Bug 32998 - python3 and python new security issues CVE-2023-6597 and CVE-2024-0450
Summary: python3 and python new security issues CVE-2023-6597 and CVE-2024-0450
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-03-21 16:55 CET by Nicolas Salguero
Modified: 2024-03-28 04:54 CET
3 users

See Also:
Source RPM: python3-3.10.11-1.1.mga9.src.rpm, python-2.7.18-15.1.mga9.src.rpm
CVE: CVE-2023-6597, CVE-2024-0450
Status comment:



Description Nicolas Salguero 2024-03-21 16:55:53 CET
Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2024/03/20/5

The link above provides fixed versions and patches. Versions 3.12.x are said to be affected too.

Mageia 9 is also affected.
Nicolas Salguero 2024-03-21 16:56:53 CET

Status comment: (none) => Patches available from upstream
Source RPM: (none) => python3-3.12.2-1.mga10.src.rpm
CVE: (none) => CVE-2023-6597, CVE-2024-0450
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2024-03-22 21:41:05 CET
There is a lot of info on that page, and various versions mentioned.

Assignee: bugsquad => python

Comment 2 Nicolas Salguero 2024-03-25 16:20:35 CET
Debian has issued an advisory on March 24:
https://lwn.net/Articles/966564/

Python 2.7 is affected by CVE-2024-0450.

Summary: python3 new security issues CVE-2023-6597 and CVE-2024-0450 => python3 and python new security issues CVE-2023-6597 and CVE-2024-0450
Status comment: Patches available from upstream => Patches available from Debian and upstream
Source RPM: python3-3.12.2-1.mga10.src.rpm => python3-3.12.2-1.mga10.src.rpm, python-2.7.18-16.mga10.src.rpm

Comment 3 Nicolas Salguero 2024-03-26 15:51:03 CET
Those CVEs are already fixed in version 3.12.2 so python3 in Cauldron is not affected.
Comment 4 Nicolas Salguero 2024-03-26 16:47:57 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users who can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances. (CVE-2023-6597)

The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython make the zipfile module reject zip archives which overlap entries in the archive. (CVE-2024-0450)

References:
https://www.openwall.com/lists/oss-security/2024/03/20/5
https://lwn.net/Articles/966564/
========================

Updated packages in core/updates_testing:
========================
lib(64)python2.7-2.7.18-15.2.mga9
lib(64)python2.7-stdlib-2.7.18-15.2.mga9
lib(64)python2.7-testsuite-2.7.18-15.2.mga9
lib(64)python-devel-2.7.18-15.2.mga9
python-2.7.18-15.2.mga9
python-docs-2.7.18-15.2.mga9

lib(64)python3.10-3.10.11-1.2.mga9
lib(64)python3.10-stdlib-3.10.11-1.2.mga9
lib(64)python3.10-testsuite-3.10.11-1.2.mga9
lib(64)python3-devel-3.10.11-1.2.mga9
python3-3.10.11-1.2.mga9
python3-docs-3.10.11-1.2.mga9
tkinter3-3.10.11-1.2.mga9
tkinter3-apps-3.10.11-1.2.mga9

from SRPMS:
python-2.7.18-15.2.mga9.src.rpm
python3-3.10.11-1.2.mga9.src.rpm

Assignee: python => qa-bugs
Status comment: Patches available from Debian and upstream => (none)
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Status: NEW => ASSIGNED
Source RPM: python3-3.12.2-1.mga10.src.rpm, python-2.7.18-16.mga10.src.rpm => python3-3.10.11-1.1.mga9.src.rpm, python-2.7.18-15.1.mga9.src.rpm
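A stand-alone check for the CVE-2024-0450 condition described in the advisory: an entry whose local header plus compressed data runs past the next entry's header offset (or into the central directory), which the fixed zipfile module rejects on open. This is an added example, not the Mageia package's or CPython's own code; both archives it runs on are constructed inside the block, the second one deliberately malformed so the check has something to flag.

```python
import io
import struct
import zipfile

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # fixed 30-byte local file header

def find_overlapping_entries(data: bytes) -> list:
    """Names of entries whose local header + compressed data extends past the
    next entry's header offset or the central directory (overlap invariant)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:           # raises BadZipFile if not a zip
        infos = sorted(zf.infolist(), key=lambda zi: zi.header_offset)
    eocd = data.rfind(b"PK\x05\x06")                       # end-of-central-directory record
    cd_start = struct.unpack_from("<I", data, eocd + 16)[0]  # 'offset of central directory'
    bad = []
    for idx, zi in enumerate(infos):
        start = zi.header_offset
        limit = infos[idx + 1].header_offset if idx + 1 < len(infos) else cd_start
        if data[start:start + 4] != b"PK\x03\x04":
            bad.append(zi.filename)                        # no local header where the directory says
            continue
        fields = LOCAL_HDR.unpack_from(data, start)         # fields[9]/[10]: name and extra lengths
        end = start + LOCAL_HDR.size + fields[9] + fields[10] + zi.compress_size
        if end > limit:
            bad.append(zi.filename)
    return bad

def make_archive(entries: dict) -> bytes:
    """Constructed sample: a well-formed deflated archive from {name: payload}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()

def make_overlapping_sample() -> bytes:
    """Constructed malformed sample for exercising the check: the second
    central-directory record is repointed at the first entry's local header."""
    data = bytearray(make_archive({"a.txt": b"A" * 4096, "b.txt": b"B" * 4096}))
    cd_start = struct.unpack_from("<I", data, data.rfind(b"PK\x05\x06") + 16)[0]
    second = data.find(b"PK\x01\x02", cd_start + 4)        # second central-directory record
    first_offset = struct.unpack_from("<I", data, cd_start + 42)[0]
    struct.pack_into("<I", data, second + 42, first_offset)  # 'relative offset of local header'
    return bytes(data)

if __name__ == "__main__":
    print(find_overlapping_entries(make_archive({"a.txt": b"hi", "b.txt": b"yo"})))  # []
    print(find_overlapping_entries(make_overlapping_sample()))                        # ['a.txt']
```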

katnatek 2024-03-26 17:58:51 CET

Keywords: (none) => advisory

Comment 5 katnatek 2024-03-27 02:13:02 CET
RH mageia 9 x86_64

LC_ALL=C urpmi --auto --auto-update 
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date


installing python3-3.10.11-1.2.mga9.x86_64.rpm lib64python3.10-stdlib-3.10.11-1.2.mga9.x86_64.rpm tkinter3-3.10.11-1.2.mga9.x86_64.rpm lib64python3.10-3.10.11-1.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/4: lib64python3.10       ##################################################################################################
      2/4: python3               ##################################################################################################
      3/4: lib64python3.10-stdlib
                                 ##################################################################################################
      4/4: tkinter3              ##################################################################################################
      1/4: removing tkinter3-3.10.11-1.1.mga9.x86_64
                                 ##################################################################################################  
      2/4: removing lib64python3.10-stdlib-3.10.11-1.1.mga9.x86_64
                                 ##################################################################################################
      3/4: removing python3-3.10.11-1.1.mga9.x86_64
                                 ##################################################################################################
      4/4: removing lib64python3.10-3.10.11-1.1.mga9.x86_64
                                 ##################################################################################################


Test 3 python3 applications without issues
Comment 6 katnatek 2024-03-27 02:24:45 CET
RH mageia 9 x86_64

Test install current, update to testing and remove python packages

LC_ALL=C urpmi python lib64python2.7-testsuite lib64python-devel lib64python2.7-stdlib python-docs
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release (distrib1)")
  python2-rpm-macros             3.10         6.mga9        noarch  
(medium "Core Updates (distrib3)")
  lib64python-devel              2.7.18       15.1.mga9     x86_64  
  lib64python2.7                 2.7.18       15.1.mga9     x86_64  
  lib64python2.7-stdlib          2.7.18       15.1.mga9     x86_64  
  lib64python2.7-testsuite       2.7.18       15.1.mga9     x86_64  
  python                         2.7.18       15.1.mga9     x86_64  
  python-docs                    2.7.18       15.1.mga9     noarch  
93MB of additional disk space will be used.
17MB of packages will be retrieved.
Proceed with the installation of the 7 packages? (Y/n) y


    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/python2-rpm-macros-3.10-6.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/python-2.7.18-15.1.mga9.x86_64.rpm             
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64python2.7-stdlib-2.7.18-15.1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64python2.7-testsuite-2.7.18-15.1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64python-devel-2.7.18-15.1.mga9.x86_64.rpm  
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/python-docs-2.7.18-15.1.mga9.noarch.rpm        
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64python2.7-2.7.18-15.1.mga9.x86_64.rpm     
installing lib64python2.7-testsuite-2.7.18-15.1.mga9.x86_64.rpm lib64python2.7-stdlib-2.7.18-15.1.mga9.x86_64.rpm python2-rpm-macros-3.10-6.mga9.noarch.rpm python-2.7.18-15.1.mga9.x86_64.rpm lib64python2.7-2.7.18-15.1.mga9.x86_64.rpm python-docs-2.7.18-15.1.mga9.noarch.rpm lib64python-devel-2.7.18-15.1.mga9.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     ##################################################################################################
      1/7: python2-rpm-macros    ##################################################################################################
      2/7: python                ##################################################################################################
      3/7: lib64python2.7        ##################################################################################################
      4/7: lib64python2.7-stdlib ##################################################################################################
      5/7: lib64python2.7-testsuite
                                 ##################################################################################################
      6/7: python-docs           ##################################################################################################
      7/7: lib64python-devel     ##################################################################################################

LC_ALL=C urpmi --auto --auto-update 
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
medium "BDK-Free-x86_64" is up-to-date
medium "BDK-Free-noarch" is up-to-date
medium "BDK-NonFree-x86_64" is up-to-date
medium "MLO_core (MLO1)" is up-to-date
medium "MLO_nonfree (MLO2)" is up-to-date
medium "MLO_tainted (MLO3)" is up-to-date


installing python-2.7.18-15.2.mga9.x86_64.rpm lib64python2.7-stdlib-2.7.18-15.2.mga9.x86_64.rpm lib64python2.7-testsuite-2.7.18-15.2.mga9.x86_64.rpm lib64python2.7-2.7.18-15.2.mga9.x86_64.rpm python-docs-2.7.18-15.2.mga9.noarch.rpm lib64python-devel-2.7.18-15.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/6: lib64python2.7        ##################################################################################################
      2/6: python                ##################################################################################################
      3/6: lib64python2.7-stdlib ##################################################################################################
      4/6: lib64python2.7-testsuite
                                 ##################################################################################################
      5/6: python-docs           ##################################################################################################
      6/6: lib64python-devel     ##################################################################################################
      1/6: removing lib64python-devel-2.7.18-15.1.mga9.x86_64
                                 ##################################################################################################
      2/6: removing python-docs-2.7.18-15.1.mga9.noarch
                                 ##################################################################################################
      3/6: removing lib64python2.7-testsuite-2.7.18-15.1.mga9.x86_64
                                 ##################################################################################################
      4/6: removing lib64python2.7-stdlib-2.7.18-15.1.mga9.x86_64
                                 ##################################################################################################
      5/6: removing python-2.7.18-15.1.mga9.x86_64
                                 ##################################################################################################
      6/6: removing lib64python2.7-2.7.18-15.1.mga9.x86_64
                                 ##################################################################################################

LC_ALL=C urpme $(rpm -qa|grep 2.7.18-15.2)
removing lib64python-devel-2.7.18-15.2.mga9.x86_64 lib64python2.7-2.7.18-15.2.mga9.x86_64 lib64python2.7-stdlib-2.7.18-15.2.mga9.x86_64 lib64python2.7-testsuite-2.7.18-15.2.mga9.x86_64 python-2.7.18-15.2.mga9.x86_64 python-docs-2.7.18-15.2.mga9.noarch
removing package lib64python-devel-2.7.18-15.2.mga9.x86_64
      1/6: removing lib64python-devel-2.7.18-15.2.mga9.x86_64
                                 ##################################################################################################
removing package python-docs-2.7.18-15.2.mga9.noarch
      2/6: removing python-docs-2.7.18-15.2.mga9.noarch
                                 ##################################################################################################
removing package lib64python2.7-testsuite-2.7.18-15.2.mga9.x86_64
      3/6: removing lib64python2.7-testsuite-2.7.18-15.2.mga9.x86_64
                                 ##################################################################################################
removing package lib64python2.7-stdlib-2.7.18-15.2.mga9.x86_64
      4/6: removing lib64python2.7-stdlib-2.7.18-15.2.mga9.x86_64
                                 ##################################################################################################
removing package python-2.7.18-15.2.mga9.x86_64
      5/6: removing python-2.7.18-15.2.mga9.x86_64
                                 ##################################################################################################
removing package lib64python2.7-2.7.18-15.2.mga9.x86_64
      6/6: removing lib64python2.7-2.7.18-15.2.mga9.x86_64
                                 ##################################################################################################
writing /var/lib/rpm/installed-through-deps.list

The following package:
  python2-rpm-macros-3.10-6.mga9.noarch
is now orphaned, if you wish to remove it, you can use "urpme --auto-orphans"

LC_ALL=C urpme python2-rpm-macros
removing python2-rpm-macros-3.10-6.mga9.noarch
removing package python2-rpm-macros-3.10-6.mga9.noarch
      1/1: removing python2-rpm-macros-3.10-6.mga9.noarch
                                 ##################################################################################################
Comment 7 Herman Viaene 2024-03-27 15:06:08 CET
MGA9-64 Plasma wayland on HP-Pavilion
No installation issues.
Following the wiki, with the remark that the files have been moved.
$ python /usr/share/doc/python3-pyparsing/examples/SimpleCalc.py 
Type in the string to be parsed or 'quit' to exit the program
> 123 + 456         
579
> a=2
2
> b=3
3
> a*b
6
> quit
Good bye!

$ python3 /usr/share/doc/python3-pyparsing/examples/SimpleCalc.py 
Type in the string to be parsed or 'quit' to exit the program
> 123 + 456
579
> a=2
2
> b=3
3
> a*b
6
> quit
Good bye!

OK for me.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 8 Thomas Andrews 2024-03-28 00:50:32 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 9 Mageia Robot 2024-03-28 04:54:11 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0096.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

