
Bug 793833

Summary: <dev-lang/python-{2.7.18_p11,3.6.13_p5,3.7.10_p6,3.8.10_p2,3.9.5_p2,3.10.0_beta2} <dev-python/pypy-7.3.4_p1 <dev-python/pypy3-{7.3.4_p2,7.3.5_rc3_p1}: multiple vulnerabilities
Product: Gentoo Security Reporter: Michał Górny <mgorny>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa+]
Package list:
dev-lang/python-2.7.18_p11 dev-python/pypy-7.3.4_p1 amd64 x86
Runtime testing required: ---

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-06-02 07:15:03 UTC
Will investigate applicable versions shortly.


1. bpo-44022: Fix http client infinite line reading (DoS) after a HTTP 100 Continue (GH-25916)

   Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.


2. bpo-36384: Leading zeros in IPv4 addresses are no longer tolerated (GH-25099)

   Reverts commit e653d4d8e820a7a004ad399530af0135b45db27a and makes
   parsing even more strict. Like socket.inet_pton() any leading zero
   is now treated as invalid input.


3. bpo-43998: Default to TLS 1.2 and increase cipher suite security (GH-25778)

   The ssl module now has more secure default settings. Ciphers without forward
   secrecy or SHA-1 MAC are disabled by default. Security level 2 prohibits
   weak RSA, DH, and ECC keys with less than 112 bits of security.
   `ssl.SSLContext` defaults to minimum protocol version TLS 1.2.
   Settings are based on Hynek Schlawack's research.


and possibly:

4. bpo-43650: Fix MemoryError on zip.read in shutil._unpack_zipfile for large files (GH-25058)

   `shutil.unpack_archive()` tries to read the whole file into memory, making no use of any kind of smaller buffer. Process crashes for really large files: i.e. archive: ~1.7G, unpacked: ~10G. Before the crash it can easily take away all available RAM on smaller systems. Had to pull the code from `zipfile.Zipfile.extractall()` to fix this
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-06-02 08:10:23 UTC
Applicable:

3.10.0b2: (none)
3.9.5_p1: 1 3 4
3.8.10_p1: 1 3 4
3.7.10_p4: 1 2* 3 4
[to be continued]

* the 'bigger' regression in IPv4 addr parsing was added in 3.8 but I've backported making it even more strict now

I'm working on patches for 3.7 now; also need to wait for 3.7 cleanup on my system to complete as leftover packages break CPython's test suite x_x.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-06-02 09:10:24 UTC
3.6.13_p4: 1 2* 3+ 4
2.7.18_p10: 1+ 3+

pypy3 7.3.5_rc3: 1 2* 3+ 4
pypy 7.3.5_rc3: 1+ 3+

+ I am not going to backport this patch as it's too much effort for little gain
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-06-02 09:36:06 UTC
Let's skip the earlier revision where applicable and stabilize newest revisions for all versions.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-02 22:44:19 UTC
arm done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-03 00:41:23 UTC
arm64 done
Comment 6 Rolf Eike Beer archtester 2021-06-03 16:56:48 UTC
sparc stable
Comment 7 Rolf Eike Beer archtester 2021-06-05 11:49:44 UTC
hppa stable
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-11 05:36:57 UTC
ppc done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-12 00:31:40 UTC
amd64 done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-12 00:32:02 UTC
x86 done
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-15 19:40:40 UTC
ppc64 done

all arches done
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-16 01:56:41 UTC
Thank you! Please cleanup.
Comment 13 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-06-16 11:16:26 UTC
Cleanups pushed.
Comment 14 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-06-19 18:52:11 UTC
So I've eventually backported it to Python 2.7, and I'm testing it now.  Once done, should I reuse this bug to stabilize Python 2.7 and PyPy, or file another one?
Comment 15 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-06-19 19:23:09 UTC
Sam said to reuse!
Comment 17 Rolf Eike Beer archtester 2021-06-20 15:46:00 UTC
sparc done
Comment 18 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-21 19:04:05 UTC
arm64 done
Comment 19 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-22 19:38:01 UTC
arm done
Comment 20 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-24 21:51:05 UTC
ppc done
Comment 21 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-24 21:51:22 UTC
ppc64 done
Comment 22 Rolf Eike Beer archtester 2021-06-25 18:43:41 UTC
hppa stable
Comment 23 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2021-07-17 14:04:52 UTC
stabilized
Comment 25 NATTkA bot gentoo-dev 2021-09-20 16:24:38 UTC
Unable to check for sanity:

> no match for package: dev-lang/python-2.7.18_p11
Comment 26 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-19 01:15:17 UTC
GLSA requested
Comment 27 Larry the Git Cow gentoo-dev 2023-05-03 09:31:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=721dfacf17914fe5f7bfa3d0b401379d6318f7b1

commit 721dfacf17914fe5f7bfa3d0b401379d6318f7b1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 09:12:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 09:31:45 +0000

    [ GLSA 202305-02 ] Python, PyPy3: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/787260
    Bug: https://bugs.gentoo.org/793833
    Bug: https://bugs.gentoo.org/811165
    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/835443
    Bug: https://bugs.gentoo.org/838250
    Bug: https://bugs.gentoo.org/864747
    Bug: https://bugs.gentoo.org/876815
    Bug: https://bugs.gentoo.org/877851
    Bug: https://bugs.gentoo.org/878385
    Bug: https://bugs.gentoo.org/880629
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-02.xml | 107 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 107 insertions(+)