OpenSuSE has issued an advisory today (July 11): http://lists.opensuse.org/opensuse-updates/2012-07/msg00022.html Mageia 2 is also affected.
CC: (none) => fundawang
CC: (none) => guillomovitch
Whiteboard: (none) => MGA2TOO
CC: (none) => n54
I found the patch OpenSuSE used to fix this: python-3.2-CVE-2012-2135.patch in python3-3.2.1-5.9.1.src.rpm

I also found an upstream patch which added some tests to the built-in testsuite:
http://hg.python.org/cpython/raw-rev/118fe0ee6921

Finally, I found some code that's supposed to be a reproducer:

    k = len(b'\x00\x01\x00\x00'.decode('utf-32be'))
    for i in range(1000):
        print(i, ascii((b'\xD8\x00\xDC\x00' * i + b'\xDC\x00' + b'\x00>' * 2).decode('utf-16be', 'ignore')[i * k:]))

    k = len(b'\x00\x01\x00\x00'.decode('utf-32be'))
    for i in range(1000):
        print(i, str((b'\xD8\x00\xDC\x00' * i + b'\xDC\x00' + b'\x00>' * 2).decode('utf-16be', 'ignore')[i * k:]))

From the upstream discussion and the Debian bug:
http://bugs.python.org/issue14579
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670389
Patched package uploaded for Mageia 2 and Cauldron.

Note to QA: there is a built-in test suite run during build which was enhanced to check that this is fixed. I also posted what are supposed to be reproducers for the issue (haven't tested them myself) in Comment 1.

Advisory:
========================

Updated python3 packages fix security vulnerability:

In the utf-16 decoder after calling unicode_decode_call_errorhandler aligned_end is not updated. This may potentially cause data leaks, memory damage, and crash (CVE-2012-2135).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2135
http://lists.opensuse.org/opensuse-updates/2012-07/msg00022.html
========================

Updated packages in core/updates_testing:
========================
python3-3.2.3-1.3.mga2
libpython3.2-3.2.3-1.3.mga2
libpython3-devel-3.2.3-1.3.mga2
python3-docs-3.2.3-1.3.mga2
tkinter3-3.2.3-1.3.mga2
tkinter3-apps-3.2.3-1.3.mga2

from python3-3.2.3-1.3.mga2.src.rpm
Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO => (none)
Severity: normal => major
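The reproducer from comment 1, reworked here as an added example (not part of this bug report, of the Mageia package, or of CPython) into a harness that QA can run and check rather than eyeball: each input is i valid surrogate pairs, one lone low surrogate that forces the decoder through its error handler, then two '>' characters, and the harness checks that everything after the error is still decoded correctly. It goes beyond the original by also exercising the 'replace' handler and the little-endian codec, since the same decoder path handles both. It assumes a Python 3 build carrying the CVE-2012-2135 fix (3.2.3 with this update, or any 3.3+); on an unpatched build the point of the bug is that the result is undefined, so nothing here can assert what such a build returns.

```python
import sys

# Constructed input, following the reproducer quoted in this thread: i valid
# surrogate pairs (U+10000 each), one lone low surrogate (U+DC00, invalid on
# its own), then two '>' characters.  The lone surrogate forces the decoder
# through its error handler; the advisory says the decoder's aligned_end was
# not updated after that call, so the bytes after it were at risk.
HIGH, LOW = b'\xD8\x00', b'\xDC\x00'      # big-endian UTF-16 code units
GT = b'\x00>'

# One non-BMP character is 1 code point on a wide build and 2 on a narrow
# build (Python < 3.3), so, like the reproducer, measure it instead of assuming.
K = len(b'\x00\x01\x00\x00'.decode('utf-32be'))


def payload(i, endian='be'):
    """Build the reproducer bytes for the given number of leading pairs."""
    chunk = (HIGH + LOW) * i + LOW + GT * 2
    if endian == 'le':
        # Swap each 2-byte unit so the same sequence can be fed to utf-16le.
        chunk = b''.join(chunk[n + 1:n + 2] + chunk[n:n + 1]
                         for n in range(0, len(chunk), 2))
    return chunk


def tail_after_error(i, errors='ignore', endian='be'):
    """Decode the payload and return what follows the i leading pairs."""
    text = payload(i, endian).decode('utf-16' + endian, errors)
    return text[i * K:]


def bad_indices(limit=1000, errors='ignore', endian='be'):
    """Indices where the decoder did not resume cleanly after the error.

    With 'ignore' the lone surrogate is dropped and the tail must be '>>';
    with 'replace' it becomes U+FFFD followed by '>>'.  A fixed decoder
    returns an empty list.
    """
    expected = '>>' if errors == 'ignore' else '\ufffd>>'
    return [i for i in range(limit)
            if tail_after_error(i, errors, endian) != expected]


def strict_rejects(i, endian='be'):
    """The default 'strict' handler must raise rather than return garbage."""
    try:
        payload(i, endian).decode('utf-16' + endian)
    except UnicodeDecodeError:
        return True
    return False


if __name__ == '__main__':
    print('python', sys.version.split()[0], 'non-BMP char length', K)
    for errors in ('ignore', 'replace'):
        for endian in ('be', 'le'):
            bad = bad_indices(errors=errors, endian=endian)
            print(f'{errors:7s} utf-16{endian}: {len(bad)} bad of 1000', bad[:5])
    print('strict raises:', strict_rejects(3))
```

Running it on a build that segfaults (as comment 3 reports for the unpatched Mageia 2 package) will of course just crash; on the updated package every "bad of 1000" count should be 0 and the strict case should raise.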
Created attachment 2624: test.py script

I've put the commands to create the crash in a file. I've recreated the crash on Mageia 2 i586, and will now test the update.
Testing complete on Mageia 2 i586. I'll test Mageia 2 x86-64 shortly.
CC: (none) => davidwhodgins
Whiteboard: (none) => MGA2-32-OK
On x86-64, I get the segfault before and after installing the update. Was the patch applied to the x86-64 version? I notice the platform is set to i586 above.
Whiteboard: MGA2-32-OK => MGA2-32-OK feedback
(In reply to comment #5)
> On x86-64, I get the segfault before and after installing
> the update.
>
> Was the patch applied to the x86-64 version? I notice
> the platform is set to i586 above.

Bugzilla always sets it to i586, I don't pay any attention to that. The patches are applied unconditionally.
It looks like OpenSuSE used an older version of the patch proposed upstream. I'll try the newer version tomorrow.
Ignore comment 5. I'd used urpmi to install the update, and missed lib64python3.2.

Could someone from the sysadmin team push the srpm python3-3.2.3-1.3.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates.

Advisory:

Updated python3 packages fix security vulnerability:

In the utf-16 decoder after calling unicode_decode_call_errorhandler aligned_end is not updated. This may potentially cause data leaks, memory damage, and crash (CVE-2012-2135).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2135
http://lists.opensuse.org/opensuse-updates/2012-07/msg00022.html
https://bugs.mageia.org/show_bug.cgi?id=6759
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA2-32-OK feedback => MGA2-32-OK MGA2-64-OK
Did you try changing ascii to str in the reproducer to see if that works OK too?
(In reply to comment #9)
> Did you try changing ascii to str in the reproducer to see if that works OK
> too?

Missed that. Just tested both i586 and x86 with the updated version, and they both work. I think it's safe to skip confirming it segfaults the release version.
(In reply to comment #10)
> (In reply to comment #9)
> > Did you try changing ascii to str in the reproducer to see if that works OK
> > too?
>
> Missed that. Just tested both i586 and x86 with the updated version, and
> they both work. I think it's safe to skip confirming it segfaults the
> release version.

Yes, of course. Thanks Dave!
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0208
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED