938541 – <dev-util/diffoscope-276: unsafe comparison of Python bytecode files

Bug 938541 - <dev-util/diffoscope-276: unsafe comparison of Python bytecode files

Summary: <dev-util/diffoscope-276: unsafe comparison of Python bytecode files

Status:	IN_PROGRESS

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	B2 [cleanup glsa?]
Keywords:

Depends on:
Blocks:

Reported:	2024-08-27 01:14 UTC by Sam James
Modified:	2024-10-24 18:45 UTC (History)
CC List:	1 user (show)

See Also:	https://github.com/python/cpython/issues/121112 https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/371 https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/388
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2024-08-27 01:14:09 UTC

From the 275 release notes:
"""
* Do not call marshal.loads(...) of precompiled Python bytecode as it is
  inherently unsafe. Replace, at least for now, with a brief summary of the
  code section of .pyc files. (Re: reproducible-builds/diffoscope#371)
"""

Comment 1 Larry the Git Cow gentoo-dev

2024-08-27 01:35:21 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa1428caa6f25cd9c11e163a69525f73da7be75b

commit aa1428caa6f25cd9c11e163a69525f73da7be75b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-08-27 01:16:31 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-08-27 01:32:35 +0000

    dev-util/diffoscope: add 276
    
    Bug: https://bugs.gentoo.org/938541
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-util/diffoscope/Manifest              |   1 +
 dev-util/diffoscope/diffoscope-276.ebuild | 140 ++++++++++++++++++++++++++++++
 2 files changed, 141 insertions(+)