Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 741496 - <dev-python/pypy3-7.3.2: multiple vulnerabilities
Summary: <dev-python/pypy3-7.3.2: multiple vulnerabilities
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 752291
Blocks:
  Show dependency tree
 
Reported: 2020-09-10 09:38 UTC by Michał Górny
Modified: 2021-01-09 22:18 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-09-10 09:38:54 UTC
The not-yet-released pypy3.6 version includes all vulnerabilities fixed since CPython v3.6.9rc1.  I'm working on making a patch set.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-09-10 19:58:25 UTC
Speaking in CPython commits:

b23c0840ce [3.6] bpo-37228: Fix loop.create_datagram_endpoint()'s usage of SO_REUSEADDR (GH-17311). (GH-17571)
83fc70159b bpo-38576: Disallow control characters in hostnames in http.client (GH-18995) (GH-19002)
69cdeeb93e bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler (GH-18284) (GH-19304)
7df32f844e bpo-39073: validate Address parts to disallow CRLF (GH-19007) (#19224)
f02de961b9 bpo-39603: Prevent header injection in http methods (GH-18485) (GH-21539)


I'm working on getting them fixed upstream.  Either way, the fixes will be part of the upcoming 7.3.2 release.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-09-10 19:59:41 UTC
Oh, and these two (that are already fixed in the hg branch):

cfc7ff8d05 [3.6] bpo-41004: Resolve hash collisions for IPv4Interface and IPv6Interface (GH-21033) (GH-21232)
47a2955589 bpo-39017: Avoid infinite loop in the tarfile module (GH-21454) (#21485)
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-09-10 21:39:19 UTC
Found a few more:

1789bbdd3e bpo-37461: Fix infinite loop in parsing of specially crafted email headers (GH-14794) (GH-14817)
13a19139b5 bpo-34155: Dont parse domains containing @ (GH-13079) (GH-14826)
1698cacfb9 bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441)
0716056c49 bpo-38804: Fix REDoS in http.cookiejar (GH-17157) (#17343)
30afc91f5e bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format (GH-17418) (GH-17444)
Comment 4 Reva Denis 2020-10-04 04:05:43 UTC
Well, module 'socket' has no attribute 'sethostname' issue https://bugs.gentoo.org/716998 again reproduces with pypy-7.3.2 and portage 3.0.4-r1
If we fix it we can just stabilize pypy-7.3.2
Comment 5 John Helmert III gentoo-dev Security 2021-01-06 08:48:17 UTC
Maintainers, are these vulnerabilities fixed in 7.3.3 (since it appears to be in the process of being stabled)?
Comment 6 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-01-06 10:11:11 UTC
Yes, I'm pretty sure I've got all the backports upstream.
Comment 7 John Helmert III gentoo-dev Security 2021-01-09 21:13:53 UTC
Please cleanup.
Comment 8 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-01-09 21:59:43 UTC
Removed old versions.
Comment 9 John Helmert III gentoo-dev Security 2021-01-09 22:09:21 UTC
(In reply to Michał Górny from comment #8)
> Removed old versions.

Thanks!