04 CEST, Len Lawrence

David Walser 2022-06-20 19:46:58 CEST

Status comment: (none) => Patches available from Fedora
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-07-14 19:08:19 CEST
Ubuntu has issued an advisory for this today (July 14):
https://ubuntu.com/security/notices/USN-5519-1
David Walser 2022-09-14 00:07:08 CEST

Depends on: (none) => 30848

Comment 2 Jani Välimaa 2022-10-04 07:55:37 CEST
Python3 fixed in cauldron with python3-3.10.6-1.mga9.

https://svnweb.mageia.org/packages?view=revision&revision=1876729

Python fixed in cauldron with python-2.7.18-13.mga9.

https://svnweb.mageia.org/packages?view=revision&revision=1894587

Source RPM: python-2.7.18-11.mga9.src.rpm, python3-3.10.5-1.mga9.src.rpm => python-2.7.18-7.3.mga8, python3-3.8.12-1.mga8
Version: Cauldron => 8
CC: (none) => jani.valimaa
Whiteboard: MGA8TOO => (none)

Comment 3 Jani Välimaa 2022-10-04 10:05:57 CEST
Pushed python-2.7.18-7.4.mga8 including fixes from bug 30043 and python3-3.8.14-1.1.mga8 to mga8 core/updates_testing.

Python3 update is handled in bug 30848.

SRPMS:
python-2.7.18-7.4.mga8

RPMS:
lib(64)python2.7-2.7.18-7.4.mga8
lib(64)python2.7-stdlib-2.7.18-7.4.mga8
lib(64)python2.7-testsuite-2.7.18-7.4.mga8
lib(64)python-devel-2.7.18-7.4.mga8
python-2.7.18-7.4.mga8
python-docs-2.7.18-7.4.mga8
tkinter-2.7.18-7.4.mga8
tkinter-apps-2.7.18-7.4.mga8

Blocks: (none) => 30043

David Walser 2022-10-04 13:18:25 CEST

Assignee: python => qa-bugs
Status comment: Patches available from Fedora => (none)

Comment 4 David Walser 2022-10-06 14:36:59 CEST
Python 2.x is also vulnerable to CVE-2021-28861, we should fix that here too.

SUSE has issued an advisory for this on October 4:
https://lists.suse.com/pipermail/sle-security-updates/2022-October/012483.html

Keywords: (none) => feedback

Comment 5 David Walser 2022-10-06 14:41:56 CEST
(In reply to David Walser from comment #4)
> Python 2.x is also vulnerable to CVE-2021-28861, we should fix that here too.
> 
> SUSE has issued an advisory for this on October 4:
> https://lists.suse.com/pipermail/sle-security-updates/2022-October/012483.html

Equivalent openSUSE advisory:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AOHEWJI4EPENRFNUSCXL2KZG7QSBH2MJ/
Comment 6 Jani Välimaa 2022-10-09 09:09:24 CEST
Pushed python-2.7.18-7.5.mga8 to core/updates_testing including fixes from bug 30043 and fixes for CVE-2021-28861 from SUSE.

SRPMS:
python-2.7.18-7.5.mga8

RPMS:
lib(64)python2.7-2.7.18-7.5.mga8
lib(64)python2.7-stdlib-2.7.18-7.5.mga8
lib(64)python2.7-testsuite-2.7.18-7.5.mga8
lib(64)python-devel-2.7.18-7.5.mga8
python-2.7.18-7.5.mga8
python-docs-2.7.18-7.5.mga8
tkinter-2.7.18-7.5.mga8
tkinter-apps-2.7.18-7.5.mga8
David Walser 2022-10-09 12:27:38 CEST

Keywords: feedback => (none)

Comment 7 Len Lawrence 2022-10-09 23:59:33 CEST
mga8, x64

Nothing much seems to depend on python 2.7.18 currently, just python itself and lsb.  youtube-dl has presumably been converted to python 3.
$ file /usr/bin/youtube-dl
/usr/bin/youtube-dl: a /usr/bin/env python3 script executable (binary data)

Checked out a couple of learner scripts - they worked fine.

Updated using the list in comment 6.  Clean installation.
The ttk script failed to find the tkinter package, possibly because it did not address it properly but the simple functionality script worked fine.

Difficult to know just how to test this so these tests shall have to suffice.
Leaving it without an OK in case somebody has a better idea.

CC: (none) => tarazed25

Comment 8 Len Lawrence 2022-10-10 00:27:05 CEST
$ python2 try.py
ImportError: No module named Tkinter

# try.py: import the Tk module under its Python 3 name first,
# then fall back to the Python 2 name (Tkinter) and alias it
try:
    import tkinter
except ImportError:
    import Tkinter
    tkinter = Tkinter
    del Tkinter

exit()
Comment 9 David Walser 2022-10-10 00:29:06 CEST
Did you install tkinter?
Comment 10 Len Lawrence 2022-10-10 01:04:55 CEST
Created attachment 13417 [details]
Eratosthenes Sieve for python2
Comment 11 Len Lawrence 2022-10-10 01:33:10 CEST
You are correct David - missed a step, drakrpm-update after qarepo.
Getting too old and senile for this job.  Just lost my reply as well.

Fixed that and now Eratosthenes Sieve works but there is still trouble with tkinter (which is definitely there now). try.py now works - no exception raised. The module needs to be addressed as Tkinter but submodules like ttk cannot be found. This is a programming problem - I don't know python so cannot take it any further but would suggest that this should not hold up the update.
Len Lawrence 2022-10-10 09:15:49 CEST

Whiteboard: (none) => MGA8-64-OK

Comment 12 Thomas Andrews 2022-10-10 13:53:42 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-10-13 20:53:34 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 13 Mageia Robot 2022-10-13 22:06:27 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0367.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
