
Bug 728668 (CVE-2020-14422)

Summary: <dev-lang/python-{3.6.11-r1, 3.7.8-r1, 3.8.3-r1}: Multiple vulnerabilities (CVE-2020-14422)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: mgorny, python
Priority: Normal
Keywords: CC-ARCHES
Version: unspecified
Flags: nattka: sanity-check-
Hardware: All
OS: Linux
URL: https://bugs.python.org/issue41004
See Also: https://bugs.gentoo.org/show_bug.cgi?id=707822
          https://bugs.gentoo.org/show_bug.cgi?id=730662
Whiteboard: A3 [glsa+ cve]
Package list: dev-lang/python-3.6.11-r1 dev-lang/python-3.7.8-r1 dev-lang/python-3.8.3-r1
Runtime testing required: ---
Bug Depends on: 732498
Bug Blocks:

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-18 14:50:43 UTC
Description:
"Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created."

Bug: https://bugs.python.org/issue41004
PR: https://github.com/python/cpython/pull/20956
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-04 18:55:34 UTC
Another vulnerability has been reported.

"Email module incorrect handling of CR and LF newline characters in Address objects."

Bug: https://bugs.python.org/issue39073

Python 3.6 patch: https://github.com/python/cpython/commit/7df32f844efed33ca781a016017eab7050263b90
Python 3.7 patch: https://github.com/python/cpython/commit/a93bf82980d7c02217a088bafa193f32a4d13abb
Python 3.8 patch: https://github.com/python/cpython/commit/75635c6095bcfbb9fccc239115d3d03ae20a307f
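The two upstream issues above (bpo-41004, the IPv4Interface/IPv6Interface hash collapse, and bpo-39073, CR/LF in email Address parts) can be checked against a running interpreter. The script below is an added example, not part of this bug, of the Gentoo ebuilds, or of CPython's own test suite; it assumes a CPython 3.x interpreter with the standard `ipaddress` and `email.headerregistry` modules, and every sample address in it is constructed for the demonstration. It also includes a workaround key function for dictionaries that must run on an interpreter without the ipaddress fix.

```python
"""Checks for the two CPython fixes tracked in this bug.

Added example (not part of the Gentoo bug, the ebuilds or CPython's own
test suite). Assumes a CPython 3.x interpreter with the standard
``ipaddress`` and ``email.headerregistry`` modules; every sample value
below is constructed for the demonstration.
"""
import ipaddress
from email.headerregistry import Address


def distinct_interface_hashes(count: int = 2048) -> int:
    """Return how many distinct hash values `count` /24 interfaces produce.

    The interfaces share the host byte (.4) but sit on different networks.
    In Python through 3.8.3, IPv4Interface.__hash__ was
    ``ip ^ prefixlen ^ network_address``: the XOR cancels the network bits,
    so every 10.x.y.4/24 collapsed onto one value and a dict keyed by such
    objects degraded to a single chain. The fix (bpo-41004) hashes the full
    (ip, prefixlen, network) tuple, so the values spread out again.
    """
    seen = set()
    for i in range(count):
        # constructed sample: 10.<hi>.<lo>.4/24, hi/lo taken from the loop index
        iface = ipaddress.IPv4Interface(f"10.{i >> 8}.{i & 0xFF}.4/24")
        seen.add(hash(iface))
    return len(seen)


def ipaddress_hash_is_fixed() -> bool:
    """True when the running interpreter carries the bpo-41004 fix.

    Pre-fix interpreters return exactly 1 distinct value here, so a
    threshold of half the sample size separates the two cases cleanly.
    """
    count = 2048
    return distinct_interface_hashes(count) > count // 2


def interface_dict_key(iface_text: str):
    """Workaround key for dicts on an interpreter without the fix.

    Keying by this tuple instead of the interface object keeps the mapping's
    meaning (same version, address and prefix -> same key) while relying on
    tuple hashing, which already mixes every component.
    """
    iface = ipaddress.ip_interface(iface_text)
    return (iface.version, int(iface.ip), iface.network.prefixlen)


def address_rejects_newlines(display_name: str) -> bool:
    """True when Address() refuses a display name containing CR or LF.

    bpo-39073: before the fix, CR/LF in an Address part was written into the
    generated header verbatim, so one Address value could end the header
    line and smuggle further header lines into the message. Fixed
    interpreters raise ValueError at construction time.
    """
    try:
        Address(display_name=display_name, username="user", domain="example.com")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("ipaddress hash fixed:", ipaddress_hash_is_fixed())
    # constructed input: a display name carrying a CRLF sequence
    print("email Address rejects CRLF:", address_rejects_newlines("Alice\r\nX-Injected: 1"))
```

Both checks print True on a patched interpreter (3.6.11, 3.7.8, 3.8.4 and later, or the Gentoo -r1 revisions from this bug); on an unpatched 3.8.3 the first returns False because all 2048 interfaces hash to the same value.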
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-07-04 19:48:30 UTC
Both are resolved in 3.9.0b4.

Both are queued for 3.8.4 final, I'll backport them in the meantime.

CRLF bug is fixed already in 3.7.8 and 3.6.11, I'll backport the ipaddress fix.

ipaddress does not exist in 2.7, and the relevant email class doesn't seem to exist either.
Comment 3 Larry the Git Cow gentoo-dev 2020-07-04 19:51:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3095f51cda2c13d8289c53966bd9f4ac354e5d73

commit 3095f51cda2c13d8289c53966bd9f4ac354e5d73
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-07-04 19:49:43 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-07-04 19:50:56 +0000

    dev-lang/python: Backport CVE-2020-14422 & emailaddr CRLF fixes
    
    Bug: https://bugs.gentoo.org/728668
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                                          | 6 +++---
 dev-lang/python/{python-3.6.11.ebuild => python-3.6.11-r1.ebuild} | 2 +-
 dev-lang/python/{python-3.7.8.ebuild => python-3.7.8-r1.ebuild}   | 2 +-
 dev-lang/python/{python-3.8.3.ebuild => python-3.8.3-r1.ebuild}   | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-07-05 13:53:40 UTC
amd64 done
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2020-07-06 07:35:16 UTC
ppc64 stable
Comment 6 Rolf Eike Beer archtester 2020-07-06 16:51:31 UTC
sparc stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2020-07-08 07:49:12 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-07-09 09:09:13 UTC
x86 stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-11 11:53:58 UTC
arm64 stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-16 22:32:57 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-07-20 06:52:34 UTC
s390 stable
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-20 16:12:38 UTC
Fixed versions:
* dev-lang/python-3.6.11-r1
* dev-lang/python-3.7.8-r1
* dev-lang/python-3.8.3-r1

Python 2.x unclear if affected. Finishing stabilisation in bug 732498.
Comment 13 NATTkA bot gentoo-dev 2020-07-22 15:33:05 UTC
Unable to check for sanity:

> dependent bug #732498 is missing keywords
Comment 14 Larry the Git Cow gentoo-dev 2020-08-02 02:46:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6b56771127f16adedc71c66627bd4a5b7804af9

commit b6b56771127f16adedc71c66627bd4a5b7804af9
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-08-02 02:45:31 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-08-02 02:46:01 +0000

    dev-lang/python: drop vulnerable
    
    Bug: https://bugs.gentoo.org/732498
    Bug: https://bugs.gentoo.org/728668
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-lang/python/Manifest                |  12 --
 dev-lang/python/python-2.7.18.ebuild    | 366 --------------------------------
 dev-lang/python/python-3.6.10-r2.ebuild | 357 -------------------------------
 dev-lang/python/python-3.6.11-r1.ebuild | 357 -------------------------------
 dev-lang/python/python-3.7.7-r2.ebuild  | 343 ------------------------------
 dev-lang/python/python-3.7.8-r1.ebuild  | 343 ------------------------------
 dev-lang/python/python-3.8.2-r2.ebuild  | 346 ------------------------------
 dev-lang/python/python-3.8.3-r1.ebuild  | 346 ------------------------------
 dev-lang/python/python-3.8.4.ebuild     | 346 ------------------------------
 9 files changed, 2816 deletions(-)
Comment 15 NATTkA bot gentoo-dev 2020-08-02 02:48:51 UTC
Unable to check for sanity:

> no match for package: dev-lang/python-3.6.11-r1
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2020-08-02 03:21:34 UTC
This issue was resolved and addressed in
 GLSA 202008-01 at https://security.gentoo.org/glsa/202008-01
by GLSA coordinator Sam James (sam_c).
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-02 03:25:37 UTC
(hppa did the newer bug).