Bug 774114 - dev-python/pypy{,3}: multiple vulnerabilities
Summary: dev-python/pypy{,3}: multiple vulnerabilities
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: [glsa? cleanup]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-03 23:14 UTC by Michał Górny
Modified: 2021-03-05 21:07 UTC

See Also:
Package list:
dev-python/pypy-7.3.3_p2-r1 dev-python/pypy-exe-7.3.3_p2 dev-python/pypy-exe-bin-7.3.3_p2 dev-python/pypy3-7.3.3_p37_p1-r1 dev-python/pypy3-exe-7.3.3_p37_p1 dev-python/pypy3-exe-bin-7.3.3_p37_p1
Runtime testing required: ---
nattka: sanity-check+


Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-03-03 23:14:45 UTC
All versions of pypy and pypy3 except for the newest _p1 are currently vulnerable.

Vulnerabilities applicable to all three branches, by CPython commit message summary:

- bpo-42051: Reject XML entity declarations in plist files (GH-22760) (GH-22801) (GH-22804)
- bpo-41944: No longer call eval() on content received via HTTP in the CJK codec tests (GH-22566) (GH-22579)
- bpo-42967: only use '&' as a query string separator (GH-24297) (GH-24532) -- warning, this is a breaking change
- bpo-40791: Make compare_digest more constant-time. (GH-23438) -- this one needs to be specially updated for pypy, see below

To pypy3 (both branches) only:

- bpo-42103: Improve validation of Plist files. (GH-22882) (#23117)


I'm not sure yet if we should stabilize the new versions (including pypy3.7 that's alpha upstream) or just drop all to ~arch.
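The CPython fixes listed above change observable interpreter behaviour, so an administrator can verify whether a given pypy/pypy3 build carries them instead of trusting the package version alone. The following check script is an added example written for this page; it is not part of the bug report, the Gentoo ebuilds or the PyPy code base. It exercises two of the fixes directly: bpo-42051 (plistlib must raise InvalidFileException on any XML entity declaration, which closes off entity-expansion attacks through expat) and bpo-42967 (urllib.parse.parse_qs must split only on '&', with ';' available only via the explicit separator= keyword added by that fix; the old dual-separator behaviour enabled web cache poisoning). The compare_digest change (bpo-40791) is a timing property of the interpreter's C/RPython level and is not checkable from Python code, which is why it needs a rebuilt executable rather than a stdlib patch. The plist documents and query strings below are constructed test inputs. Run it under the interpreter you want to audit, e.g. `pypy3 check_fixes.py`.

```python
"""Check the running interpreter for the bpo-42051 and bpo-42967 fixes.

Added example for this page; not code from the bug report, Gentoo or PyPy.
Exit status 0 means every check passed, 1 means at least one fix is missing.
"""
import sys
import plistlib
from urllib.parse import parse_qs

# Constructed sample: a plist whose internal DTD subset declares an entity.
# Before bpo-42051 plistlib fed this straight to expat, so entity expansion
# (e.g. "billion laughs") was reachable from untrusted plist input.
PLIST_WITH_ENTITY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [ <!ENTITY lol "lol"> ]>
<plist version="1.0">
<dict><key>name</key><string>&lol;</string></dict>
</plist>
"""

# Constructed sample with no DTD at all; must still parse after the fix.
PLIST_PLAIN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict><key>name</key><string>ok</string></dict>
</plist>
"""


def plist_rejects_entity_decls():
    """True if plistlib refuses XML entity declarations (bpo-42051)."""
    try:
        plistlib.loads(PLIST_WITH_ENTITY)
    except plistlib.InvalidFileException:
        return True
    return False


def plist_plain_parses():
    """Sanity check: an ordinary plist is still accepted."""
    return plistlib.loads(PLIST_PLAIN) == {"name": "ok"}


def parse_qs_uses_only_ampersand():
    """True if parse_qs no longer treats ';' as a separator (bpo-42967).

    With the old behaviour 'user=alice;role=admin&x=1' yielded a separate
    'role' parameter that an '&'-only proxy or cache never saw. After the fix
    the ';' is just data inside the first value.
    """
    parsed = parse_qs("user=alice;role=admin&x=1")
    return parsed == {"user": ["alice;role=admin"], "x": ["1"]}


def parse_qs_legacy_separator():
    """True if ';' can be re-enabled only explicitly via separator= (post-fix API)."""
    try:
        parsed = parse_qs("a=1;b=2", separator=";")
    except TypeError:  # keyword absent: interpreter predates the fix
        return False
    return parsed == {"a": ["1"], "b": ["2"]}


def audit():
    """Map each check's name to its result for the running interpreter."""
    return {
        "bpo-42051 plist entity declarations rejected": plist_rejects_entity_decls(),
        "bpo-42051 plain plist still parses": plist_plain_parses(),
        "bpo-42967 parse_qs splits only on '&'": parse_qs_uses_only_ampersand(),
        "bpo-42967 separator= keyword available": parse_qs_legacy_separator(),
    }


if __name__ == "__main__":
    results = audit()
    for name, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    sys.exit(0 if all(results.values()) else 1)
```

Note that the bpo-42967 check is also the breaking change flagged above: any application that relied on ';'-separated query strings will see them collapse into a single value after the update and has to pass separator=";" explicitly.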
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-03-04 11:25:56 UTC
We need to rebuild the executable for the constant-time operator hash thing.
Comment 6 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-03-04 15:05:32 UTC
Ok, I see that I've never stable-unmasked pypy3 target, so let's stabilize the new version.  All tests should pass for dev-python/pypy on amd64, no clue about x86, pypy3 is test-restricted.
Comment 8 NATTkA bot gentoo-dev 2021-03-04 15:32:54 UTC
All sanity-check issues have been resolved
Comment 9 Agostino Sarubbo gentoo-dev 2021-03-05 20:49:03 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2021-03-05 20:49:57 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 11 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-03-05 21:07:03 UTC
cleaned up.