Bug 5843 - python new security issues CVE-2012-0876, oCERT-2011-003, CVE-2012-0845, CVE-2011-3389, CVE-2011-4944
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Reported: 2012-05-11 03:12 CEST by David Walser
Modified: 2012-07-19 01:41 CEST (History)
Source RPM: python-2.7.1-6.1.mga1.src.rpm
Description David Walser 2012-05-11 03:12:14 CEST
These issues were fixed in Python 2.7.3, which was pushed in Cauldron, according to Funda Wang.
Comment 1 David Walser 2012-05-30 21:35:03 CEST
There's also CVE-2011-4944, which also affects Cauldron/Mageia 2 (fixed upstream in 2.7.4).  OpenSuSE has issued an advisory for these today (May 30):
http://lists.opensuse.org/opensuse-updates/2012-05/msg00048.html

Note that oCERT-2011-003 is also known as CVE-2012-1150.
Comment 2 Oliver Burger 2012-06-18 13:48:38 CEST
@Cauldron:
According to what I found
- CVE-2012-0845
- CVE-2011-3389
- CVE-2012-1150
are fixed upstream.

I added an upstream patch for CVE-2011-4944

So this leaves CVE-2012-0876, but according to my findings, CVE-2012-0876 is an expat bug, not a Python one.

I will have to look at 1 and 2. If I understand this report correctly, this bug affects both of them as well, does it?

Any comments?
Comment 3 Oliver Burger 2012-06-18 13:59:51 CEST
According to http://bugs.python.org/issue14234 we should build python with
"--with-system-expat"
This should fix CVE-2012-0876.

At the moment we don't, comments on that?
Comment 4 David Walser 2012-06-18 14:48:06 CEST
(In reply to comment #2)
> @Cauldron:
> According to what I found
> - CVE-2012-0845
> - CVE-2011-3389
> - CVE-2012-1150
> are fixed upstream.

in Python 2.7.3, yes.  We have 2.7.1 in Mageia 1, so those need to be fixed there.

> I added an upstream patch for CVE-2011-4944

Great :D

> I will have to look at 1 and 2, if I understand this report correctly, this bug
> affects both of them as well, does it?

Yes.

(In reply to comment #3)
> According to http://bugs.python.org/issue14234 we should build python with
> "--with-system-expat"
> This should fix CVE-2012-0876.
> 
> At the moment we don't, comments on that?

Yes, we should build against system libraries wherever possible.
Comment 5 Antoine Pitrou 2012-06-18 22:14:43 CEST
(In reply to comment #3)
> According to http://bugs.python.org/issue14234 we should build python with
> "--with-system-expat"
> This should fix CVE-2012-0876.

Yes, this should be enough assuming the system expat itself is not vulnerable :-))
Comment 6 David Walser 2012-06-18 22:36:32 CEST
(In reply to comment #5)
> (In reply to comment #3)
> > According to http://bugs.python.org/issue14234 we should build python with
> > "--with-system-expat"
> > This should fix CVE-2012-0876.
> 
> Yes, this should be enough assuming the system expat itself is not vulnerable
> :-))

Fixed April 3rd:
https://ml.mageia.org/l/arc/updates-announce/2012-04/msg00002.html

Mageia 2 was Cauldron at the time, which was upgraded to expat 2.1.0 to fix it.
Comment 7 Oliver Burger 2012-06-19 09:57:50 CEST
Submitted for Cauldron, will work on updates for 1 and 2.
Comment 8 Oliver Burger 2012-06-19 15:47:49 CEST
Fixed for Mga2
Comment 9 David Walser 2012-06-19 17:41:08 CEST
(In reply to comment #8)
> Fixed for Mga2

Thanks.  Saving the package list for later.

python-2.7.3-2.1.mga2
libpython2.7-2.7.3-2.1.mga2
libpython-devel-2.7.3-2.1.mga2
python-docs-2.7.3-2.1.mga2
tkinter-2.7.3-2.1.mga2
tkinter-apps-2.7.3-2.1.mga2

from python-2.7.3-2.1.mga2.src.rpm
Comment 10 David Walser 2012-06-20 18:49:45 CEST
Mandriva has issued an advisory for these issues today:
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:097

We should be able to steal any remaining needed patches from their SVN.
Comment 11 David Walser 2012-07-10 02:25:12 CEST
Patched package for Mageia 1 uploaded.

I also added a small patch to the configure script from rhel6 that mdv added, in both Mageia 1 and Mageia 2 (so 2's update was rebuilt).

It turns out that CVE-2012-0876 was already fixed in Python 2.7.3, but it's good we built it against system expat anyway.

One nice thing about Python is it has a test suite that runs during the build, so the fact that it passed bodes well for this update being good.

The most complicated patch by far is the CVE-2012-1150 one, as it's huge and touches a lot of files.  Hopefully there are PoCs out there for some of these, and one for this one would be really nice.  If not, if there's anything out there that stress tests the Python dictionary implementation, that would be a good test.

Otherwise, since the test suite passed, basic testing is probably OK.

Advisory (Mageia 2):
========================

Updated python packages fix security vulnerability:

A race condition was found in the way the Python distutils module
set file permissions during the creation of the .pypirc file. If a
local user had access to the home directory of another user who is
running distutils, they could use this flaw to gain access to that
user's .pypirc file, which can contain usernames and passwords for
code repositories (CVE-2011-4944).

Additionally, python has been built against the system expat and ffi
libraries, to avoid any future issues with those.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4944
http://lists.opensuse.org/opensuse-updates/2012-05/msg00048.html
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:097
========================

Advisory (Mageia 1):
========================

Updated python packages fix security vulnerabilities:

The _ssl module would always disable the CBC IV attack countermeasure
(CVE-2011-3389).

A race condition was found in the way the Python distutils module
set file permissions during the creation of the .pypirc file. If a
local user had access to the home directory of another user who is
running distutils, they could use this flaw to gain access to that
user's .pypirc file, which can contain usernames and passwords for
code repositories (CVE-2011-4944).

A flaw was found in the way the Python SimpleXMLRPCServer module
handled clients disconnecting prematurely. A remote attacker could
use this flaw to cause excessive CPU consumption on a server using
SimpleXMLRPCServer (CVE-2012-0845).

Hash table collisions CPU usage DoS for the embedded copy of expat
(CVE-2012-0876).

A denial of service flaw was found in the implementation of associative
arrays (dictionaries) in Python. An attacker able to supply a large
number of inputs to a Python application (such as HTTP POST request
parameters sent to a web application) that are used as keys when
inserting data into an array could trigger multiple hash function
collisions, making array operations take an excessive amount of
CPU time. To mitigate this issue, randomization has been added to
the hash function to reduce the chance of an attacker successfully
causing intentional collisions (CVE-2012-1150).

Additionally, python has been built against the system expat and ffi
libraries, to avoid any future issues with those.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4944
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0845
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0876
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1150
http://lists.opensuse.org/opensuse-updates/2012-05/msg00048.html
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:097
========================

Updated packages in core/updates_testing:
========================
python-2.7.1-6.2.mga1
libpython2.7-2.7.1-6.2.mga1
libpython-devel-2.7.1-6.2.mga1
python-docs-2.7.1-6.2.mga1
tkinter-2.7.1-6.2.mga1
tkinter-apps-2.7.1-6.2.mga1
python-2.7.3-2.2.mga2
libpython2.7-2.7.3-2.2.mga2
libpython-devel-2.7.3-2.2.mga2
python-docs-2.7.3-2.2.mga2
tkinter-2.7.3-2.2.mga2
tkinter-apps-2.7.3-2.2.mga2

from SRPMS:
python-2.7.1-6.2.mga1.src.rpm
python-2.7.3-2.2.mga2.src.rpm
Comment 12 Dave Hodgins 2012-07-11 23:09:35 CEST
I think minimal testing is appropriate given the above comments.

Running idle from the tkinter-apps, and then having it run
print "Hello World"
is enough to show that python/tkinter are installed ok, and appear to
be working.

Testing complete on Mageia 2 i586.

I'll test Mageia 1 i586 shortly.
Comment 13 Dave Hodgins 2012-07-11 23:19:59 CEST
Testing complete on Mageia 1 i586.
Comment 14 Antoine Pitrou 2012-07-11 23:29:40 CEST
(In reply to comment #11)
> 
> The most complicated patch by far is the CVE-2012-1150 one, as it's huge and
> touches a lot of files.  Hopefully there are PoCs out there for some of these,
> and one for this one would be really nice.

The patch doesn't alter default behaviour (i.e. predictability of hashes), for compatibility reasons. By passing the -R flag on the command-line, you enable randomized hashes. Example (with a freshly compiled 64-bit 2.6 Python):

$ python2.6 -c "print hash('a')"
12416037344
$ python2.6 -c "print hash('a')"
12416037344

$ python2.6 -R -c "print hash('a')"
-5405731566704323130
$ python2.6 -R -c "print hash('a')"
-7554114005484610474
$ python2.6 -R -c "print hash('a')"
-4114695861840400465

Another way to enable hash randomization is to use the PYTHONHASHSEED=random environment variable:

$ PYTHONHASHSEED=random python2.6 -c "print hash('a')"
-1520395172601019512
$ PYTHONHASHSEED=random python2.6 -c "print hash('a')"
-2190436581504082743
$ PYTHONHASHSEED=random python2.6 -c "print hash('a')"
-7599574951110094912

PYTHONHASHSEED can also be set to an integer, in order to force a given hash seed (e.g. as a local secret):

$ PYTHONHASHSEED=1234 python2.6 -c "print hash('a')"
6875756269939927444
$ PYTHONHASHSEED=1234 python2.6 -c "print hash('a')"
6875756269939927444
$ PYTHONHASHSEED=12345 python2.6 -c "print hash('a')"
-4173664862093156208
$ PYTHONHASHSEED=12345 python2.6 -c "print hash('a')"
-4173664862093156208

> If not, if there's anything out
> there that stress tests the Python dictionary implementation, that would be a
> good test.

The dictionary implementation is used for attribute storage, it is quite well stress-tested by both the regression test suite, and any other Python software.
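A small check, added here as an example and not part of the bug's own packaging work, that a QA tester could use to confirm the behaviour comment 14 describes: it spawns fresh interpreters with different PYTHONHASHSEED values and compares the resulting hashes. It assumes a Python interpreter that honours PYTHONHASHSEED (2.6.8/2.7.3 with the CVE-2012-1150 patch, or any 3.x, where randomization is on by default and PYTHONHASHSEED=0 turns it off).

```python
import os
import subprocess
import sys

# Assumption: the interpreter under test is the one running this script.
# Set INTERPRETER to e.g. "/usr/bin/python2.7" to check a packaged build.
INTERPRETER = sys.executable


def _run_with_seed(code, seed, *argv):
    """Run `code` in a fresh interpreter with PYTHONHASHSEED=seed, return stdout."""
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    out = subprocess.check_output([INTERPRETER, "-c", code] + list(argv), env=env)
    return out.decode().strip()


def hash_of(value, seed):
    """hash(value) as computed by a fresh process started with the given seed."""
    return int(_run_with_seed("import sys; print(hash(sys.argv[1]))", seed, value))


def interpreter_randomized(seed):
    """True if a process started with PYTHONHASHSEED=seed reports hash randomization on.

    sys.flags.hash_randomization was added together with the -R flag in the
    CVE-2012-1150 fix, so it is the authoritative in-process indicator."""
    return _run_with_seed("import sys; print(int(sys.flags.hash_randomization))", seed) == "1"


def seed_is_deterministic(value="a", seed=1234, runs=2):
    """A fixed integer seed must give the same hash on every run (local secret)."""
    return len({hash_of(value, seed) for _ in range(runs)}) == 1


def randomization_enabled(value="a", runs=3):
    """PYTHONHASHSEED=random must give differing hashes across runs.

    Three identical 64-bit hashes by chance is negligible, so a single value
    across `runs` launches means the fix is absent or disabled."""
    return len({hash_of(value, "random") for _ in range(runs)}) > 1


if __name__ == "__main__":
    print("fixed seed deterministic:", seed_is_deterministic())
    print("PYTHONHASHSEED=random varies:", randomization_enabled())
    print("flag reported for seed 0:", interpreter_randomized(0))
```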
Comment 15 claire robinson 2012-07-16 18:01:03 CEST
Testing complete mga1 64

PoC for CVE-2012-0845 mga1 here:
https://bugzilla.redhat.com/show_bug.cgi?id=789790

After the ^C, python takes full CPU %.

For the others there are no details other than 'readily available tools'.

Basic testing plus confirmed the above is fixed.
Comment 16 claire robinson 2012-07-16 18:21:23 CEST
Testing complete mga2 64

Validating

Advisory and srpms for mga1 & 2 in comment 11

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
