** Please note that this issue is confidential at the moment and no information should be disclosed until it is made public **

hawking, feel free to add other python maintainers if needed... just keep this confidential

Could someone please check if 2.4 is affected by these issues too.

David Remahl of Apple Product Security reports the following:

[...]

We have identified a number of integer overflow security issues in the core python library (dealing with some of the basic types). I also found an integer overflow issue in the strop module and one in hashlib (leading to unreliable cryptographic digest results). Additionally, a number of issues that are expected to be resolved by <http://bugs.python.org/issue2620> were identified in this audit.

These issues are detailed in the files attached below. Patches and test cases are included. Note that some issues only affect certain architectures, e.g. 32/64 bit or 2/4 byte unicode. 2.5.2 and 2.6b1 are vulnerable to varying extents (see patches for details). 3.0a has not been investigated, nor have 2.4 and earlier releases.

Some of the test cases need to be run with regrtest.py -M <large value>. A new test decorator (precisionbigmemtest) was created because of the need to have bigmem tests that take a specific size value, not just the largest size that can be accommodated.

The following CVE names have been assigned by Apple:
CVE-2008-2315: Multiple integer overflows in python core (stringobject, unicodeobject, bufferobject, longobject, tupleobject, stropmodule, gcmodule, mmapmodule)
CVE-2008-2316: Partial hashlib hashing of data exceeding 4GB (_hashopenssl)

Also included in this message are patches for some non-security bugs that were encountered during the audit. They have no test cases and have received little testing. Caveat emptor.

[...]

Note that one of the issues is in the same code snippet that was touched in PSF-2006-001 (CVE-2006-4980).
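The bug class behind CVE-2008-2315 is a size computed as length times count in a native basic-type implementation, where the product wraps in a machine integer before it is used to size an allocation. The following C is an added illustration written for this page; it is not code from the attached patches or from CPython, and the function names (checked_mul_size, repeat_checked, naive_repeat_size, repeat_would_overflow) are hypothetical. It puts the unchecked size arithmetic beside the hardened form that rejects the request before allocating, which is the shape of fix a maintainer would look for when reviewing such a patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Unchecked size arithmetic, shown only to make the wraparound visible:
 * len * n silently wraps modulo SIZE_MAX + 1, so a huge request can look
 * tiny to the allocator while the copy loop still writes len * n bytes. */
size_t naive_repeat_size(size_t len, size_t n) {
    return len * n;                     /* hypothetical unchecked form */
}

/* Returns 1 and stores a * b in *out if it fits in size_t, 0 otherwise. */
int checked_mul_size(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a)
        return 0;                       /* product would wrap */
    *out = a * b;
    return 1;
}

/* Test helper: would repeating len bytes n times overflow size_t? */
int repeat_would_overflow(size_t len, size_t n) {
    size_t unused;
    return !checked_mul_size(len, n, &unused);
}

/* Hardened "repeat a byte string n times" (hypothetical routine modelled on
 * the kind of sequence-repeat code the advisory mentions). Rejects any
 * request whose total size cannot be represented, then allocates exactly
 * total + 1 bytes. Returns NULL on overflow or allocation failure; the
 * caller frees the result. */
char *repeat_checked(const char *s, size_t len, size_t n, size_t *out_len) {
    size_t total;
    if (!checked_mul_size(len, n, &total))
        return NULL;                    /* refuse: len * n does not fit */
    if (total == SIZE_MAX)
        return NULL;                    /* refuse: no room for the NUL */
    char *buf = malloc(total + 1);
    if (buf == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)
        memcpy(buf + i * len, s, len);  /* i * len <= total, cannot wrap */
    buf[total] = '\0';
    if (out_len != NULL)
        *out_len = total;
    return buf;
}

int main(void) {
    size_t len = 0;
    char *r = repeat_checked("ab", 2, 3, &len);
    printf("small request: %s (len %zu)\n", r ? r : "NULL", len);
    free(r);
    /* Constructed overflow case: (SIZE_MAX/2 + 1) * 2 wraps to 0. */
    printf("naive size for wrapping request: %zu\n",
           naive_repeat_size(SIZE_MAX / 2 + 1, 2));
    printf("checked request refused: %s\n",
           repeat_checked("ab", SIZE_MAX / 2 + 1, 2, NULL) == NULL ? "yes" : "no");
    return 0;
}
```

The point of the check is that it runs on the operands, not on the wrapped product: comparing `b > SIZE_MAX / a` is the only way to detect the overflow portably in C, since the multiplication itself has already lost the information once it wraps. A regression test for this class of bug therefore exercises the boundary (a request whose product is exactly one past the representable range), which is why the advisory's precisionbigmemtest decorator takes a specific size rather than the largest size the machine can hold.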
The Python Security Response Team was notified of these issues recently and they have acknowledged that they received the message.
Created attachment 159416 [details, diff] CVE-2008-2315 patch 2.5
Created attachment 159418 [details, diff] CVE-2008-2315 patch trunk
Created attachment 159420 [details, diff] CVE-2008-2316 patch 2.5
Created attachment 159422 [details, diff] CVE-2008-2316 patch trunk
Created attachment 159424 [details, diff] misc fixes 2.5
Created attachment 159426 [details, diff] misc fixes trunk
*** Bug 230589 has been marked as a duplicate of this bug. ***
An ebuild will be attached as soon as I get back home. I'm away for GUADEC right now, hopefully I'll be back on Tuesday or Wednesday. That's like the 16th of this month I guess.
thanks Ali Should we CC another python maintainer to speed things up?
Created attachment 160652 [details, diff] CVE-2008-2315-release25-maint.diff Fixes an indentation error in Lib/tests/test_seq.py Please have a look and make sure that it does the right thing.
Created attachment 160655 [details] python-2.5.2-r6.ebuild Ebuild that applies the attached patches. I'll move the patches from files/ to our patchset after disclosure.
(In reply to comment #9) > thanks Ali > > Should we CC another python maintainer to speed things up? > Next time, please CC python@gentoo.org ;)
(In reply to comment #12) > Next time, please CC python@gentoo.org ;) > ^ That was fail :-]. CC'ing dev-zero because I'll be on vacation till 15th August. I'm not sure if he's available though. @dev-zero: Please CC pythonhead if you don't have time @security: ^ Please do so if he doesn't respond :)
Created attachment 161580 [details, diff] python-2.4.4-CVE-2008-2315.patch
Created attachment 161588 [details] python-2.4.4-r7-overlay.tar.gz I took the liberty of putting together the patches from bug 232137 and this bug, applying them all to our current stable and wrapping it up in an overlay. The python team will probably put these patches into a new gentoo patch tarball. I understood that we are not going to backport these patches to 2.3 anymore, ending its life in the tree?
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug. Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" CC'ing current Liaisons: alpha : yoswink amd64 : welp hppa : jer ppc : dertobi123 ppc64 : corsair sparc : fmccor x86 : tsunam
looks good on ppc64
Shouldn't this be -r14? -r13 is the latest stable....
Good on sparc for python-2.4.4-r7. But current stable is -2.4.4-r13 on sparc. So I guess I echo Comment #18.
Created attachment 161617 [details] python-overlay.tar.gz (In reply to comment #18) > Shouldn't this be -r14? -r13 is the latest stable.... Sorry, my bad. I'm attaching a new tarball that also includes =python/python-2.4.4-r14 =python/python-2.5.2-r6 for stable.
python-2.4.4-r14 and python-2.5.2-r6 are both good on sparc.
alpha/ia64/x86 is good as well
Both are OK for HPPA.
python-2.4.4-r14 and python-2.5.2-r6 are both good on ppc64
Embargo deadline is 1700 UTC tomorrow. Python team, who will be around to commit the new version?
(In reply to comment #25) > Embargo deadline is 1700 UTC tomorrow. Python team, who will be around to > commit the new version? > I have ssh access to my home box so I can do it if no one else does. I'll try to be around at that time tomorrow.
both ok for ppc
Added patches to our patchsets.

Rev.bumped to python-2.4.4-r14 (using python-gentoo-patches-2.4.4-r11.tar.bz2) and python-2.5.2-r6 (using python-gentoo-patches-2.5.2-r6.tar.bz2).

Tests passed for the rev.bumped packages on my amd64. Added amd64 keyword as well.

Committed with the following keywords:
2.4: alpha amd64 hppa ia64 ppc ppc64 sparc x86
2.5: alpha amd64 hppa ia64 ppc ppc64 x86
(In reply to comment #28) > Added patches to our patchsets. > > Rev.bumped to python-2.4.4-r14 (using python-gentoo-patches-2.4.4-r11.tar.bz2) > and python-2.5.2-r6 (using python-gentoo-patches-2.5.2-r6.tar.bz2). > > Tests passed for the rev.bumped packages on my amd64. Added amd64 keyword as > well. > > Committed with the following keywords: > 2.4: alpha amd64 hppa ia64 ppc ppc64 sparc x86 > 2.5: alpha amd64 hppa ia64 ppc ppc64 x86 > Also sparc for 2.5
Arches, please test and mark stable: =dev-lang/python-2.4.4-r14 =dev-lang/python-2.5.2-r6
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Already stabled : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Missing keywords: "arm m68k s390 sh"
GLSA 200807-16