Summary: | <dev-lang/python-{2.7.18-r6, 3.6.12-r2, 3.7.9-r2, 3.8.7-r1, 3.9.1-r1}: buffer overflow with malicious floats (CVE-2021-3177) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | critical | CC: | bertrand, mgorny, python |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugs.python.org/issue42938 | ||
Whiteboard: | A1 [glsa+ cve] | ||
Package list: | Runtime testing required: | --- |
Description
John Helmert III
2021-01-19 19:23:49 UTC
In case anyone's wondering, 2.7 is affected too. I'm going to see how hard would it be to adapt the patch. In the meantime, I'll fix all 3.x versions. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=afa94fe2afbd6863228b94d9184ffe6190d7a14a commit afa94fe2afbd6863228b94d9184ffe6190d7a14a Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2021-01-19 21:59:32 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2021-01-19 22:06:06 +0000 dev-lang/python: Backport CVE-2021-3177 fix to 3.6.12 Bug: https://bugs.gentoo.org/766189 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-lang/python/Manifest | 1 + dev-lang/python/python-3.6.12-r2.ebuild | 331 ++++++++++++++++++++++++++++++++ 2 files changed, 332 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=96cd00de5e0021e3e1a3812982a7fc590ab361a6 commit 96cd00de5e0021e3e1a3812982a7fc590ab361a6 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2021-01-19 21:57:56 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2021-01-19 22:06:05 +0000 dev-lang/python: Backport CVE-2021-3177 fix to 3.7.9 Bug: https://bugs.gentoo.org/766189 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-lang/python/Manifest | 1 + dev-lang/python/python-3.7.9-r2.ebuild | 317 +++++++++++++++++++++++++++++++++ 2 files changed, 318 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=feb36e92467d2547976489d894944602466989c9 commit feb36e92467d2547976489d894944602466989c9 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2021-01-19 21:56:12 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2021-01-19 22:06:04 +0000 dev-lang/python: Backport CVE-2021-3177 fix to 3.8.7 Bug: https://bugs.gentoo.org/766189 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-lang/python/Manifest | 2 +- dev-lang/python/{python-3.8.7.ebuild => python-3.8.7-r1.ebuild} | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=67b08d18957ef352601eda27cb72ecc63f25111d commit 67b08d18957ef352601eda27cb72ecc63f25111d Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2021-01-19 21:54:37 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2021-01-19 22:06:03 +0000 dev-lang/python: Backport CVE-2021-3177 fix to 3.9.1 Bug: https://bugs.gentoo.org/766189 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-lang/python/Manifest | 2 +- dev-lang/python/{python-3.9.1.ebuild => python-3.9.1-r1.ebuild} | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e13e61125aba6cb270446b922b810c6eb7c1af9b commit e13e61125aba6cb270446b922b810c6eb7c1af9b Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2021-01-19 21:52:07 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2021-01-19 22:06:02 +0000 dev-lang/python: Backport CVE-2021-3177 fix to 3.10.0a3 Bug: https://bugs.gentoo.org/766189 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-lang/python/Manifest | 2 +- .../{python-3.10.0_alpha3.ebuild => python-3.10.0_alpha3-r1.ebuild} | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fcd672dfa8a4bf786afb13aa4ebeb42870b20524 commit fcd672dfa8a4bf786afb13aa4ebeb42870b20524 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2021-01-19 23:00:32 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2021-01-20 00:12:08 +0000 dev-lang/python: Backport CVE-2021-3177 fix to 2.7.18 Bug: https://bugs.gentoo.org/766189 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-lang/python/Manifest | 1 + dev-lang/python/python-2.7.18-r6.ebuild | 347 ++++++++++++++++++++++++++++++++ 2 files changed, 348 insertions(+) Sanity check failed:
> dev-lang/python-3.6.12-r2
> bdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (41 total)
> app-crypt/openpgp-keys-python
> bdepend amd64 stable profile default/linux/amd64/17.1 (54 total)
> app-crypt/openpgp-keys-python
> dev-lang/python-2.7.18-r6
> bdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (41 total)
> app-crypt/openpgp-keys-python
> bdepend amd64 stable profile default/linux/amd64/17.1 (54 total)
> app-crypt/openpgp-keys-python
> dev-lang/python-3.6.12-r2
> bdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (41 total)
> app-crypt/openpgp-keys-python
> bdepend amd64 stable profile default/linux/amd64/17.1 (54 total)
> app-crypt/openpgp-keys-python
> dev-lang/python-3.7.9-r2
> bdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (41 total)
> app-crypt/openpgp-keys-python
> bdepend amd64 stable profile default/linux/amd64/17.1 (54 total)
> app-crypt/openpgp-keys-python
> dev-lang/python-3.8.7-r1
> bdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (41 total)
> app-crypt/openpgp-keys-python
> bdepend amd64 stable profile default/linux/amd64/17.1 (54 total)
> app-crypt/openpgp-keys-python
> dev-lang/python-3.9.1-r1
> bdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (41 total)
> app-crypt/openpgp-keys-python
> bdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (41 total)
> app-crypt/openpgp-keys-python
> bdepend amd64 stable profile default/linux/amd64/17.1 (54 total)
> app-crypt/openpgp-keys-python
> bdepend amd64 stable profile default/linux/amd64/17.1 (54 total)
> app-crypt/openpgp-keys-python
> dev-lang/python-2.7.18-r6
> bdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (41 total)
> app-crypt/openpgp-keys-python
> bdepend amd64 stable profile default/linux/amd64/17.1 (54 total)
> app-crypt/openpgp-keys-python
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/proj/prefix.git/commit/?id=c2262f56e55776bf22a3d3e24bb470acc6292264 commit c2262f56e55776bf22a3d3e24bb470acc6292264 Author: Fabian Groffen <grobian@gentoo.org> AuthorDate: 2021-01-21 11:15:41 +0000 Commit: Fabian Groffen <grobian@gentoo.org> CommitDate: 2021-01-21 11:15:41 +0000 dev-lang/python: cleanup/fix vulnerable non-masked versions - bump 3.8.7-r1, 3.9.1-r1 - remove 3.7.8-r2, 3.8.6-r1 Bug: https://bugs.gentoo.org/766189 Package-Manager: Portage-3.0.12.0.2-prefix, Repoman-3.0.2 Signed-off-by: Fabian Groffen <grobian@gentoo.org> dev-lang/python/Manifest | 11 +- dev-lang/python/python-3.7.8-r2.ebuild | 447 --------------------- dev-lang/python/python-3.8.6-r1.ebuild | 431 -------------------- ...{python-3.8.7.ebuild => python-3.8.7-r1.ebuild} | 36 +- ...{python-3.9.1.ebuild => python-3.9.1-r1.ebuild} | 2 +- 5 files changed, 4 insertions(+), 923 deletions(-) All sanity-check issues have been resolved sparc already done arm64 done arm done amd64 done ppc64 done This issue was resolved and addressed in GLSA 202101-18 at https://security.gentoo.org/glsa/202101-18 by GLSA coordinator Aaron Bauman (b-man). re-opened for final arches and cleanup ppc done hppa stable s390 done x86 stable Resetting sanity check; keywords are not fully specified and arches are not CC-ed. Please cleanup. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ffd46762b623fb179b5630dd033cd7d177bc4035 commit ffd46762b623fb179b5630dd033cd7d177bc4035 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2021-02-19 08:17:37 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2021-02-19 08:22:01 +0000 dev-lang/python: Remove old Bug: https://bugs.gentoo.org/766189 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-lang/python/Manifest | 11 - dev-lang/python/python-2.7.18-r5.ebuild | 348 ------------------------ dev-lang/python/python-3.10.0_alpha3-r1.ebuild | 334 ----------------------- dev-lang/python/python-3.10.0_alpha4.ebuild | 353 ------------------------- dev-lang/python/python-3.6.12-r1.ebuild | 332 ----------------------- dev-lang/python/python-3.7.9-r1.ebuild | 318 ---------------------- dev-lang/python/python-3.8.6-r1.ebuild | 322 ---------------------- dev-lang/python/python-3.9.0-r1.ebuild | 331 ----------------------- 8 files changed, 2349 deletions(-) Thanks you! Tree is clean. |