Bug 945845 - <dev-lang/python-{3.13.1,3.12.8,3.11.11,3.10.16,3.9.21,3.8.20_p3}, <dev-lang/pypy-3.10.7.3.17_p4: multiple vulnerabilities
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal (priority) / normal (severity)
Assignee: Gentoo Security
Whiteboard: B2 [stable]
Depends on: 945852 945848 945849 945850 945851 945853 945876
Reported: 2024-12-04 08:18 UTC by Michał Górny
Modified: 2024-12-10 07:29 UTC (History)
Description by Michał Górny, 2024-12-04 08:18:19 UTC
From https://www.python.org/downloads/release/python-3921/ (most of them apply to other versions too):

- gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to consistently use the mapped IPv4 address value for deciding properties. Properties which have their behavior fixed are is_multicast, is_reserved, is_link_local, is_global, and is_unspecified.
- gh-124651: Properly quote template strings in venv activation scripts.
- gh-103848: Added checks to ensure that [ bracketed ] hosts found by urllib.parse.urlsplit() are of IPv6 or IPvFuture format.
- gh-95588: Clarified the conflicting advice given in the ast documentation about ast.literal_eval() being “safe” for use on untrusted input while at the same time warning that it can crash the process. The latter statement is true and is deemed unfixable without a large amount of work unsuitable for a bugfix. So we keep the warning and no longer claim that literal_eval is safe.
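Two of the fixes listed above (gh-103848 and gh-122792) matter most where an application decides, from a parsed URL, whether it may contact a host at all: an allowlist that trusts `urlsplit()` to have validated a `[...]` host, or one that asks an `IPv6Address` whether it is multicast or link-local, gives different answers on a patched and an unpatched interpreter. The following is an added example, not code from CPython or from the Gentoo bug: it applies both rules itself (only IPv6 or IPvFuture literals inside brackets; IPv4-mapped addresses judged by their mapped IPv4 value), so the result does not depend on which Python is installed, and it includes a probe that reports whether the running `urlsplit()` already carries the gh-103848 check. The allow policy (global unicast only), the sample URLs and all function names are this example's own assumptions.

```python
# Added example (not code from CPython or Gentoo): an outbound-request host check
# that enforces the gh-103848 bracketed-host rule and the gh-122792 IPv4-mapped
# rule locally, so a patched and an unpatched interpreter reach the same decision.
# The allow policy (global unicast only) and the function names are assumptions.
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 3986 IPvFuture: "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE = re.compile(r"\A[vV][0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+\Z")


def stdlib_rejects_bad_bracketed_host() -> bool:
    """Probe: does this interpreter's urlsplit() carry the gh-103848 check?

    A fixed CPython raises ValueError for a bracketed host that is neither an
    IPv6 literal nor an IPvFuture literal; an unfixed one parses it silently.
    """
    try:
        urlsplit("http://[not-an-ip]/")
    except ValueError:
        return True
    return False


def bracketed_host_ok(literal: str) -> bool:
    """The gh-103848 rule applied locally: [...] may hold IPv6 or IPvFuture only."""
    if _IPVFUTURE.match(literal):
        return True
    try:
        return isinstance(ipaddress.ip_address(literal), ipaddress.IPv6Address)
    except ValueError:
        return False


def effective_address(text: str):
    """Unwrap an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to its IPv4 value.

    gh-122792 makes the is_* properties consult the mapped value internally;
    doing it explicitly keeps the policy below independent of the interpreter.
    """
    addr = ipaddress.ip_address(text)
    mapped = getattr(addr, "ipv4_mapped", None)  # None for IPv4 and non-mapped IPv6
    return mapped if mapped is not None else addr


def address_allowed(text: str) -> bool:
    """Assumed policy: only global unicast targets may be contacted."""
    a = effective_address(text)
    return (a.is_global and not a.is_multicast and not a.is_reserved
            and not a.is_link_local and not a.is_unspecified)


def check_url_host(url: str) -> str:
    """Classify the host of *url*: 'allow: <addr>', 'reject: <why>' or
    'resolve: <name>' (a DNS name must be resolved and every A/AAAA record
    passed through address_allowed(); that step is out of scope here)."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # a patched urlsplit already rejects bad [...] hosts
        return f"reject: urlsplit: {exc}"
    netloc = parts.netloc
    if "[" in netloc and "]" in netloc:
        literal = netloc.partition("[")[2].partition("]")[0]
        if not bracketed_host_ok(literal):
            return "reject: bracketed host is neither IPv6 nor IPvFuture"
        if literal[:1].lower() == "v":
            return "reject: IPvFuture literal, nothing to connect to"
        host = literal
    else:
        host = parts.hostname or ""
        if not host:
            return "reject: empty host"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return f"resolve: {host}"
    if address_allowed(host):
        return f"allow: {effective_address(host)}"
    return f"reject: {effective_address(host)} is not a global unicast address"


if __name__ == "__main__":
    # Constructed sample URLs; the IPv4-mapped ones are the gh-122792 cases.
    samples = [
        "http://[::ffff:224.0.0.1]/",    # multicast once unwrapped
        "http://[::ffff:169.254.1.1]/",  # link-local once unwrapped
        "http://[::ffff:0.0.0.0]/",      # unspecified once unwrapped
        "http://[::ffff:8.8.8.8]/",      # ordinary global address, just mapped
        "http://[8.8.8.8]/",             # IPv4 in brackets: gh-103848 rejects this
        "http://[not-an-ip]/",
        "http://[v1.fe80::a]/",          # well-formed IPvFuture
        "http://127.0.0.1:8080/",
        "http://example.com/",
    ]
    print("stdlib urlsplit enforces gh-103848:", stdlib_rejects_bad_bracketed_host())
    for u in samples:
        print(f"{u:34} -> {check_url_host(u)}")
```

Run it on an unpatched interpreter and the probe prints `False` while the sample decisions stay the same; that is the point of doing the two checks in the application rather than relying on the stdlib version. A DNS name still has to be resolved and each returned record re-checked with `address_allowed()`, since a name can resolve to a mapped or link-local address just as a literal can.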
Comment 1 by Larry the Git Cow, 2024-12-07 11:27:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b8d345dfd9f4670b75e9b9bc1e4a583590c4fc8c

commit b8d345dfd9f4670b75e9b9bc1e4a583590c4fc8c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-12-07 11:24:18 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-12-07 11:26:46 +0000

    profiles: mask =dev-lang/python-3.12.8 and =dev-lang/python-3.13.1
    
    3.12.8 and 3.13.1 break Mozilla's build system `mach` which is used in
    firefox, thunderbird, and spidermonkey. It's not clear if it's a CPython
    bug or a Mozilla bug (I've informed both sides) but the CVEs fixed in
    these security releases are rather minor indeed, especially when weighed
    against those packages being unbuildable.
    
    LLVM 19 and Rust 1.82.0 got stabled last night together with a default
    change to LLVM 19 which means more users will hit this too as they have
    to rebuild FF and friends.
    
    Done as lesser of two evils after discussion w/ mgorny.
    
    Bug: https://bugs.gentoo.org/945857
    Bug: https://bugs.gentoo.org/945882
    Bug: https://bugs.gentoo.org/946002
    Bug: https://bugs.gentoo.org/945850
    Bug: https://bugs.gentoo.org/945849
    Bug: https://bugs.gentoo.org/945845
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 2 by Hans de Graaff, 2024-12-07 11:32:30 UTC
I have changed the severity to B2 since the venv vulnerability does allow arbitrary code execution, but only in specific situations that are not the default for python itself.
Comment 3 by Larry the Git Cow, 2024-12-10 07:29:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dc748f0c28bf1de31edeb0c62de5ce2c4662e2c1

commit dc748f0c28bf1de31edeb0c62de5ce2c4662e2c1
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2024-12-10 07:26:25 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2024-12-10 07:26:25 +0000

    profiles: unmask =dev-lang/python-3.12.8 and =dev-lang/python-3.13.1
    
     - Mozilla stack, both latest stable and unstable, is handled with an upstream
       patch for these python versions.
    
    Bug: https://bugs.gentoo.org/945857
    Bug: https://bugs.gentoo.org/945882
    Bug: https://bugs.gentoo.org/946002
    Bug: https://bugs.gentoo.org/945850
    Bug: https://bugs.gentoo.org/945849
    Bug: https://bugs.gentoo.org/945845
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 profiles/package.mask | 10 ----------
 1 file changed, 10 deletions(-)