Bug 774114

Summary: <dev-python/pypy{,3}-{7.3.3_p2-r1,7.3.3_p37_p1-r1}: multiple vulnerabilities
Product: Gentoo Security
Reporter: Michał Górny <mgorny>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: normal
CC: python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa? cve]
Package list:
dev-python/pypy-7.3.3_p2-r1
dev-python/pypy-exe-7.3.3_p2
dev-python/pypy-exe-bin-7.3.3_p2
dev-python/pypy3-7.3.3_p37_p1-r1
dev-python/pypy3-exe-7.3.3_p37_p1
dev-python/pypy3-exe-bin-7.3.3_p37_p1
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 787437    

Description Michał Górny 2021-03-03 23:14:45 UTC
All versions of pypy and pypy3 except for the newest _p1 are currently vulnerable.

Vulnerabilities applicable to all three branches, by CPython commit message summary:

- bpo-42051: Reject XML entity declarations in plist files (GH-22760) (GH-22801) (GH-22804)
- bpo-41944: No longer call eval() on content received via HTTP in the CJK codec tests (GH-22566) (GH-22579)
- bpo-42967: only use '&' as a query string separator (GH-24297) (GH-24532) -- warning, this is a breaking change
- bpo-40791: Make compare_digest more constant-time. (GH-23438) -- this one needs to be specially updated for pypy, see below

To pypy3 (both branches) only:

- bpo-42103: Improve validation of Plist files. (GH-22882) (#23117)

I'm not sure yet if we should stabilize the new versions (including pypy3.7 that's alpha upstream) or just drop all to ~arch.
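The following is an added example, not code from this bug, from Gentoo, or from PyPy/CPython. It exercises three of the fixes listed above on whatever interpreter runs it: the plist entity-declaration rejection (bpo-42051), the '&'-only query string separator (bpo-42967), and hmac.compare_digest (bpo-40791), the primitive that in PyPy lives in the interpreter executable, which is why comment 3 says the executable must be rebuilt. It assumes an interpreter that already carries those fixes; on an unfixed build the first two functions return different values. The function names and the sample plist/query strings are constructed for this example.

```python
"""Added example: probes the behaviour the bpo-42051, bpo-42967 and bpo-40791
fixes give an interpreter. Function names and sample data are constructed."""
import hashlib
import hmac
import plistlib
from urllib.parse import parse_qs

# Constructed sample: a plist whose internal DTD subset declares an XML entity
# and then references it. A fixed plistlib rejects the declaration itself
# instead of expanding it, so nested-entity expansion payloads never reach
# expat's expander.
ENTITY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [
  <!ENTITY lol "lol">
]>
<plist version="1.0">
<dict><key>name</key><string>&lol;</string></dict>
</plist>
"""

# Constructed sample without any entity declaration, for contrast.
PLAIN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict><key>name</key><string>lol</string></dict>
</plist>
"""


def plist_entity_decl_rejected(data: bytes) -> bool:
    """True if plistlib refuses the document outright (fixed behaviour for an
    entity declaration), False if it parses, whatever the parsed value is."""
    try:
        plistlib.loads(data)
    except plistlib.InvalidFileException:
        return True
    return False


def parse_query(qs: str, separator: str = "&") -> dict:
    """Parse a query string with an explicit separator.

    With the fixed default ';' is ordinary data, so "a=1;b=2" is one key.
    Components that disagree about the separator let an attacker smuggle a
    parameter past one of them; only pass separator=';' where the peer
    demonstrably splits on it. (This keyword is the breaking change the
    description warns about: callers relying on ';' must opt in.)"""
    return parse_qs(qs, separator=separator)


def make_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag over message, used by verify_tag and by callers."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, presented_tag: bytes) -> bool:
    """Recompute the tag and compare with hmac.compare_digest, which must not
    leak through timing how many leading bytes matched. A plain '==' on the
    two byte strings is the pattern compare_digest exists to replace."""
    return hmac.compare_digest(make_tag(key, message), presented_tag)


if __name__ == "__main__":
    print("entity decl rejected:", plist_entity_decl_rejected(ENTITY_PLIST))
    print("plain plist rejected:", plist_entity_decl_rejected(PLAIN_PLIST))
    print("a=1;b=2 with default separator:", parse_query("a=1;b=2"))
    print("a=1;b=2 with ';' separator:", parse_query("a=1;b=2", separator=";"))
    tag = make_tag(b"key", b"msg")
    print("good tag accepted:", verify_tag(b"key", b"msg", tag))
    print("truncated tag accepted:", verify_tag(b"key", b"msg", tag[:-1]))
```

Running the script on a fixed interpreter reports the entity plist as rejected, the plain plist as accepted, and "a=1;b=2" as a single key unless ';' is requested explicitly; the truncated tag is rejected without any length-based early exit visible to the caller.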
Comment 1 NATTkA bot gentoo-dev 2021-03-03 23:16:54 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-03-04 09:00:53 UTC Comment hidden (obsolete)
Comment 3 Michał Górny 2021-03-04 11:25:56 UTC
We need to rebuild the executable for constant-time operator hash thing.
Comment 4 NATTkA bot gentoo-dev 2021-03-04 11:28:51 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-03-04 15:00:56 UTC Comment hidden (obsolete)
Comment 6 Michał Górny 2021-03-04 15:05:32 UTC
Ok, I see that I've never stable-unmasked pypy3 target, so let's stabilize the new version.  All tests should pass for dev-python/pypy on amd64, no clue about x86, pypy3 is test-restricted.
Comment 7 NATTkA bot gentoo-dev 2021-03-04 15:08:54 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-03-04 15:32:54 UTC Comment hidden (obsolete)
Comment 9 Agostino Sarubbo gentoo-dev 2021-03-05 20:49:03 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2021-03-05 20:49:57 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 11 Michał Górny 2021-03-05 21:07:03 UTC
cleaned up.
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-01 15:44:23 UTC
New GLSA request filed.
Comment 13 NATTkA bot gentoo-dev 2021-05-12 07:16:27 UTC Comment hidden (obsolete)
Comment 14 NATTkA bot gentoo-dev 2021-05-24 10:24:35 UTC
Unable to check for sanity:

> no match for package: dev-python/pypy-7.3.3_p2-r1