These issues were fixed in Python 2.7.3, which was pushed in Cauldron, according to Funda Wang.
Assignee: bugsquad => misc
There's also CVE-2011-4944, which also affects Cauldron/Mageia 2 (fixed upstream in 2.7.4). OpenSuSE has issued an advisory for these today (May 30): http://lists.opensuse.org/opensuse-updates/2012-05/msg00048.html Note that oCERT-2011-003 is also known as CVE-2012-1150.
Summary: python new security issues CVE-2012-0876, oCERT-2011-003, CVE-2012-0845, CVE-2011-3389 => python new security issues CVE-2012-0876, oCERT-2011-003, CVE-2012-0845, CVE-2011-3389, CVE-2011-4944
CC: (none) => misc
Version: 1 => 2
Whiteboard: (none) => MGA1TOO
@Cauldron:
According to what I found
- CVE-2012-0845
- CVE-2011-3389
- CVE-2012-1150
are fixed upstream.
I added an upstream patch for CVE-2011-4944

So this leaves CVE-2012-0876, but according to my findings, CVE-2012-0876 is an expat bug, not a python one,

I will have to look at 1 and 2, if I understand this report correctly, this bug affects both of them as well, does it?

Any comments?
CC: (none) => oliver.bgr
According to http://bugs.python.org/issue14234 we should build python with "--with-system-expat"
This should fix CVE-2012-0876.

At the moment we don't, comments on that?
(In reply to comment #2)
> @Cauldron:
> According to what I found
> - CVE-2012-0845
> - CVE-2011-3389
> - CVE-2012-1150
> are fixed upstream.

in Python 2.7.3, yes. We have 2.7.1 in Mageia 1, so those need fixed there.

> I added an upstream patch for CVE-2011-4944

Great :D

> I will have to look at 1 and 2, if I understand this report correctly, this bug
> affects both of them as well, does it?

Yes.

(In reply to comment #3)
> According to http://bugs.python.org/issue14234 we should build python with
> "--with-system-expat"
> This should fix CVE-2012-0876.
>
> At the moment we don't, comments on that?

Yes, we should build against system libraries wherever possible.
(In reply to comment #3)
> According to http://bugs.python.org/issue14234 we should build python with
> "--with-system-expat"
> This should fix CVE-2012-0876.

Yes, this should be enough assuming the system expat itself is not vulnerable :-))
CC: (none) => pitrou
(In reply to comment #5)
> (In reply to comment #3)
> > According to http://bugs.python.org/issue14234 we should build python with
> > "--with-system-expat"
> > This should fix CVE-2012-0876.
>
> Yes, this should be enough assuming the system expat itself is not vulnerable
> :-))

Fixed April 3rd:
https://ml.mageia.org/l/arc/updates-announce/2012-04/msg00002.html

Mageia 2 was Cauldron at the time, which was upgraded to expat 2.1.0 to fix it.
Submitted for Cauldron, will work on updates for 1 and 2.
Status: NEW => ASSIGNED
Assignee: misc => oliver.bgr
Fixed for Mga2
(In reply to comment #8)
> Fixed for Mga2

Thanks. Saving the package list for later.

python-2.7.3-2.1.mga2
libpython2.7-2.7.3-2.1.mga2
libpython-devel-2.7.3-2.1.mga2
python-docs-2.7.3-2.1.mga2
tkinter-2.7.3-2.1.mga2
tkinter-apps-2.7.3-2.1.mga2

from python-2.7.3-2.1.mga2.src.rpm
Mandriva has issued an advisory for these issues today:
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:097

We should be able to steal any remaining needed patches from their SVN.
CC: (none) => n54
Patched package for Mageia 1 uploaded. I also added a small patch to the configure script from rhel6 that mdv added, in both Mageia 1 and Mageia 2 (so 2's update was rebuilt). It turns out that CVE-2012-0876 was already fixed in Python 2.7.3, but it's good we built it against system expat anyway.

One nice thing about Python is it has a test suite that runs during the build, so the fact that it passed bodes well for this update being good.

The most complicated patch by far is the CVE-2012-1150 one, as it's huge and touches a lot of files. Hopefully there are PoCs out there for some of these, and one for this one would be really nice. If not, if there's anything out there that stress tests the Python dictionary implementation, that would be a good test. Otherwise, since the test suite passed, basic testing is probably OK.

Advisory (Mageia 2):
========================

Updated python packages fix security vulnerability:

A race condition was found in the way the Python distutils module set file permissions during the creation of the .pypirc file. If a local user had access to the home directory of another user who is running distutils, they could use this flaw to gain access to that user's .pypirc file, which can contain usernames and passwords for code repositories (CVE-2011-4944).

Additionally, python has been built against the system expat and ffi libraries, to avoid any future issues with those.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4944
http://lists.opensuse.org/opensuse-updates/2012-05/msg00048.html
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:097
========================

Advisory (Mageia 1):
========================

Updated python packages fix security vulnerabilities:

The _ssl module would always disable the CBC IV attack countermeasure (CVE-2011-3389).

A race condition was found in the way the Python distutils module set file permissions during the creation of the .pypirc file. If a local user had access to the home directory of another user who is running distutils, they could use this flaw to gain access to that user's .pypirc file, which can contain usernames and passwords for code repositories (CVE-2011-4944).

A flaw was found in the way the Python SimpleXMLRPCServer module handled clients disconnecting prematurely. A remote attacker could use this flaw to cause excessive CPU consumption on a server using SimpleXMLRPCServer (CVE-2012-0845).

Hash table collisions CPU usage DoS for the embedded copy of expat (CVE-2012-0876).

A denial of service flaw was found in the implementation of associative arrays (dictionaries) in Python. An attacker able to supply a large number of inputs to a Python application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions (CVE-2012-1150).

Additionally, python has been built against the system expat and ffi libraries, to avoid any future issues with those.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4944
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0845
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0876
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1150
http://lists.opensuse.org/opensuse-updates/2012-05/msg00048.html
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:097
========================

Updated packages in core/updates_testing:
========================
python-2.7.1-6.2.mga1
libpython2.7-2.7.1-6.2.mga1
libpython-devel-2.7.1-6.2.mga1
python-docs-2.7.1-6.2.mga1
tkinter-2.7.1-6.2.mga1
tkinter-apps-2.7.1-6.2.mga1
python-2.7.3-2.2.mga2
libpython2.7-2.7.3-2.2.mga2
libpython-devel-2.7.3-2.2.mga2
python-docs-2.7.3-2.2.mga2
tkinter-2.7.3-2.2.mga2
tkinter-apps-2.7.3-2.2.mga2

from SRPMS:
python-2.7.1-6.2.mga1.src.rpm
python-2.7.3-2.2.mga2.src.rpm
Assignee: oliver.bgr => qa-bugs
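The CVE-2011-4944 race described in the advisory above, as an added illustration that is not part of the bug report and not the distutils patch itself: the first writer creates the file under the umask and tightens it afterwards, the second creates it as 0600 from the start. Function names and the sample credentials are constructed, and the O_EXCL flag is an extra hardening choice made for this example.

```python
import os
import stat
import tempfile

# Constructed sample content; not a real credential.
SAMPLE = "[server-login]\nusername:example\npassword:constructed-placeholder\n"

def write_racy(path, data):
    """Create-then-chmod: returns the mode the file has while it is being written."""
    with open(path, "w") as f:
        f.write(data)
        # Race window: the file exists with the umask-derived mode (typically
        # 0644), so another local user who can reach the directory can open it.
        exposed = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
    os.chmod(path, 0o600)  # too late for a reader that already holds a descriptor
    return exposed

def write_private(path, data):
    """Create the file as 0600 atomically; O_EXCL refuses a pre-planted file or symlink."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
        return stat.S_IMODE(os.fstat(f.fileno()).st_mode)

def demo():
    """Run both writers under a common default umask and return the observed modes."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            racy = write_racy(os.path.join(d, "racy.pypirc"), SAMPLE)
            private = write_private(os.path.join(d, "private.pypirc"), SAMPLE)
    finally:
        os.umask(old_umask)
    return racy, private

if __name__ == "__main__":
    racy, private = demo()
    print("create-then-chmod mode during write: %o" % racy)
    print("os.open(..., 0600) mode during write: %o" % private)
```
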
I think minimal testing is appropriate given the above comments. Running idle from the tkinter-apps, and then having it run print "Hello World" is enough to show that python/tkinter are installed ok, and appear to be working. Testing complete on Mageia 2 i586. I'll test Mageia 1 i586 shortly.
CC: (none) => davidwhodgins
Whiteboard: MGA1TOO => MGA1TOO MGA2-32-OK
Testing complete on Mageia 1 i586.
Whiteboard: MGA1TOO MGA2-32-OK => MGA1TOO MGA2-32-OK MGA1-32-OK
(In reply to comment #11)
>
> The most complicated patch by far is the CVE-2012-1150 one, as it's huge and
> touches a lot of files. Hopefully there are PoCs out there for some of these,
> and one for this one would be really nice.

The patch doesn't alter default behaviour (i.e. predictability of hashes), for compatibility reasons. By passing the -R flag on the command-line, you enable randomized hashes.

Example (with a freshly compiled 64-bit 2.6 Python):

$ python2.6 -c "print hash('a')"
12416037344
$ python2.6 -c "print hash('a')"
12416037344
$ python2.6 -R -c "print hash('a')"
-5405731566704323130
$ python2.6 -R -c "print hash('a')"
-7554114005484610474
$ python2.6 -R -c "print hash('a')"
-4114695861840400465

Another way to enable hash randomization is to use the PYTHONHASHSEED=random environment variable:

$ PYTHONHASHSEED=random python2.6 -c "print hash('a')"
-1520395172601019512
$ PYTHONHASHSEED=random python2.6 -c "print hash('a')"
-2190436581504082743
$ PYTHONHASHSEED=random python2.6 -c "print hash('a')"
-7599574951110094912

PYTHONHASHSEED can also be set to an integer, in order to force a given hash seed (e.g. as a local secret):

$ PYTHONHASHSEED=1234 python2.6 -c "print hash('a')"
6875756269939927444
$ PYTHONHASHSEED=1234 python2.6 -c "print hash('a')"
6875756269939927444
$ PYTHONHASHSEED=12345 python2.6 -c "print hash('a')"
-4173664862093156208
$ PYTHONHASHSEED=12345 python2.6 -c "print hash('a')"
-4173664862093156208

> If not, if there's anything out
> there that stress tests the Python dictionary implementation, that would be a
> good test.

The dictionary implementation is used for attribute storage, it is quite well stress-tested by both the regression test suite, and any other Python software.
Testing complete mga1 64

PoC for CVE-2012-0845 mga1 here: https://bugzilla.redhat.com/show_bug.cgi?id=789790
after the ^C python takes full CPU %.

For the others there are no details other than 'readily available tools'.

Basic testing plus confirmed the above is fixed.
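A way to verify the behaviour shown in the comment above on any installed interpreter, as an added example that is not part of the bug report or of the Python patch: it starts fresh child interpreters under different PYTHONHASHSEED settings and reports whether hash('a') is stable across processes. The helper names are illustrative; the example also checks PYTHONHASHSEED=0, which disables randomization and is not shown in the comment. The patched 2.x builds discussed here report "fixed" for the default case, while Python 3.3 and later randomize by default.

```python
import os
import subprocess
import sys

def child_hash(seed=None, text="a"):
    """hash(text) as computed by a fresh interpreter with the given PYTHONHASHSEED."""
    env = dict(os.environ)
    env.pop("PYTHONHASHSEED", None)        # start from the interpreter's default
    if seed is not None:
        env["PYTHONHASHSEED"] = str(seed)
    code = "import sys; sys.stdout.write(str(hash(%r)))" % text
    return int(subprocess.check_output([sys.executable, "-c", code], env=env))

def classify(seed, runs=4):
    """'fixed' if every fresh process agrees on the hash, else 'randomized'."""
    values = set(child_hash(seed) for _ in range(runs))
    return "fixed" if len(values) == 1 else "randomized"

def audit():
    """Classify the settings from the comment, plus the default and seed 0."""
    return {
        "default": classify(None),
        "PYTHONHASHSEED=random": classify("random"),
        "PYTHONHASHSEED=1234": classify(1234),
        "PYTHONHASHSEED=0": classify(0),
    }

if __name__ == "__main__":
    for setting, result in sorted(audit().items()):
        print("%-24s %s" % (setting, result))
    # A "fixed" default means string hashes are predictable across processes,
    # i.e. the CVE-2012-1150 mitigation is not active unless -R or
    # PYTHONHASHSEED=random is set for the service.
```
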
Whiteboard: MGA1TOO MGA2-32-OK MGA1-32-OK => MGA1TOO MGA2-32-OK MGA1-32-OK mga1-64-OK
Testing complete mga2 64

Validating

Advisory and srpms for mga1 & 2 in comment 11

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Hardware: i586 => All
Whiteboard: MGA1TOO MGA2-32-OK MGA1-32-OK mga1-64-OK => MGA1TOO MGA2-32-OK MGA1-32-OK mga1-64-OK mga2-64-OK
Update pushed:
Mageia 1: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0169
Mageia 2: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0170
CC: (none) => tmb
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED