Bug 31140 - python-twisted new security issue CVE-2022-39348
Summary: python-twisted new security issue CVE-2022-39348
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-11-16 18:01 CET by David Walser
Modified: 2023-02-27 21:28 CET (History)

See Also:
Source RPM: python-twisted-22.4.0-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2022-11-16 18:01:33 CET
SUSE has issued an advisory on November 15:
https://lists.suse.com/pipermail/sle-security-updates/2022-November/012932.html

The issue is fixed upstream in 22.10.0rc1:
https://github.com/twisted/twisted/security/advisories/GHSA-vg46-2rrj-3647

Mageia 8 is also affected.
David Walser 2022-11-16 18:01:51 CET

Status comment: (none) => Fixed upstream in 22.10.0rc1
Whiteboard: (none) => MGA8TOO

Comment 2 David Walser 2022-11-29 13:53:39 CET
Debian-LTS has issued an advisory for this on November 28:
https://www.debian.org/lts/security/2022/dla-3212
Comment 3 papoteur 2023-02-15 09:56:14 CET
Cauldron is updated with 22.10.0

CC: (none) => yves.brungard_mageia
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 4 papoteur 2023-02-15 10:22:20 CET
Submitted:
python3-twisted+tls-22.10.0-1.mga8
python3-twisted-22.10.0-1.mga8

Source:
python-twisted-22.10.0-1.mga8

Assignee: python => qa-bugs
Status comment: Fixed upstream in 22.10.0rc1 => (none)
Source RPM: python-twisted-22.4.0-1.mga9.src.rpm => (none)

David Walser 2023-02-15 15:25:26 CET

Source RPM: (none) => python-twisted-22.4.0-1.mga8.src.rpm

Comment 5 Len Lawrence 2023-02-21 01:57:27 CET
Mageia8, x86_64

Updated the two packages and referring to bug 30067 played around with kajongg.  The only problem there was the unauthorized login and wrong username.  noethys launches fine - everything in French so not at all sure what it is about.  It seems to be some sort of management tool for projects and organisations.  There was a list of members.

$ syncevolution --help
syncevolution: error while loading shared libraries: libopenobex.so.2: cannot open shared object file: No such file or directory

$ sudo urpmi libopenobex
lib64openobex2-1.7.2-4.mga8
$ syncevolution --help
List and manipulate databases:
  syncevolution --print-databases|--create-database|--remove-database [<properties>] [<config> <store>]

This is all unfamiliar territory but the dependent applications open and run but they are not really being tested, apart from kajongg.

A tentative OK for this.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 6 Len Lawrence 2023-02-21 03:01:10 CET
Having to remove the OK because kajongg has stopped working.
$ kajongg
  File "/usr/bin/kajongg", line 169, in <module>
    parseOptions()
  File "/usr/bin/kajongg", line 140, in parseOptions
    from query import initDb
  File "/usr/share/kajongg/query.py", line 36, in <module>
    from log import logInfo, logWarning, logException, logError, logDebug, id4
  File "/usr/share/kajongg/log.py", line 34, in <module>
    from dialogs import Sorry, Information, NoPrompt
  File "/usr/share/kajongg/dialogs.py", line 26, in <module>
    from twisted.internet.defer import Deferred, succeed
  File "/usr/lib/python3.8/site-packages/twisted/internet/defer.py", line 42, in <module>
    from typing_extensions import Literal, ParamSpec, Protocol
ImportError: cannot import name 'ParamSpec' from 'typing_extensions' (/usr/lib/python3.8/site-packages/typing_extensions.py)

Whiteboard: MGA8-64-OK => (none)

Comment 7 papoteur 2023-02-21 07:51:40 CET
Hello Len
I don't reproduce your error, but I have another one, when quitting a play:
 kajongg
Unhandled Error
Traceback (most recent call last):
Failure: twisted.cred.error.UnauthorizedLogin: b'&&SERVER&&Wrong username: %1&&SERVER&&Yves&&SERVER&&'

which implies twisted :(

From within a python console, 
from typing_extensions import Literal, ParamSpec, Protocol
is working fine. Which version of python3-typing_extensions do you have?
Comment 8 papoteur 2023-02-21 08:16:33 CET
(In reply to papoteur from comment #7)
> Hello Len
> I don't reproduce your error, but I have another one, when quitting a play:
>  kajongg
> Unhandled Error
> Traceback (most recent call last):
> Failure: twisted.cred.error.UnauthorizedLogin: b'&&SERVER&&Wrong username:
> %1&&SERVER&&Yves&&SERVER&&' of python3-typing_extensions do you have?

In fact, the problem is that I didn't define an account. This is badly managed by kajongg, but this is not a defect of twisted.
Comment 9 Len Lawrence 2023-02-21 09:33:13 CET
Replying to papoteur, comments 7 and 8.
Neither did I define an account so I saw the same exit message.

$ rpm -q python3-typing_extensions
python3-typing_extensions-3.7.4-4.mga8

Sounds like there is nothing fundamentally wrong so the OK goes back.  Thanks Yves.
Len Lawrence 2023-02-21 09:33:56 CET

Whiteboard: (none) => MGA8-64-OK

Comment 10 papoteur 2023-02-21 10:12:33 CET
Advisory:
=================
Fix for CVE-2022-39348:
When the Host header does not match a configured host, twisted.web.vhost.NameVirtualHost will return a NoResource resource, which renders the Host header unescaped into the 404 response, allowing HTML and script injection.
=================
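To make the bug class in the advisory concrete, here is a small stdlib-only model of a name-based virtual-host dispatcher whose 404 page reflects the request's Host header, first verbatim (the behaviour CVE-2022-39348 describes) and then HTML-escaped (what the upstream fix amounts to), plus a check that tells the two apart from a response body. This is an added example written for this page; it is not code from Twisted, from the Mageia package or from the advisory. The vhost map, the probe string, the `dispatch`, `not_found_page` and `reflects_raw_html` names, and the host normalisation rule are all assumptions made for illustration.

```python
"""Model of the CVE-2022-39348 bug class: a 404 page that reflects the
Host header into HTML. Added example, not Twisted's own code."""

from html import escape
from typing import Tuple

# Constructed sample vhost map (host name -> resource it would serve).
VHOST_MAP = {
    "app.example.test": "app-resource",
    "api.example.test": "api-resource",
}

# Harmless HTML marker used to detect reflection; assumed, not from the page.
PROBE = "<b>probe</b>"


def _host_from_header(host_header: str) -> str:
    """Strip an optional :port and lower-case the name.
    This is the model's own normalisation, an assumption rather than
    Twisted's exact logic."""
    return host_header.split(":", 1)[0].strip().lower()


def not_found_page(host_header: str, escape_host: bool) -> str:
    """Build the 404 body.

    escape_host=False interpolates the attacker-controlled header verbatim
    into HTML (the vulnerable behaviour the advisory describes).
    escape_host=True HTML-escapes it first, which neutralises injected
    markup (the shape of the fix)."""
    shown = escape(host_header, quote=True) if escape_host else host_header
    return (
        "<html><head><title>No Such Resource</title></head>"
        "<body><h1>No Such Resource</h1>"
        f"<p>host {shown} not in vhost map</p></body></html>"
    )


def dispatch(host_header: str, escape_host: bool) -> Tuple[int, str]:
    """Route a request by its Host header. Returns (status, body)."""
    resource = VHOST_MAP.get(_host_from_header(host_header))
    if resource is not None:
        return 200, resource
    return 404, not_found_page(host_header, escape_host)


def reflects_raw_html(body: str, probe: str = PROBE) -> bool:
    """True if the probe survives unescaped in the body, i.e. the server
    reflected the Host header without escaping. An escaped reflection turns
    '<' into '&lt;', so the raw probe no longer matches."""
    return probe in body


if __name__ == "__main__":
    hostile_host = "attacker.example.test" + PROBE
    for escaped in (False, True):
        status, body = dispatch(hostile_host, escape_host=escaped)
        verdict = "VULNERABLE" if reflects_raw_html(body) else "safe"
        print(f"escape_host={escaped}: HTTP {status}, {verdict}")
```

To apply the same check to a live Twisted deployment, send one request whose Host header carries a harmless marker like the probe above and feed the response body to `reflects_raw_html`; a 22.4.0 NameVirtualHost returns the marker unescaped in its 404, while 22.10.0 does not.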
Comment 11 Thomas Andrews 2023-02-21 16:43:00 CET
Validating. Advisory in Comment 10.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-02-25 20:23:04 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 12 Mageia Robot 2023-02-27 21:28:56 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0061.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

