Bug 779841 (CVE-2021-3426) - <dev-lang/python-{3.6.13_p1,3.7.10_p1,3.8.8_p1,3.9.2_p1}: multiple vulnerabilities
Summary: <dev-lang/python-{3.6.13_p1,3.7.10_p1,3.8.8_p1,3.9.2_p1}: multiple vulnerabil...
Status: RESOLVED FIXED
Alias: CVE-2021-3426
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: A4 [glsa+ cve]
Keywords:
Depends on:
Blocks: CVE-2020-27619
Reported: 2021-04-02 23:22 UTC by Michał Górny
Modified: 2021-05-01 15:38 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-04-02 23:22:28 UTC
From the release notes:

bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.

bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network.

bpo-43439: Add audit hooks for gc.get_objects(), gc.get_referrers() and gc.get_referents(). Patch by Pablo Galindo.

=========================

I'm going to backport the patches to the latest releases to fast-stabilize them.
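The ftplib change quoted above (bpo-43285) is easiest to understand in code. The following is an added example, not code from CPython, from the Gentoo ebuilds or from this bug: it re-implements the hardened PASV handling as a standalone function that takes the port from the server's 227 reply but dials the data connection to the control-connection peer, ignoring the server-advertised IPv4 address unless the caller opts in through a flag named after the patched ftplib's `trust_server_pasv_ipv4_address` attribute. The 227 reply, the peer address and the helper names are constructed for the example.

```python
import re
from typing import Tuple

# Constructed sample values (not from the bug or from any real server):
# a 227 reply whose embedded address deliberately differs from the peer
# that the control connection is actually talking to.
SAMPLE_227 = "227 Entering Passive Mode (10,0,0,5,195,80)"
CONTROL_PEER = "203.0.113.7"

_227_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_227(resp: str) -> Tuple[str, int]:
    """Extract (host, port) from a 227 PASV reply.

    Raises ValueError for anything other than a well-formed
    '227 ... (h1,h2,h3,h4,p1,p2)' reply with in-range fields.
    """
    if not resp.startswith("227"):
        raise ValueError(f"unexpected reply to PASV: {resp!r}")
    m = _227_RE.search(resp)
    if m is None:
        raise ValueError(f"no (h1,h2,h3,h4,p1,p2) tuple in reply: {resp!r}")
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= x <= 255 for x in fields):
        raise ValueError(f"out-of-range field in reply: {resp!r}")
    h1, h2, h3, h4, p1, p2 = fields
    port = (p1 << 8) | p2
    if port == 0:
        raise ValueError("server advertised port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


def passive_endpoint(resp: str, control_peer: str,
                     trust_server_pasv_ipv4_address: bool = False) -> Tuple[str, int]:
    """Decide where the data connection should go after PASV.

    Mirrors the hardened behaviour described in the release note: the port
    always comes from the server, but the IPv4 address is taken from the
    control connection's peer unless the caller explicitly trusts the
    server (for example a NAT setup where the advertised address is
    legitimately different).
    """
    untrusted_host, port = parse_227(resp)
    host = untrusted_host if trust_server_pasv_ipv4_address else control_peer
    return host, port


def endpoint_was_overridden(resp: str, control_peer: str) -> bool:
    """True when the default policy changed the target host, i.e. the server
    advertised an address other than the one it is speaking from. Worth
    logging on a client: it is the signal the release note is about."""
    advertised, _ = parse_227(resp)
    chosen, _ = passive_endpoint(resp, control_peer)
    return advertised != chosen


if __name__ == "__main__":
    print("default policy :", passive_endpoint(SAMPLE_227, CONTROL_PEER))
    print("trusting server:", passive_endpoint(SAMPLE_227, CONTROL_PEER, True))
    print("overridden     :", endpoint_was_overridden(SAMPLE_227, CONTROL_PEER))
```

With the default policy the sample reply yields `("203.0.113.7", 50000)`: the advertised `10.0.0.5` is discarded and only the port is used. In the patched ftplib the equivalent switch is the `trust_server_pasv_ipv4_address` attribute on `ftplib.FTP`, which stays `False` unless a deployment genuinely needs the server-supplied address (the EPSV path was never affected, since it carries no address).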
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-04-02 23:28:14 UTC
(In reply to Michał Górny from comment #0)
> bpo-43439: Add audit hooks for gc.get_objects(), gc.get_referrers() and
> gc.get_referents(). Patch by Pablo Galindo.

This one's applicable to py3.8+ only.

The remaining two are applicable to all versions around, most likely including 2.7.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-04-02 23:30:27 UTC
I will not be backporting this to py2.7 tonight, so I'll open a separate bug to track it.
Comment 3 NATTkA bot gentoo-dev 2021-04-02 23:32:22 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-04-02 23:44:25 UTC Comment hidden (obsolete)
Comment 5 Rolf Eike Beer 2021-04-03 21:07:22 UTC
sparc stable
Comment 6 Thomas Deutschmann gentoo-dev Security 2021-04-04 16:04:07 UTC
x86 stable
Comment 7 Rolf Eike Beer 2021-04-05 09:16:49 UTC
hppa stable
Comment 8 Sam James archtester gentoo-dev Security 2021-04-06 19:54:05 UTC
ppc done
Comment 9 Sam James archtester gentoo-dev Security 2021-04-07 06:21:25 UTC
arm64 done
Comment 10 Sam James archtester gentoo-dev Security 2021-04-11 11:15:51 UTC
ppc64 done
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2021-04-11 12:29:55 UTC
amd64 stable
Comment 12 Sam James archtester gentoo-dev Security 2021-04-12 16:42:14 UTC
arm done

all arches done
Comment 13 John Helmert III gentoo-dev Security 2021-04-12 17:18:43 UTC
Please cleanup.
Comment 14 NATTkA bot gentoo-dev 2021-04-12 17:20:21 UTC
Resetting sanity check; package list is empty or all packages are done.
Comment 15 Larry the Git Cow gentoo-dev 2021-04-12 20:26:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=834f7d0e6ec7cc60835539a4114edbc4bd0e8930

commit 834f7d0e6ec7cc60835539a4114edbc4bd0e8930
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-04-12 20:23:04 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-04-12 20:26:05 +0000

    dev-lang/python: Remove old
    
    Bug: https://bugs.gentoo.org/779841
    Bug: https://bugs.gentoo.org/779844
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                       |  11 -
 dev-lang/python/python-2.7.18_p7.ebuild        | 358 -------------------------
 dev-lang/python/python-3.10.0_alpha6-r2.ebuild | 350 ------------------------
 dev-lang/python/python-3.6.13.ebuild           | 341 -----------------------
 dev-lang/python/python-3.7.10.ebuild           | 333 -----------------------
 dev-lang/python/python-3.8.8.ebuild            | 339 -----------------------
 dev-lang/python/python-3.9.2.ebuild            | 348 ------------------------
 dev-lang/python/python-3.9.3.ebuild            | 348 ------------------------
 8 files changed, 2428 deletions(-)
Comment 16 Thomas Deutschmann gentoo-dev Security 2021-04-30 23:27:37 UTC
Added to an existing GLSA request.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2021-05-01 00:01:41 UTC
This issue was resolved and addressed in
 GLSA 202104-04 at https://security.gentoo.org/glsa/202104-04
by GLSA coordinator Thomas Deutschmann (whissi).