
Bug 741496

Summary: <dev-python/pypy3-7.3.2: multiple vulnerabilities
Product: Gentoo Security
Component: Vulnerabilities
Status: CONFIRMED
Severity: minor
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Reporter: Michał Górny <mgorny>
Assignee: Gentoo Security <security>
CC: python
See Also: https://bugs.gentoo.org/show_bug.cgi?id=741560
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 752291    
Bug Blocks:    

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-09-10 09:38:54 UTC
The not-yet-released pypy3.6 version includes all vulnerabilities fixed since CPython v3.6.9rc1.  I'm working on making a patch set.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-09-10 19:58:25 UTC
Speaking in CPython commits:

b23c0840ce [3.6] bpo-37228: Fix loop.create_datagram_endpoint()'s usage of SO_REUSEADDR (GH-17311). (GH-17571)
83fc70159b bpo-38576: Disallow control characters in hostnames in http.client (GH-18995) (GH-19002)
69cdeeb93e bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19304)
7df32f844e bpo-39073: validate Address parts to disallow CRLF (GH-19007) (#19224)
f02de961b9 bpo-39603: Prevent header injection in http methods (GH-18485) (GH-21539)


I'm working on getting them fixed upstream.  Either way, the fixes will be part of the upcoming 7.3.2 release.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-09-10 19:59:41 UTC
Oh, and these two (that are already fixed in the hg branch):

cfc7ff8d05 [3.6] bpo-41004: Resolve hash collisions for IPv4Interface and IPv6Interface (GH-21033) (GH-21232)
47a2955589 bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (#21485)
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-09-10 21:39:19 UTC
Found a few more:

1789bbdd3e bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794) (GH-14817)
13a19139b5 bpo-34155: Dont parse domains containing @ (GH-13079) (GH-14826)
1698cacfb9 bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441)
0716056c49 bpo-38804: Fix REDoS in http.cookiejar (GH-17157) (#17343)
30afc91f5e bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format (GH-17418) (GH-17444)
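The commit lists above name the CPython fixes being backported, but give no way to tell whether a given pypy3 build actually carries them. The script below is an added example, not part of this bug or of the PyPy or CPython projects: it feeds the interpreter the kind of crafted input each fix rejects (CR/LF in an HTTP method, control characters in a hostname, CR/LF in an email address part, a second `@` in an addr-spec, two IPv4Interface values that collided under the pre-fix hash, and `reuse_address=True` on a UDP endpoint) and reports whether the interpreter refuses it. All inputs are constructed; nothing is sent over the network, and the functions and probe names are my own, chosen for this example. Run it under the pypy3 build you want to check.

```python
"""Offline probes for several of the CPython security backports listed above.

A False result means that backport appears to be missing from the
interpreter running this script.  Constructed inputs only; no sockets
are opened.
"""
import asyncio
import email.utils
import http.client
import ipaddress
from email.headerregistry import Address


def _raises(exc_types, func, *args, **kwargs):
    """Return True if calling func raises one of exc_types."""
    try:
        func(*args, **kwargs)
    except exc_types:
        return True
    return False


def method_injection_rejected():
    """bpo-39603: CR/LF inside the HTTP method must not reach the wire.

    putrequest() only appends to an in-memory buffer (connect() happens
    later, in endheaders()), so a fixed interpreter raises ValueError
    before anything could be sent.
    """
    conn = http.client.HTTPConnection("example.com")  # no connect() yet
    return _raises(ValueError, conn.putrequest,
                   "GET\r\nX-Injected: 1\r\n", "/")


def hostname_control_chars_rejected():
    """bpo-38576: control characters in the host part raise InvalidURL."""
    return _raises(http.client.InvalidURL, http.client.HTTPConnection,
                   "example.com\r\n")


def address_crlf_rejected():
    """bpo-39073: email.headerregistry.Address rejects CR/LF in any part."""
    return _raises(ValueError, Address,
                   "Alice", "alice\r\nBcc: mallory", "example.org")


def multi_at_address_rejected():
    """bpo-34155: parseaddr() no longer accepts a@b@c and returns the last
    domain; a fixed interpreter returns an empty pair instead."""
    return email.utils.parseaddr(
        "alice@attacker.example@victim.example") == ("", "")


def interface_hash_fixed():
    """bpo-41004: interfaces that collided under the old hash now differ.

    The pre-fix hash was ip ^ prefixlen ^ network_address, which reduces to
    (host bits ^ prefixlen), so every /24 with host .1 collided.
    """
    a = ipaddress.IPv4Interface("192.168.0.1/24")
    b = ipaddress.IPv4Interface("10.0.0.1/24")

    def old_hash(i):  # the pre-fix formula, reproduced for comparison
        return int(i.ip) ^ i.network.prefixlen ^ int(i.network.network_address)

    return old_hash(a) == old_hash(b) and hash(a) != hash(b)


def datagram_reuse_address_rejected():
    """bpo-37228: reuse_address=True on a UDP endpoint is refused.

    3.8-3.10 raise ValueError; from 3.11 the parameter is gone entirely, so
    the call raises TypeError.  Either way it fails before a socket is
    created, which keeps this probe offline.
    """
    async def attempt():
        loop = asyncio.get_running_loop()
        await loop.create_datagram_endpoint(
            asyncio.DatagramProtocol,
            local_addr=("127.0.0.1", 0), reuse_address=True)

    return _raises((ValueError, TypeError), asyncio.run, attempt())


def probe_backports():
    """Run every probe; a False value means that backport is missing."""
    return {
        "bpo-39603 http.client method injection": method_injection_rejected(),
        "bpo-38576 http.client hostname control chars": hostname_control_chars_rejected(),
        "bpo-39073 email Address CR/LF": address_crlf_rejected(),
        "bpo-34155 parseaddr multiple @": multi_at_address_rejected(),
        "bpo-41004 IPv4Interface hash collisions": interface_hash_fixed(),
        "bpo-37228 create_datagram_endpoint reuse_address": datagram_reuse_address_rejected(),
    }


if __name__ == "__main__":
    for name, ok in probe_backports().items():
        print(f"{'ok     ' if ok else 'MISSING'}  {name}")
```

The probes only cover fixes whose effect is an immediate, deterministic rejection; the two ReDoS fixes (bpo-39503 in `AbstractBasicAuthHandler`, bpo-38804 in `http.cookiejar`) and the tarfile and email-header infinite loops are timing-dependent and are better verified by running the corresponding CPython regression tests against the build.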
Comment 4 Reva Denis 2020-10-04 04:05:43 UTC
Well, the "module 'socket' has no attribute 'sethostname'" issue (https://bugs.gentoo.org/716998) reproduces again with pypy-7.3.2 and portage 3.0.4-r1.
If we fix it, we can just stabilize pypy-7.3.2.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-06 08:48:17 UTC
Maintainers, are these vulnerabilities fixed in 7.3.3 (since it appears to be in the process of being stabled)?
Comment 6 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-01-06 10:11:11 UTC
Yes, I'm pretty sure I've got all the backports upstream.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-09 21:13:53 UTC
Please clean up.
Comment 8 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-01-09 21:59:43 UTC
Removed old versions.
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-09 22:09:21 UTC
(In reply to Michał Górny from comment #8)
> Removed old versions.

Thanks!
Comment 10 NATTkA bot gentoo-dev 2021-07-29 17:25:58 UTC
Package list is empty or all packages have requested keywords.