Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 198373 - dev-lang/python =2.3.* < 2.3.6-r4 Potential issues in embedded PCRE
Summary: dev-lang/python =2.3.* < 2.3.6-r4 Potential issues in embedded PCRE
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/27543/
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-11-07 17:05 UTC by Robert Buchholz (RETIRED)
Modified: 2011-10-20 04:58 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
python-CVE-2006-7228-pcre.patch (python-CVE-2006-7228-pcre.patch,1.89 KB, patch)
2007-12-11 21:55 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
python-CVE-2007-2052-strxfrm-obo.patch (python-CVE-2007-2052-strxfrm-obo.patch,545 bytes, patch)
2007-12-11 21:55 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 17:05:16 UTC
Python in the 2.3 slot ships a copy of PCRE which might be vulnerable to several security issues as pointed out in bug #198198.

Python herd, are you aware which version of PCRE python 2.3 is shipping?
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-20 00:47:07 UTC
Python herd, please advise.
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-08 23:52:10 UTC
(In reply to comment #1)
> Python herd, please advise.
> 

*ping*
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-12-11 21:55:00 UTC
Created attachment 138282 [details, diff]
python-CVE-2006-7228-pcre.patch
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-12-11 21:55:16 UTC
Created attachment 138283 [details, diff]
python-CVE-2007-2052-strxfrm-obo.patch
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-12-11 21:57:23 UTC
Python herd, I attached a backported patch for the PCRE issue, courtesy of RedHat.
I also attached a patch to fix bug 177804 for python 2.3, which it currently is affected by.

Please either include those patches in 2.3 or we should declare the 2.3 not security supported anymore by a mask and GLSA.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-12-19 02:31:44 UTC
Rerating B2 as Python 2.3 obviously is not used by many people anymore.

Python herd, please advise.
Comment 7 Ali Polatel (RETIRED) gentoo-dev 2008-01-04 09:35:34 UTC
(In reply to comment #6)
> Rerating B2 as Python 2.3 obviously is not used by many people anymore.
> 
> Python herd, please advise.
> 

Sorry for the late reply and thanks for the patches. python2.3 is not maintained upstream and we certainly don't want to keep it in our tree anymore.
Waiting your call to proceed with masking.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-01-04 13:31:15 UTC
(In reply to comment #7)
> Sorry for the late reply and thanks for the patches. python2.3 is not
> maintained upstream and we certainly don't want to keep it in our tree anymore.
> Waiting your call to proceed with masking.

If it does not break any dependencies, please mask it. We'll probably send a maskglsa afterwards.
Comment 9 Ali Polatel (RETIRED) gentoo-dev 2008-01-07 18:34:49 UTC
# Ali Polatel <hawking@gentoo.org> (07 Jan 2008)
# Old, unmaintained version. Will be removed in 30 days.
=dev-lang/python-2.3*

Done.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-01-07 19:01:17 UTC
Thanks, we'll maskglsa this.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-01-07 22:14:18 UTC
Ali Polatel writes:
> Appearently there are some packages which I missed are broken due to
> masking this, unmasked for now. Sorry for the inconvenience and thanks
> again to mr_bones_.

Does this mean you'll bump the ebuild with the attached patches?
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-01-15 17:50:47 UTC
Ali, we'll either have to patch or mask this. Please apply the patches attached to this bug.
Comment 13 Ali Polatel (RETIRED) gentoo-dev 2008-01-22 23:35:13 UTC
python-2.3.6-r4 is in the tree with the patches included.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-01-23 00:03:46 UTC
Arches, please test and mark stable:
=dev-lang/python-2.3.6-r4
Target keywords : "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"
Comment 15 Brent Baude (RETIRED) gentoo-dev 2008-01-23 01:13:33 UTC
ppc done
Comment 16 Brent Baude (RETIRED) gentoo-dev 2008-01-23 01:14:36 UTC
I'm getting failed tests on this with ppc64.  Anyone aware of busticated tests in previous versions?

213 tests OK.
2 tests failed:
    test_openpty test_socket
32 tests skipped:
    test_aepack test_al test_audioop test_bsddb185 test_bsddb3 test_cd
    test_cl test_curses test_dl test_email_codecs test_gl test_imageop
    test_imgfile test_linuxaudiodev test_macfs test_macostools
    test_nis test_normalization test_ossaudiodev test_pep277
    test_plistlib test_pty test_rgbimg test_scriptpackages
    test_socket_ssl test_socketserver test_sunaudiodev test_timeout
    test_unicode_file test_urllibnet test_winreg test_winsound
4 skips unexpected on linux2:
    test_audioop test_pty test_rgbimg test_imageop
make: *** [test] Error 1
 * 

I can provide ppc64 access should someone like to poke this.

Comment 17 Jeroen Roovers gentoo-dev 2008-01-23 05:48:25 UTC
Stable for HPPA.
Comment 18 Christian Faulhammer (RETIRED) gentoo-dev 2008-01-23 07:21:35 UTC
On x86, several "issues":

2.) bsddb test fails if Python is built with USE=nothreads (disable it, please)...I mean USE="nothreads berkdb" will not work.

x86 stable
Comment 19 Christian Faulhammer (RETIRED) gentoo-dev 2008-01-23 07:35:06 UTC
(In reply to comment #18)
> On x86, several "issues":

 It was one issue in the end...
Comment 20 Raúl Porcel (RETIRED) gentoo-dev 2008-01-23 12:32:01 UTC
alpha/ia64/sparc stable
Comment 21 Peter Weller (RETIRED) gentoo-dev 2008-01-23 18:07:36 UTC
amd64 done.
Comment 22 Tobias Scherbaum (RETIRED) gentoo-dev 2008-01-25 16:46:20 UTC
  23 Jan 2008; Brent Baude <ranger@gentoo.org> python-2.3.6-r4.ebuild:
  Marking python-2.3.6-r4 ppc for bug 198373
Comment 23 Markus Rothe (RETIRED) gentoo-dev 2008-01-25 20:05:41 UTC
ppc64 stable
Comment 24 Robert Buchholz (RETIRED) gentoo-dev 2008-03-24 19:51:16 UTC
GLSA 200802-10.