Bug 6759 - python3 new security issue CVE-2012-2135
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal  Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/506376/
Whiteboard: MGA2-32-OK MGA2-64-OK
Keywords: validated_update

Reported: 2012-07-11 21:58 CEST by David Walser
Modified: 2012-08-12 20:21 CEST (History)
CC: 6 users
Source RPM: python3-3.2.3-1.mga2.src.rpm

Attachments
test.py script (203 bytes, text/plain), 2012-08-09 01:14 CEST, Dave Hodgins

Description David Walser 2012-07-11 21:58:14 CEST
OpenSuSE has issued an advisory today (July 11):
http://lists.opensuse.org/opensuse-updates/2012-07/msg00022.html

Mageia 2 is also affected.
Comment 1 David Walser 2012-08-08 21:28:17 CEST
I found the patch OpenSuSE used to fix this.
python-3.2-CVE-2012-2135.patch in python3-3.2.1-5.9.1.src.rpm

I also found an upstream patch which added some tests to the built-in testsuite.
http://hg.python.org/cpython/raw-rev/118fe0ee6921

Finally, I found some code that's supposed to be a reproducer.

# Reproducer: i surrogate pairs (U+10000 each), then a lone low surrogate,
# then '>>'. With errors='ignore' a correct decoder prints '>>' for every i;
# a vulnerable one reads past the input, prints junk, or segfaults.
# k is 1 on wide-Unicode builds and 2 on narrow (UCS-2) builds, so the
# slice skips the i characters produced by the valid pairs on either build.
k = len(b'\x00\x01\x00\x00'.decode('utf-32be'))
for i in range(1000):
    print(i, ascii((b'\xD8\x00\xDC\x00' * i + b'\xDC\x00' + b'\x00>' * 2).decode('utf-16be', 'ignore')[i * k:]))

# Same loop with str() instead of ascii(), so any stray non-ASCII output is
# written out as-is rather than escaped.
k = len(b'\x00\x01\x00\x00'.decode('utf-32be'))
for i in range(1000):
    print(i, str((b'\xD8\x00\xDC\x00' * i + b'\xDC\x00' + b'\x00>' * 2).decode('utf-16be', 'ignore')[i * k:]))

From the upstream discussion and the Debian bug:
http://bugs.python.org/issue14579
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670389
Comment 2 David Walser 2012-08-08 22:37:48 CEST
Patched package uploaded for Mageia 2 and Cauldron.

Note to QA: there is a built-in test suite run during build which was enhanced to check that this is fixed.  I also posted what are supposed to be reproducers for the issue (haven't tested them myself) in Comment 1.

Advisory:
========================

Updated python3 packages fix security vulnerability:

In the utf-16 decoder after calling unicode_decode_call_errorhandler
aligned_end is not updated. This may potentially cause data leaks,
memory damage, and crash (CVE-2012-2135).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2135
http://lists.opensuse.org/opensuse-updates/2012-07/msg00022.html
========================

Updated packages in core/updates_testing:
========================
python3-3.2.3-1.3.mga2
libpython3.2-3.2.3-1.3.mga2
libpython3-devel-3.2.3-1.3.mga2
python3-docs-3.2.3-1.3.mga2
tkinter3-3.2.3-1.3.mga2
tkinter3-apps-3.2.3-1.3.mga2

from python3-3.2.3-1.3.mga2.src.rpm
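The advisory above names the defect (the UTF-16 decoder does not refresh aligned_end after unicode_decode_call_errorhandler has consumed a bad code unit, so decoding continues from a stale bound), and the reproducer in comment 1 only prints what comes out. What follows is an added example for QA, not code from this bug, from the Mageia package or from CPython's own testsuite. It builds the same input as the comment 1 reproducer, but for both byte orders and with the ignore, replace and strict error handlers, and returns mismatches instead of printing them, so a test can assert on the result. The helper names (payload, decode_tail, strict_error_span, find_mismatches) and the constructed sample data are this example's own assumptions.

```python
import struct

# Width of one non-BMP character in a str: 1 on wide-Unicode builds (and on
# every Python >= 3.3), 2 on narrow (UCS-2) builds such as the 3.2 package
# under test. The reproducer in comment 1 derives the same constant.
K = len(b'\x00\x01\x00\x00'.decode('utf-32be'))

# Constructed sample data for this example (not from the bug report).
HIGH, LOW = 0xD800, 0xDC00      # the surrogate pair encoding U+10000
TAIL = '>>'                     # ASCII text that must survive the error


def payload(pairs, byteorder='big'):
    """Build `pairs` valid surrogate pairs, then one lone low surrogate
    (the decode error the error handler must consume), then TAIL.
    For pairs=1, big-endian, this is exactly the comment 1 input for i=1."""
    fmt = '>H' if byteorder == 'big' else '<H'
    units = [HIGH, LOW] * pairs + [LOW] + [ord(c) for c in TAIL]
    return b''.join(struct.pack(fmt, u) for u in units)


def decode_tail(pairs, byteorder='big', errors='ignore'):
    """Decode the payload and return whatever follows the `pairs` decoded
    non-BMP characters. On a correct decoder that is TAIL, with a U+FFFD
    in front of it when errors='replace'."""
    codec = 'utf-16be' if byteorder == 'big' else 'utf-16le'
    text = payload(pairs, byteorder).decode(codec, errors)
    return text[pairs * K:]


def strict_error_span(pairs, byteorder='big'):
    """With errors='strict' the lone surrogate must be reported at its own
    byte offset (pairs * 4, two bytes wide), not at some stale position."""
    codec = 'utf-16be' if byteorder == 'big' else 'utf-16le'
    try:
        payload(pairs, byteorder).decode(codec, 'strict')
    except UnicodeDecodeError as exc:
        return (exc.start, exc.end)
    return None


def find_mismatches(limit=1000):
    """Run the reproducer for both byte orders and both non-strict error
    handlers. Returns a list of (pairs, byteorder, errors, got) tuples;
    an empty list means every decode produced exactly the expected tail.
    A vulnerable interpreter segfaults or returns stray characters here."""
    expected = {'ignore': TAIL, 'replace': '\ufffd' + TAIL}
    bad = []
    for byteorder in ('big', 'little'):
        for errors, want in expected.items():
            for i in range(limit):
                got = decode_tail(i, byteorder, errors)
                if got != want:
                    bad.append((i, byteorder, errors, got))
                    break  # one failure per combination is enough
    return bad


if __name__ == '__main__':
    import sys
    problems = find_mismatches()
    for pairs, byteorder, errors, got in problems:
        print('FAIL: pairs=%d %s-endian errors=%r got %s'
              % (pairs, byteorder, errors, ascii(got)))
    print('strict error span for 3 pairs:', strict_error_span(3))
    sys.exit(1 if problems else 0)
```

Run it with the candidate interpreter (python3 from the updates_testing package); a non-zero exit, any FAIL line, or a segfault means the decoder is still reading past the error position. Checking both byte orders and the replace handler goes beyond the comment 1 reproducer on purpose: the stale-bound bug is in the shared decode loop, so the error handler that runs and the byte order in use should make no difference to a fixed build.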
Comment 3 Dave Hodgins 2012-08-09 01:14:11 CEST
Created attachment 2624
test.py script

I've put the commands to create the crash in a file.
I've recreated the crash on Mageia 2 i586, and will
now test the update.
Comment 4 Dave Hodgins 2012-08-09 01:18:04 CEST
Testing complete on Mageia 2 i586.

I'll test Mageia 2 x86-64 shortly.
Comment 5 Dave Hodgins 2012-08-09 01:23:38 CEST
On x86-64, I get the segfault before and after installing
the update.

Was the patch applied to the x86-64 version?  I notice
the platform is set to i586 above.
Comment 6 David Walser 2012-08-09 01:28:55 CEST
(In reply to comment #5)
> On x86-64, I get the segfault before and after installing
> the update.
> 
> Was the patch applied to the x86-64 version?  I notice
> the platform is set to i586 above.

Bugzilla always sets it to i586, I don't pay any attention to that.

The patches are applied unconditionally.
Comment 7 David Walser 2012-08-09 01:36:26 CEST
It looks like OpenSuSE used an older version of the patch proposed upstream.

I'll try the newer version tomorrow.
Comment 8 Dave Hodgins 2012-08-09 01:44:11 CEST
Ignore comment 5.  I'd used urpmi to install the update,
and missed lib64python3.2.

Could someone from the sysadmin team push the srpm
python3-3.2.3-1.3.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated python3 packages fix security vulnerability:

In the utf-16 decoder after calling unicode_decode_call_errorhandler
aligned_end is not updated. This may potentially cause data leaks,
memory damage, and crash (CVE-2012-2135).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2135
http://lists.opensuse.org/opensuse-updates/2012-07/msg00022.html

https://bugs.mageia.org/show_bug.cgi?id=6759
Comment 9 David Walser 2012-08-09 01:50:58 CEST
Did you try changing ascii to str in the reproducer to see if that works OK too?
Comment 10 Dave Hodgins 2012-08-09 04:50:54 CEST
(In reply to comment #9)
> Did you try changing ascii to str in the reproducer to see if that works OK
> too?

Missed that.  Just tested both i586 and x86 with the updated version, and
they both work.  I think it's safe to skip confirming it segfaults the
release version.
Comment 11 David Walser 2012-08-09 13:03:28 CEST
(In reply to comment #10)
> (In reply to comment #9)
> > Did you try changing ascii to str in the reproducer to see if that works OK
> > too?
> 
> Missed that.  Just tested both i586 and x86 with the updated version, and
> they both work.  I think it's safe to skip confirming it segfaults the
> release version.

Yes, of course.  Thanks Dave!
Comment 12 Thomas Backlund 2012-08-12 20:21:10 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0208
