Bug 759928 - <dev-lang/python-{2.7.18-r5,3.6.12-r1,3.7.9-r1,3.8.6-r1,3.9.0-r1}: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+]
Keywords: CC-ARCHES
Depends on:
Blocks: CVE-2020-26116
Reported: 2020-12-14 08:13 UTC by Sam James
Modified: 2021-01-25 00:00 UTC

See Also:
Package list:
dev-lang/python-2.7.18-r5 dev-lang/python-3.6.12-r1 dev-lang/python-3.7.9-r1 dev-lang/python-3.8.6-r1 dev-lang/python-3.9.0-r1
Runtime testing required: ---
nattka: sanity-check+


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-14 08:13:09 UTC
* bpo-42103: Prevented potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.

URL: https://bugs.python.org/issue42103

* bpo-42051: The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. This should not affect users as entity declarations are not used in regular plist files.

URL: https://bugs.python.org/issue42051

* bpo-40791: Add volatile to the accumulator variable in hmac.compare_digest, making constant-time-defeating optimizations less likely.

URL: https://bugs.python.org/issue40791

The latter bug is not mentioned in the 3.7.x release notes.
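An added check, not part of this bug report or of CPython's own test suite, for confirming that the installed interpreter carries the bpo-42051 plistlib fix: a fixed plistlib raises InvalidFileException as soon as the XML DOCTYPE declares an entity, while an ordinary plist still parses. Both plist documents below are constructed samples.

```python
import plistlib

# Constructed sample: an XML plist whose DOCTYPE carries an internal entity
# declaration. Interpreters with the bpo-42051 fix refuse it outright.
PLIST_WITH_ENTITY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [
  <!ENTITY e "expanded">
]>
<plist version="1.0">
<dict>
  <key>name</key>
  <string>&e;</string>
</dict>
</plist>
"""

# Constructed sample: the same document without any entity declaration,
# used to confirm the parser itself still works on ordinary input.
PLIST_PLAIN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>name</key>
  <string>plain</string>
</dict>
</plist>
"""


def rejects_entity_declarations() -> bool:
    """True if plistlib refuses XML plists that declare entities (fixed build)."""
    try:
        plistlib.loads(PLIST_WITH_ENTITY, fmt=plistlib.FMT_XML)
    except plistlib.InvalidFileException:
        return True
    # An unfixed interpreter expands the entity and returns a dict instead.
    return False


def loads_plain_plist() -> dict:
    """Sanity check: an ordinary XML plist must still parse after the fix."""
    return plistlib.loads(PLIST_PLAIN, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    print("entity declarations rejected:", rejects_entity_declarations())
    print("plain plist:", loads_plain_plist())
```

Running this under each installed dev-lang/python slot shows which ones still expand entities and therefore need the bumped ebuilds listed in this bug.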
Comment 1 Larry the Git Cow gentoo-dev 2020-12-14 11:12:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e0543eea856397adc374bca528168179ef006d3

commit 7e0543eea856397adc374bca528168179ef006d3
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-12-14 10:35:52 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-12-14 11:12:10 +0000

    dev-lang/python: Backport security fixes to 3.6.12
    
    Bug: https://bugs.gentoo.org/759928
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.6.12-r1.ebuild | 365 ++++++++++++++++++++++++++++++++
 2 files changed, 366 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c446bebe8431bd445c4399d7cce80bfae34b6fbc

commit c446bebe8431bd445c4399d7cce80bfae34b6fbc
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-12-14 10:32:11 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-12-14 11:12:09 +0000

    dev-lang/python: Backport security fixes to 3.9.0
    
    Bug: https://bugs.gentoo.org/759928
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest               |   1 +
 dev-lang/python/python-3.9.0-r1.ebuild | 331 +++++++++++++++++++++++++++++++++
 2 files changed, 332 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=15efabfeb80aee4b02aa97d1ea24a477ced9be12

commit 15efabfeb80aee4b02aa97d1ea24a477ced9be12
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-12-14 10:30:26 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-12-14 11:12:08 +0000

    dev-lang/python: Backport security fixes to 3.8.6-r1
    
    Bug: https://bugs.gentoo.org/759928
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest               |   1 +
 dev-lang/python/python-3.8.6-r1.ebuild | 355 +++++++++++++++++++++++++++++++++
 2 files changed, 356 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5668e86447b97b15276b7123f77fe320041f6994

commit 5668e86447b97b15276b7123f77fe320041f6994
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-12-14 10:04:50 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-12-14 11:12:07 +0000

    dev-lang/python: Backport security fixes to 3.7.9-r1
    
    Bug: https://bugs.gentoo.org/759928
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest               |   1 +
 dev-lang/python/python-3.7.9-r1.ebuild | 351 +++++++++++++++++++++++++++++++++
 2 files changed, 352 insertions(+)
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-12-14 11:14:09 UTC
I'm still working on the 2.7 backport. Let's stabilize all of them once it's done.
Comment 3 NATTkA bot gentoo-dev 2020-12-14 11:16:51 UTC Comment hidden (obsolete)
Comment 4 Larry the Git Cow gentoo-dev 2020-12-14 12:29:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d090edd7ee7d0db0dcbe7dd4a11699e03d0141ef

commit d090edd7ee7d0db0dcbe7dd4a11699e03d0141ef
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-12-14 12:12:19 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-12-14 12:28:54 +0000

    dev-lang/python: Backport security fixes to 2.7.18-r5
    
    Bug: https://bugs.gentoo.org/759928
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-2.7.18-r5.ebuild | 369 ++++++++++++++++++++++++++++++++
 2 files changed, 370 insertions(+)
Comment 5 NATTkA bot gentoo-dev 2020-12-14 12:32:56 UTC
All sanity-check issues have been resolved
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-14 20:19:15 UTC
x86 stable
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-16 08:04:46 UTC
I'll unCC prefix as they bumped already (very quickly) to avoid noise on the alias.

https://gitweb.gentoo.org/repo/proj/prefix.git/commit/?id=328cea82f46a45f4f805074ddae6d216627eba0f
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-16 12:29:18 UTC
arm{,64} stable
Comment 9 Rolf Eike Beer archtester 2020-12-16 21:29:36 UTC
hppa stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-16 23:10:43 UTC
ppc done
Comment 11 Rolf Eike Beer archtester 2020-12-20 12:28:58 UTC
sparc stable
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-02 22:32:48 UTC
amd64 done
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-04 03:33:54 UTC
ppc64 done
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-04 03:45:17 UTC
s390 is running now (manually b/c of hangs)
Comment 15 Larry the Git Cow gentoo-dev 2021-01-04 09:45:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d87bc85c543ce07379c1cebc5006bae8a607589

commit 1d87bc85c543ce07379c1cebc5006bae8a607589
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-01-04 09:44:55 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-01-04 09:45:47 +0000

    dev-lang/python: Remove old
    
    Bug: https://bugs.gentoo.org/759928
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |  11 -
 dev-lang/python/python-2.7.18-r4.ebuild | 369 --------------------------------
 dev-lang/python/python-3.6.11-r2.ebuild | 365 -------------------------------
 dev-lang/python/python-3.6.12.ebuild    | 365 -------------------------------
 dev-lang/python/python-3.7.8-r2.ebuild  | 351 ------------------------------
 dev-lang/python/python-3.7.9.ebuild     | 351 ------------------------------
 dev-lang/python/python-3.8.4-r1.ebuild  | 346 ------------------------------
 dev-lang/python/python-3.8.5.ebuild     | 355 ------------------------------
 dev-lang/python/python-3.8.6.ebuild     | 355 ------------------------------
 dev-lang/python/python-3.9.0.ebuild     | 331 ----------------------------
 10 files changed, 3199 deletions(-)
Comment 16 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 03:08:58 UTC
s390 done

all arches done
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2021-01-25 00:00:43 UTC
This issue was resolved and addressed in
 GLSA 202101-18 at https://security.gentoo.org/glsa/202101-18
by GLSA coordinator Aaron Bauman (b-man).