Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 728668 (CVE-2020-14422) - <dev-lang/python-{3.6.11-r1, 3.7.8-r1, 3.8.3-r1}: Multiple vulnerabilities (CVE-2020-14422)
Summary: <dev-lang/python-{3.6.11-r1, 3.7.8-r1, 3.8.3-r1}: Multiple vulnerabilities (C...
Status: RESOLVED FIXED
Alias: CVE-2020-14422
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugs.python.org/issue41004
Whiteboard: A3 [glsa+ cve]
Keywords: CC-ARCHES
Depends on: CVE-2019-20907
Blocks:
  Show dependency tree
 
Reported: 2020-06-18 14:50 UTC by Sam James
Modified: 2020-08-02 03:25 UTC (History)
2 users (show)

See Also:
Package list:
dev-lang/python-3.6.11-r1 dev-lang/python-3.7.8-r1 dev-lang/python-3.8.3-r1
Runtime testing required: ---
nattka: sanity-check-


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-18 14:50:43 UTC
Description:
"Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created."

Bug: https://bugs.python.org/issue41004
PR: https://github.com/python/cpython/pull/20956
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-04 18:55:34 UTC
Another vulnerability has been reported.

"Email module incorrect handling of CR and LF newline characters in Address objects."

Bug: https://bugs.python.org/issue39073

Python 3.6 patch: https://github.com/python/cpython/commit/7df32f844efed33ca781a016017eab7050263b90
Python 3.7 patch: https://github.com/python/cpython/commit/a93bf82980d7c02217a088bafa193f32a4d13abb
Python 3.8 patch: https://github.com/python/cpython/commit/75635c6095bcfbb9fccc239115d3d03ae20a307f
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-07-04 19:48:30 UTC
Both are resolved in 3.9.0b4.

Both are queued for 3.8.4 final, I'll backport them in the meantime.

CRLF bug is fixed already in 3.7.8 and 3.6.11, I'll backport the ipaddress fix.

ipaddress does not exist in 2.7, and the relevant email class doesn't seem to exist either.
Comment 3 Larry the Git Cow gentoo-dev 2020-07-04 19:51:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3095f51cda2c13d8289c53966bd9f4ac354e5d73

commit 3095f51cda2c13d8289c53966bd9f4ac354e5d73
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-07-04 19:49:43 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-07-04 19:50:56 +0000

    dev-lang/python: Backport CVE-2020-14422 & emailaddr CRLF fixes
    
    Bug: https://bugs.gentoo.org/728668
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                                          | 6 +++---
 dev-lang/python/{python-3.6.11.ebuild => python-3.6.11-r1.ebuild} | 2 +-
 dev-lang/python/{python-3.7.8.ebuild => python-3.7.8-r1.ebuild}   | 2 +-
 dev-lang/python/{python-3.8.3.ebuild => python-3.8.3-r1.ebuild}   | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-07-05 13:53:40 UTC
amd64 done
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2020-07-06 07:35:16 UTC
ppc64 stable
Comment 6 Rolf Eike Beer archtester 2020-07-06 16:51:31 UTC
sparc stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2020-07-08 07:49:12 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-07-09 09:09:13 UTC
x86 stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-11 11:53:58 UTC
arm64 stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-16 22:32:57 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-07-20 06:52:34 UTC
s390 stable
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-20 16:12:38 UTC
Fixed versions:
* dev-lang/python-3.6.11-r1
* dev-lang/python-3.7.8-r1
* dev-lang/python-3.8.3-r1

Python 2.x unclear if affected. Finishing stabilisation in bug 732498.
Comment 13 NATTkA bot gentoo-dev 2020-07-22 15:33:05 UTC
Unable to check for sanity:

> dependent bug #732498 is missing keywords
Comment 14 Larry the Git Cow gentoo-dev 2020-08-02 02:46:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6b56771127f16adedc71c66627bd4a5b7804af9

commit b6b56771127f16adedc71c66627bd4a5b7804af9
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-08-02 02:45:31 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-08-02 02:46:01 +0000

    dev-lang/python: drop vulnerable
    
    Bug: https://bugs.gentoo.org/732498
    Bug: https://bugs.gentoo.org/728668
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-lang/python/Manifest                |  12 --
 dev-lang/python/python-2.7.18.ebuild    | 366 --------------------------------
 dev-lang/python/python-3.6.10-r2.ebuild | 357 -------------------------------
 dev-lang/python/python-3.6.11-r1.ebuild | 357 -------------------------------
 dev-lang/python/python-3.7.7-r2.ebuild  | 343 ------------------------------
 dev-lang/python/python-3.7.8-r1.ebuild  | 343 ------------------------------
 dev-lang/python/python-3.8.2-r2.ebuild  | 346 ------------------------------
 dev-lang/python/python-3.8.3-r1.ebuild  | 346 ------------------------------
 dev-lang/python/python-3.8.4.ebuild     | 346 ------------------------------
 9 files changed, 2816 deletions(-)
Comment 15 NATTkA bot gentoo-dev 2020-08-02 02:48:51 UTC
Unable to check for sanity:

> no match for package: dev-lang/python-3.6.11-r1
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2020-08-02 03:21:34 UTC
This issue was resolved and addressed in
 GLSA 202008-01 at https://security.gentoo.org/glsa/202008-01
by GLSA coordinator Sam James (sam_c).
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-02 03:25:37 UTC
(hppa did the newer bug).