| Summary: | <dev-lang/python-{3.8.13_p8, 3.9.13_p6, 3.10.6_p4, 3.11.0_rc1_p2}, dev-python/pypy{,3}: Denial of service via abuse of bignum int type | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sam James <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | IN_PROGRESS --- | ||
| Severity: | normal | CC: | mgorny, python |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: |
https://github.com/python/cpython/issues/95778 https://foss.heptapod.net/pypy/pypy/-/issues/3805 |
||
| Whiteboard: | A3 [ebuild] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 868240, 868243, 868246, 868555, 868558, 868561 | ||
| Bug Blocks: | |||
|
Description
Sam James
2022-09-03 04:31:54 UTC
That looks like a humongous thing to backport... Oh, I see that there are backports for 3.11 and 3.10 already. That's good. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02aa8f369458eafa0cb6f41d988ed5d8d5d91539 commit 02aa8f369458eafa0cb6f41d988ed5d8d5d91539 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2022-09-03 09:12:55 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2022-09-03 09:36:58 +0000 dev-lang/python: Backport bignum vuln. fix to 3.8.13_p7 Bug: https://bugs.gentoo.org/868150 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-lang/python/Manifest | 1 + dev-lang/python/python-3.8.13_p7.ebuild | 348 ++++++++++++++++++++++++++++++++ 2 files changed, 349 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=52dec296c93128dcad53c35c3bcc3444513914d8 commit 52dec296c93128dcad53c35c3bcc3444513914d8 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2022-09-03 09:02:13 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2022-09-03 09:36:57 +0000 dev-lang/python: Backport bignum vuln. fix to 3.9.13_p5 Bug: https://bugs.gentoo.org/868150 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-lang/python/Manifest | 1 + dev-lang/python/python-3.9.13_p5.ebuild | 402 ++++++++++++++++++++++++++++++++ 2 files changed, 403 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9b5c58a4edb18b0e05698cc34976f69fb3686660 commit 9b5c58a4edb18b0e05698cc34976f69fb3686660 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2022-09-03 08:55:16 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2022-09-03 09:36:56 +0000 dev-lang/python: Backport bignum vuln. fix to 3.10.6_p3 Bug: https://bugs.gentoo.org/868150 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-lang/python/Manifest | 1 + dev-lang/python/python-3.10.6_p3.ebuild | 407 ++++++++++++++++++++++++++++++++ 2 files changed, 408 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f0604f03d329ad2dc5d8c3a2893cf3de071c0f60 commit f0604f03d329ad2dc5d8c3a2893cf3de071c0f60 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2022-09-03 08:40:55 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2022-09-03 09:36:56 +0000 dev-lang/python: Backport bignum vuln. fix to 3.11.0_rc1_p1 Bug: https://bugs.gentoo.org/868150 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-lang/python/Manifest | 1 + dev-lang/python/python-3.11.0_rc1_p1.ebuild | 481 ++++++++++++++++++++++++++++ 2 files changed, 482 insertions(+) Did pypy ever get fixed versions here? (In reply to John Helmert III from comment #4) > Did pypy ever get fixed versions here? No. I think at least part of the problem was fixed in hg but it didn't make it to a release yet. The issue falls very much into the "debated" thing. |