
Bug 908018

Summary: <dev-lang/python-{3.8.17,3.9.17,3.10.12,3.11.4}, <dev-python/pypy3-7.3.12: multiple vulnerabilities
Product: Gentoo Security
Reporter: Michał Górny <mgorny>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://discuss.python.org/t/python-3-11-4-3-10-12-3-9-17-3-8-17-3-7-17-and-3-12-0-beta-2-are-now-available/27477#security-fixes-in-todays-releases-2
Whiteboard: A3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 908014, 908015, 908016, 908017, 909854
Bug Blocks:

Description by Michał Górny, 2023-06-07 13:48:35 UTC
These (potentially) affect us:

3.7 - 3.11: gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329.
3.7 - 3.11: gh-99889: Fixed a security flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified.
3.7 - 3.11: gh-104049: Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler.
3.8 - 3.11: gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open().
3.8 - 3.11: gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter argument that allows limiting tar features that may be surprising or dangerous, such as creating files outside the destination directory. See Extraction filters for details.
3.9: gh-102126: Fixed a deadlock at shutdown when clearing thread states if any finalizer tries to acquire the runtime head lock.
3.9: gh-100892: Fixed a crash due to a race while iterating over thread states in clearing threading.local.

Also potentially affecting Prefix:

3.7 - 3.11: gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe when launching with shell=True.

---

I'm not sure what to do about PyPy3.  I don't have time right now to backport all fixes (these and possibly more from previous releases), and I definitely don't want to backport them both to the most recent masked RCs and the previous stable release.
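The gh-102953 extraction-filter change listed above, applied defensively, as an added example that is not part of the bug report or of CPython: the archive is constructed inline (one benign member, one whose name escapes the destination), the function uses `tarfile.data_filter` where the interpreter has it, and otherwise falls back to an equivalent realpath containment check.

```python
import io
import os
import tarfile
import tempfile


def build_sample_tar() -> bytes:
    """Constructed sample archive: a benign member plus one whose name
    points outside the extraction directory (what the filters block)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("docs/readme.txt", b"hello\n"),
                              ("../escape.txt", b"outside\n")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def extract_safely(data: bytes, dest: str):
    """Extract tar members into dest, rejecting any that would land outside.
    Uses tarfile.data_filter on interpreters that have it
    (>= 3.8.17 / 3.9.17 / 3.10.12 / 3.11.4); older ones get an equivalent
    containment check. Returns (extracted_names, rejected_names)."""
    extracted, rejected = [], []
    dest_real = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar.getmembers():
            if hasattr(tarfile, "data_filter"):
                try:
                    # Raises on absolute paths, '..' escapes, links that
                    # point outside dest, and special files.
                    member = tarfile.data_filter(member, dest_real)
                except tarfile.FilterError:
                    rejected.append(member.name)
                    continue
            else:
                target = os.path.realpath(os.path.join(dest_real, member.name))
                if os.path.commonpath([dest_real, target]) != dest_real:
                    rejected.append(member.name)
                    continue
            tar.extract(member, dest_real)
            extracted.append(member.name)
    return extracted, rejected


def demo():
    """Extract the sample into a throwaway directory and report the split."""
    with tempfile.TemporaryDirectory() as tmp:
        return extract_safely(build_sample_tar(), tmp)
```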
Comment 1 by Michał Górny, 2023-06-23 06:18:48 UTC
cleanup done for dev-lang/python.  For dev-python/pypy3, I'd like to wait a while more before stabilizing it.
Comment 2 by John Helmert III, 2023-06-27 04:03:29 UTC
(In reply to Michał Górny from comment #1)
> cleanup done for dev-lang/python.  For dev-python/pypy3, I'd like to wait a
> while more before stabilizing it.

The fixed pypy3 is pypy3-7.3.12, then?
Comment 3 by Larry the Git Cow, 2024-05-04 06:00:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=665ec86173a28118d28182d8381d593988f1adac

commit 665ec86173a28118d28182d8381d593988f1adac
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-04 05:59:08 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-04 06:00:31 +0000

    [ GLSA 202405-01 ] Python, PyPy3: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/884653
    Bug: https://bugs.gentoo.org/897958
    Bug: https://bugs.gentoo.org/908018
    Bug: https://bugs.gentoo.org/912976
    Bug: https://bugs.gentoo.org/919475
    Bug: https://bugs.gentoo.org/927299
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-01.xml | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)