Bug 793833 - <dev-lang/python-{2.7.18_p11,3.6.13_p5,3.7.10_p6,3.8.10_p2,3.9.5_p2,3.10.0_beta2}, <dev-python/pypy-7.3.4_p1, <dev-python/pypy3-{7.3.4_p2,7.3.5_rc3_p1}: multiple vulnerabilities
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-06-02 07:15 UTC by Michał Górny
Modified: 2021-09-20 16:26 UTC (History)

See Also:
Package list:
dev-lang/python-2.7.18_p11 dev-python/pypy-7.3.4_p1 amd64 x86
Runtime testing required: ---
nattka: sanity-check-


Attachments

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-06-02 07:15:03 UTC
Will investigate applicable versions shortly.


1. bpo-44022: Fix http client infinite line reading (DoS) after an HTTP 100 Continue (GH-25916)

   Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.


2. bpo-36384: Leading zeros in IPv4 addresses are no longer tolerated (GH-25099)

   Reverts commit e653d4d8e820a7a004ad399530af0135b45db27a and makes
   parsing even more strict. Like socket.inet_pton() any leading zero
   is now treated as invalid input.


3. bpo-43998: Default to TLS 1.2 and increase cipher suite security (GH-25778)

   The ssl module now has more secure default settings. Ciphers without forward
   secrecy or SHA-1 MAC are disabled by default. Security level 2 prohibits
   weak RSA, DH, and ECC keys with less than 112 bits of security.
   `ssl.SSLContext` defaults to minimum protocol version TLS 1.2.
   Settings are based on Hynek Schlawack's research.


and possibly:

4. bpo-43650: Fix MemoryError on zip.read in shutil._unpack_zipfile for large files (GH-25058)

   `shutil.unpack_archive()` tries to read the whole file into memory, making no use of any kind of smaller buffer. Process crashes for really large files: i.e. archive: ~1.7G, unpacked: ~10G. Before the crash it can easily take away all available RAM on smaller systems. Had to pull the code from `zipfile.ZipFile.extractall()` to fix this
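An added example illustrating items 2 and 3 above; this is not code from the Gentoo bug, from the listed patches, or from CPython. The first half is a strict dotted-quad parser that rejects the leading-zero forms bpo-36384 made invalid and shows why they matter: libc's inet_aton() reads "010" as octal 8, so an allow-list check done on the text and the later connect() can name two different hosts. The second half builds an ssl context with the properties bpo-43998 made default (TLS 1.2 floor, forward-secret key exchange only, no SHA-1 MAC) and a checker that reports what a given context still allows. The cipher string and all helper names are this example's own assumptions, not the exact values CPython adopted.

```python
"""Added example for bpo-36384 (strict IPv4 text) and bpo-43998 (ssl defaults).
Not from the Gentoo bug or CPython; helper names and the cipher string are
this example's own choices."""
import re
import socket
import ssl

# A canonical octet is "0" or a 1-3 digit number without a leading zero.
_OCTET = r"(?:0|[1-9][0-9]{0,2})"
_STRICT_IPV4 = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")


def parse_ipv4_strict(text: str) -> bytes:
    """Return the 4 packed bytes of a canonical dotted-quad, else raise ValueError.

    Mirrors the post-fix behaviour of ipaddress/socket.inet_pton(): any
    leading zero is rejected rather than guessed at as octal or decimal."""
    if not _STRICT_IPV4.match(text):
        raise ValueError(f"not a canonical IPv4 address: {text!r}")
    octets = [int(part) for part in text.split(".")]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range: {text!r}")
    return bytes(octets)


def is_canonical_ipv4(text: str) -> bool:
    try:
        parse_ipv4_strict(text)
        return True
    except ValueError:
        return False


def libc_and_strict_disagree(text: str) -> bool:
    """True when libc's inet_aton() accepts `text` but a strict decimal parse
    rejects it or yields different bytes (the allow-list bypass case)."""
    try:
        libc_bytes = socket.inet_aton(text)
    except OSError:
        return False          # libc rejects it as well; nothing is ambiguous
    try:
        return libc_bytes != parse_ipv4_strict(text)
    except ValueError:
        return True           # strict parser rejects what libc accepted


# OpenSSL labels the key exchange of TLS 1.3 suites "any" (always ephemeral).
_FORWARD_SECRET_KX = {"ECDH", "DH", "any"}


def hardened_client_context() -> ssl.SSLContext:
    """Client context with the properties the new ssl defaults provide."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Cipher string chosen for this example (assumption): ephemeral (EC)DH key
    # exchange and AEAD suites only, so no static-RSA kx and no SHA-1 MAC.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL")
    return ctx


def context_problems(ctx: ssl.SSLContext) -> list:
    """List what `ctx` still permits that the hardened defaults forbid."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append(f"minimum_version={ctx.minimum_version.name}")
    for cipher in ctx.get_ciphers():
        # OpenSSL's description line looks like:
        # "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"
        fields = dict(tok.split("=", 1)
                      for tok in cipher["description"].split() if "=" in tok)
        if fields.get("Kx") not in _FORWARD_SECRET_KX:
            problems.append(f"{cipher['name']}: no forward secrecy (Kx={fields.get('Kx')})")
        if fields.get("Mac") == "SHA1":
            problems.append(f"{cipher['name']}: SHA-1 MAC")
    return problems


if __name__ == "__main__":
    # Constructed inputs: one canonical address, one leading-zero form.
    for addr in ("10.0.0.1", "010.0.0.1"):
        print(addr, "canonical:", is_canonical_ipv4(addr),
              "libc disagrees:", libc_and_strict_disagree(addr))
    plain = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    print("plain context problems:", len(context_problems(plain)))
    print("hardened context problems:", context_problems(hardened_client_context()))
```

Running the script on an interpreter from before the fix shows the gap the bug closes: the strict parser and libc disagree on "010.0.0.1", while a plain context, depending on the OpenSSL build, still lists static-RSA and SHA-1-MAC suites that the hardened context does not.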
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-06-02 08:10:23 UTC
Applicable:

3.10.0b2: (none)
3.9.5_p1: 1 3 4
3.8.10_p1: 1 3 4
3.7.10_p4: 1 2* 3 4
[to be continued]

* the 'bigger' regression in IPv4 addr parsing was added in 3.8 but I've backported making it even more strict now

I'm working on patches for 3.7 now; also need to wait for 3.7 cleanup on my system to complete as leftover packages break CPython's test suite x_x.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-06-02 09:10:24 UTC
3.6.13_p4: 1 2* 3+ 4
2.7.18_p10: 1+ 3+

pypy3 7.3.5_rc3: 1 2* 3+ 4
pypy 7.3.5_rc3: 1+ 3+

+ I am not going to backport this patch as it's too much effort for little gain
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-06-02 09:36:06 UTC
Let's skip the earlier revision where applicable and stabilize newest revisions for all versions.
Comment 4 Sam James archtester gentoo-dev Security 2021-06-02 22:44:19 UTC
arm done
Comment 5 Sam James archtester gentoo-dev Security 2021-06-03 00:41:23 UTC
arm64 done
Comment 6 Rolf Eike Beer archtester 2021-06-03 16:56:48 UTC
sparc stable
Comment 7 Rolf Eike Beer archtester 2021-06-05 11:49:44 UTC
hppa stable
Comment 8 Sam James archtester gentoo-dev Security 2021-06-11 05:36:57 UTC
ppc done
Comment 9 Sam James archtester gentoo-dev Security 2021-06-12 00:31:40 UTC
amd64 done
Comment 10 Sam James archtester gentoo-dev Security 2021-06-12 00:32:02 UTC
x86 done
Comment 11 Sam James archtester gentoo-dev Security 2021-06-15 19:40:40 UTC
ppc64 done

all arches done
Comment 12 John Helmert III gentoo-dev Security 2021-06-16 01:56:41 UTC
Thank you! Please cleanup.
Comment 13 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-06-16 11:16:26 UTC
Cleanups pushed.
Comment 14 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-06-19 18:52:11 UTC
So I've eventually backported it to Python 2.7, and I'm testing it now.  Once done, should I reuse this bug to stabilize Python 2.7 and PyPy, or file another one?
Comment 15 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-06-19 19:23:09 UTC
Sam said to reuse!
Comment 16 NATTkA bot gentoo-dev 2021-06-19 19:28:26 UTC Comment hidden (obsolete)
Comment 17 Rolf Eike Beer archtester 2021-06-20 15:46:00 UTC
sparc done
Comment 18 Sam James archtester gentoo-dev Security 2021-06-21 19:04:05 UTC
arm64 done
Comment 19 Sam James archtester gentoo-dev Security 2021-06-22 19:38:01 UTC
arm done
Comment 20 Sam James archtester gentoo-dev Security 2021-06-24 21:51:05 UTC
ppc done
Comment 21 Sam James archtester gentoo-dev Security 2021-06-24 21:51:22 UTC
ppc64 done
Comment 22 Rolf Eike Beer archtester 2021-06-25 18:43:41 UTC
hppa stable
Comment 23 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2021-07-17 14:04:52 UTC
stabilized
Comment 24 NATTkA bot gentoo-dev 2021-09-03 07:00:34 UTC Comment hidden (obsolete)
Comment 25 NATTkA bot gentoo-dev 2021-09-20 16:24:38 UTC
Unable to check for sanity:

> no match for package: dev-lang/python-2.7.18_p11