Bug 33436 - python3 new security issues CVE-2024-0397, CVE-2024-4032, CVE-2024-6923, CVE-2024-8088, CVE-2024-6232, CVE-2024-7592, CVE-2015-2104, CVE-2023-27043
Summary: python3 new security issues CVE-2024-0397, CVE-2024-4032, CVE-2024-6923, CVE-...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 33449
Reported: 2024-07-25 10:27 CEST by Nicolas Salguero
Modified: 2024-09-27 03:31 CEST

See Also:
Source RPM: python3-3.10.11-1.2.mga9.src.rpm
CVE: CVE-2024-0397, CVE-2024-4032, CVE-2024-6923, CVE-2024-8088, CVE-2024-6232, CVE-2024-7592, CVE-2015-2104, CVE-2023-27043
Status comment:



Description Nicolas Salguero 2024-07-25 10:27:20 CEST
RedHat has issued an advisory on July 23:
https://lwn.net/Articles/983060/
Nicolas Salguero 2024-07-25 10:27:44 CEST

CVE: (none) => CVE-2024-4032
Source RPM: (none) => python3-3.10.11-1.2.mga9.src.rpm

Comment 1 Lewis Smith 2024-07-25 22:31:27 CEST
This page:
 https://nvd.nist.gov/vuln/detail/CVE-2024-4032
lists 6 https://github.com/python/cpython/commit/ links which are patches. They look to be variations on the same theme...

Assignee: bugsquad => python

Comment 2 Nicolas Salguero 2024-09-02 11:00:32 CEST
CVE-2024-6923 was announced here:
https://openwall.com/lists/oss-security/2024/08/01/3

Whiteboard: (none) => MGA9TOO
CVE: CVE-2024-4032 => CVE-2024-4032, CVE-2024-6923
Version: 9 => Cauldron
Summary: python3 new security issue CVE-2024-4032 => python3 new security issues CVE-2024-4032, CVE-2024-6923

Comment 3 Nicolas Salguero 2024-09-02 11:15:05 CEST
CVE-2024-8088 was announced here:
https://openwall.com/lists/oss-security/2024/08/22/1

Summary: python3 new security issues CVE-2024-4032, CVE-2024-6923 => python3 new security issues CVE-2024-4032, CVE-2024-6923, CVE-2024-8088
CVE: CVE-2024-4032, CVE-2024-6923 => CVE-2024-4032, CVE-2024-6923, CVE-2024-8088

Comment 4 Nicolas Salguero 2024-09-05 16:08:39 CEST
CVE-2024-6232 was announced here:
https://www.openwall.com/lists/oss-security/2024/09/03/5

Summary: python3 new security issues CVE-2024-4032, CVE-2024-6923, CVE-2024-8088 => python3 new security issues CVE-2024-4032, CVE-2024-6923, CVE-2024-8088, CVE-2024-6232
CVE: CVE-2024-4032, CVE-2024-6923, CVE-2024-8088 => CVE-2024-4032, CVE-2024-6923, CVE-2024-8088, CVE-2024-6232

Comment 5 Nicolas Salguero 2024-09-08 10:02:34 CEST
Security fixes available in Python 3.13.0RC2, 3.12.6, 3.11.10, 3.10.15, 3.9.20, and 3.8.20.  See: https://www.openwall.com/lists/oss-security/2024/09/07/3

CVE: CVE-2024-4032, CVE-2024-6923, CVE-2024-8088, CVE-2024-6232 => CVE-2024-4032, CVE-2024-6923, CVE-2024-8088, CVE-2024-6232, CVE-2024-7592, CVE-2015-2104, CVE-2023-27043
Summary: python3 new security issues CVE-2024-4032, CVE-2024-6923, CVE-2024-8088, CVE-2024-6232 => python3 new security issues CVE-2024-4032, CVE-2024-6923, CVE-2024-8088, CVE-2024-6232, CVE-2024-7592, CVE-2015-2104, CVE-2023-27043
Status comment: (none) => Fixed upstream in 3.12.6 and 3.10.15

Comment 6 Nicolas Salguero 2024-09-18 14:20:23 CEST
From bug 33313:

https://www.openwall.com/lists/oss-security/2024/06/17/2
https://www.openwall.com/lists/oss-security/2024/06/17/3

Summary: python3 new security issues CVE-2024-4032, CVE-2024-6923, CVE-2024-8088, CVE-2024-6232, CVE-2024-7592, CVE-2015-2104, CVE-2023-27043 => python3 new security issues CVE-2024-0397, CVE-2024-4032, CVE-2024-6923, CVE-2024-8088, CVE-2024-6232, CVE-2024-7592, CVE-2015-2104, CVE-2023-27043
CVE: CVE-2024-4032, CVE-2024-6923, CVE-2024-8088, CVE-2024-6232, CVE-2024-7592, CVE-2015-2104, CVE-2023-27043 => CVE-2024-0397, CVE-2024-4032, CVE-2024-6923, CVE-2024-8088, CVE-2024-6232, CVE-2024-7592, CVE-2015-2104, CVE-2023-27043

Comment 7 Nicolas Salguero 2024-09-18 14:36:04 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. (CVE-2024-0397)

The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. (CVE-2024-4032)

The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. (CVE-2024-6923)

When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected. (CVE-2024-8088)

Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives. (CVE-2024-6232)

When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value. (CVE-2024-7592)

Urlparse insufficient validation leads to open redirect. (CVE-2015-2104)

The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python. (CVE-2023-27043)

References:
https://www.openwall.com/lists/oss-security/2024/06/17/2
https://www.openwall.com/lists/oss-security/2024/06/17/3
https://lwn.net/Articles/983060/
https://www.openwall.com/lists/oss-security/2024/08/01/3
https://www.openwall.com/lists/oss-security/2024/08/22/1
https://www.openwall.com/lists/oss-security/2024/09/03/5
https://www.openwall.com/lists/oss-security/2024/09/07/3
========================

Updated packages in core/updates_testing:
========================
lib(64)python3.10-3.10.11-1.3.mga9
lib(64)python3-devel-3.10.11-1.3.mga9
lib(64)python3.10-stdlib-3.10.11-1.3.mga9
lib(64)python3.10-testsuite-3.10.11-1.3.mga9
python3-3.10.11-1.3.mga9
python3-docs-3.10.11-1.3.mga9
tkinter3-3.10.11-1.3.mga9
tkinter3-apps-3.10.11-1.3.mga9

from SRPM:
python3-3.10.11-1.3.mga9.src.rpm

Status comment: Fixed upstream in 3.12.6 and 3.10.15 => (none)
Whiteboard: MGA9TOO => (none)
Assignee: python => qa-bugs
Status: NEW => ASSIGNED
Version: Cauldron => 9
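
The following is an added example, not code from the bug report or from the Mageia package: a post-update probe for the CVE-2024-4032 item in the advisory above. It asks the installed ipaddress module how it classifies a few addresses whose is_private/is_global answers the upstream fix changed or explicitly kept, so it works on a backported build such as 3.10.11-1.3.mga9 where the version string alone says nothing; the expected values follow the ranges listed in the upstream fix's documentation, and the function names are mine.

```python
"""Probe the running interpreter for the CVE-2024-4032 ipaddress fix."""
import ipaddress
import sys

# Expected (is_private, is_global) after the upstream fix, which aligned the
# module with the IANA Special-Purpose Address Registries. Five of these
# addresses were classified the other way round before the fix; the two
# 192.0.0.x anycast exceptions were already global and must stay global.
EXPECTED = {
    "192.0.0.8": (True, False),     # 192.0.0.0/24 is private (was only /29)
    "192.0.0.9": (False, True),     # explicit exception inside 192.0.0.0/24
    "192.0.0.10": (False, True),    # explicit exception inside 192.0.0.0/24
    "64:ff9b:1::1": (True, False),  # 64:ff9b:1::/48 added as private
    "2002::1": (True, False),       # 2002::/16 (6to4) added as private
    "2001:1::1": (False, True),     # exception inside private 2001::/23
    "2001:20::1": (False, True),    # exception inside private 2001::/23
}


def observe(addresses=tuple(EXPECTED)):
    """Return {address: (is_private, is_global)} as the installed module sees it."""
    result = {}
    for text in addresses:
        addr = ipaddress.ip_address(text)
        result[text] = (addr.is_private, addr.is_global)
    return result


def mismatches(observed, expected=EXPECTED):
    """Addresses whose observed classification differs from the fixed behaviour."""
    return sorted(a for a, want in expected.items() if observed.get(a) != want)


def is_patched():
    """True when every probe matches the post-fix table."""
    return not mismatches(observe())


if __name__ == "__main__":
    bad = mismatches(observe())
    print("python", sys.version.split()[0])
    if bad:
        print("CVE-2024-4032 fix NOT present; still misclassified:", ", ".join(bad))
        sys.exit(1)
    print("CVE-2024-4032 fix present: all probes match the IANA registry")
```

Run it with the candidate python3 from core/updates_testing; a non-zero exit lists the addresses the interpreter still classifies the old way.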

katnatek 2024-09-18 18:38:32 CEST

Keywords: (none) => advisory

Comment 8 katnatek 2024-09-21 00:35:16 CEST
RH x86_64

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Nonfree 32bit Updates (distrib37)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
medium "BDK-Free-x86_64" is up-to-date
medium "BDK-Free-noarch" is up-to-date
medium "BDK-NonFree-x86_64" is up-to-date


installing lib64python3.10-3.10.11-1.3.mga9.x86_64.rpm python3-3.10.11-1.3.mga9.x86_64.rpm lib64python3.10-stdlib-3.10.11-1.3.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/3: python3               ##################################################################################################
      2/3: lib64python3.10-stdlib
                                 ##################################################################################################
      3/3: lib64python3.10       ##################################################################################################
      1/3: removing python3-3.10.11-1.2.mga9.x86_64
                                 ##################################################################################################
      2/3: removing lib64python3.10-3.10.11-1.2.mga9.x86_64
                                 ##################################################################################################
      3/3: removing lib64python3.10-stdlib-3.10.11-1.2.mga9.x86_64
                                 ##################################################################################################

LC_ALL=C urpmi python3-docs


installing python3-docs-3.10.11-1.3.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: python3-docs          ##################################################################################################

 python3 /usr/share/doc/python3-pyparsing/examples/SimpleCalc.py 
Type in the string to be parsed or 'quit' to exit the program
> 4*89
356
> 90/3
30.0
> 2^10
1024
> a=2
2
> b=3
3
> a*b
6
> a+b
5
> quit
Good bye!

Python applications on my system still work.

Comment 9 Morgan Leijström 2024-09-22 21:28:44 CEST
Tested update of installed packages on all systems where I tested kernel Bug 33574
Most mga-64, Plasma
One mga-32, LXDE
No regression noted.

CC: (none) => fri

katnatek 2024-09-23 19:42:04 CEST

Blocks: (none) => 33449

Comment 10 Herman Viaene 2024-09-24 15:44:10 CEST
MGA9-64 server Plasma Wayland on HP Pavilion
Installed all 8 packages listed in Comment 7, but neither the folders used above by katnatek, nor those from the wiki, exist here.
I list here all folders installed

$ ls /usr/share/doc/python3*
/usr/share/doc/python3-astropy:

/usr/share/doc/python3-charset-normalizer:

/usr/share/doc/python3-cups:

/usr/share/doc/python3-curl:

/usr/share/doc/python3-dateutil:

/usr/share/doc/python3-dbus:

/usr/share/doc/python3-distro:

/usr/share/doc/python3-dnf:

/usr/share/doc/python3-dnf-plugins-core:

/usr/share/doc/python3-docs:

/usr/share/doc/python3-gpg:

/usr/share/doc/python3-h5py:

/usr/share/doc/python3-idna:

/usr/share/doc/python3-lxml:

/usr/share/doc/python3-numpy:

/usr/share/doc/python3-packaging:

/usr/share/doc/python3-pillow:

/usr/share/doc/python3-pyatspi:

/usr/share/doc/python3-pybluez:

/usr/share/doc/python3-pyerfa:

/usr/share/doc/python3-pygments:

/usr/share/doc/python3-pyqt5-sip:

/usr/share/doc/python3-reportlab:

/usr/share/doc/python3-requests:

/usr/share/doc/python3-setproctitle:

/usr/share/doc/python3-setuptools:

/usr/share/doc/python3-six:

/usr/share/doc/python3-urllib3:

/usr/share/doc/python3-yaml:

CC: (none) => herman.viaene

Comment 11 katnatek 2024-09-24 18:54:32 CEST
(In reply to Herman Viaene from comment #10)
> MGA9-64 server Plasma Wayland on HP Pavilion
> Installed all 8 packages listed in Comment 7, but neither the folders used
> above by katnatek, nor those from the wiki, exist here.
> I list here all folders installed
> 

Just following your previous test in bug#32998 comment#7

But you are right, the example is part of python3-pyparsing.

Comment 12 Herman Viaene 2024-09-25 09:46:06 CEST
Is that one missing from the package list, or does it remain in version 3.0.9?

Comment 13 Herman Viaene 2024-09-25 09:51:42 CEST
Tested with current version of python3-pyparsing
$ python3 /usr/share/doc/python3-pyparsing/examples/SimpleCalc.py 
Type in the string to be parsed or 'quit' to exit the program
> 4 - 5
-1
> 200/3
66.66666666666667
> 5^2
25

Looks OK to me. If the version of python3-pyparsing is OK, then you have my blessing.

Comment 14 katnatek 2024-09-25 18:16:21 CEST
python3-pyparsing is not part of this update

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 15 Thomas Andrews 2024-09-27 02:09:49 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 16 Mageia Robot 2024-09-27 03:31:53 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0317.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

