Bug 766189 (CVE-2021-3177) - <dev-lang/python-{2.7.18-r6, 3.6.12-r2, 3.7.9-r2, 3.8.7-r1, 3.9.1-r1}: buffer overflow with malicious floats (CVE-2021-3177)
Status: RESOLVED FIXED
Alias: CVE-2021-3177
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
URL: https://bugs.python.org/issue42938
Whiteboard: A1 [glsa+ cve]
Reported: 2021-01-19 19:23 UTC by John Helmert III (ajak)
Modified: 2021-02-19 15:08 UTC
Description John Helmert III (ajak) gentoo-dev Security 2021-01-19 19:23:49 UTC
CVE-2021-3177 (https://bugs.python.org/issue42938):

Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.


Looks like none of the patches linked in the upstream issue have been
released, so please patch.
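
The overflow described above, as an added example (not code from CPython or from this bug report): it measures how many bytes a `%f` rendering of a double needs against a fixed-size buffer, and shows a bounded `snprintf` form that reports truncation. The 256-byte buffer size, the format string and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: the fixed stack buffer is 256 bytes (size not stated on this page). */
#define REPR_BUF_SIZE 256

/* Length, excluding the NUL, that the "%f" repr needs for a value.
 * snprintf(NULL, 0, ...) only measures; nothing is written anywhere. */
int repr_len_needed(char tag, double value)
{
    return snprintf(NULL, 0, "<cparam '%c' (%f)>", tag, value);
}

/* 1 if an unbounded sprintf into REPR_BUF_SIZE bytes would write past the end. */
int would_overflow(char tag, double value)
{
    int n = repr_len_needed(tag, value);
    return n < 0 || (size_t)n + 1 > REPR_BUF_SIZE;
}

/* Hardened form: bounded write, always NUL-terminated.
 * Returns 0 if the whole repr fit, -1 if it was truncated or formatting failed. */
int safe_repr(char *out, size_t outsz, char tag, double value)
{
    int n;
    if (out == NULL || outsz == 0)
        return -1;
    n = snprintf(out, outsz, "<cparam '%c' (%f)>", tag, value);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    return (size_t)n < outsz ? 0 : -1;
}

int main(void)
{
    char buf[REPR_BUF_SIZE];
    double samples[] = { 1.5, 1e22, 1e300 };   /* constructed inputs */
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = safe_repr(buf, sizeof buf, 'd', samples[i]);
        printf("%-8g needs %3d bytes, overflow=%d, safe_repr=%d\n", samples[i],
               repr_len_needed('d', samples[i]) + 1, would_overflow('d', samples[i]), rc);
    }
    return 0;
}
```

`%f` prints every integer digit of the value, so the output length grows with the exponent; a format such as `%g` or `%e` keeps it bounded regardless of magnitude.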
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-01-19 22:06:00 UTC
In case anyone's wondering, 2.7 is affected too. I'm going to see how hard it would be to adapt the patch. In the meantime, I'll fix all 3.x versions.
Comment 2 Larry the Git Cow gentoo-dev 2021-01-19 22:06:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=afa94fe2afbd6863228b94d9184ffe6190d7a14a

commit afa94fe2afbd6863228b94d9184ffe6190d7a14a
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-01-19 21:59:32 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-01-19 22:06:06 +0000

    dev-lang/python: Backport CVE-2021-3177 fix to 3.6.12
    
    Bug: https://bugs.gentoo.org/766189
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.6.12-r2.ebuild | 331 ++++++++++++++++++++++++++++++++
 2 files changed, 332 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=96cd00de5e0021e3e1a3812982a7fc590ab361a6

commit 96cd00de5e0021e3e1a3812982a7fc590ab361a6
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-01-19 21:57:56 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-01-19 22:06:05 +0000

    dev-lang/python: Backport CVE-2021-3177 fix to 3.7.9
    
    Bug: https://bugs.gentoo.org/766189
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest               |   1 +
 dev-lang/python/python-3.7.9-r2.ebuild | 317 +++++++++++++++++++++++++++++++++
 2 files changed, 318 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=feb36e92467d2547976489d894944602466989c9

commit feb36e92467d2547976489d894944602466989c9
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-01-19 21:56:12 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-01-19 22:06:04 +0000

    dev-lang/python: Backport CVE-2021-3177 fix to 3.8.7
    
    Bug: https://bugs.gentoo.org/766189
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                                        | 2 +-
 dev-lang/python/{python-3.8.7.ebuild => python-3.8.7-r1.ebuild} | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=67b08d18957ef352601eda27cb72ecc63f25111d

commit 67b08d18957ef352601eda27cb72ecc63f25111d
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-01-19 21:54:37 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-01-19 22:06:03 +0000

    dev-lang/python: Backport CVE-2021-3177 fix to 3.9.1
    
    Bug: https://bugs.gentoo.org/766189
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                                        | 2 +-
 dev-lang/python/{python-3.9.1.ebuild => python-3.9.1-r1.ebuild} | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e13e61125aba6cb270446b922b810c6eb7c1af9b

commit e13e61125aba6cb270446b922b810c6eb7c1af9b
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-01-19 21:52:07 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-01-19 22:06:02 +0000

    dev-lang/python: Backport CVE-2021-3177 fix to 3.10.0a3
    
    Bug: https://bugs.gentoo.org/766189
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                                                | 2 +-
 .../{python-3.10.0_alpha3.ebuild => python-3.10.0_alpha3-r1.ebuild}     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 3 Larry the Git Cow gentoo-dev 2021-01-20 00:12:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fcd672dfa8a4bf786afb13aa4ebeb42870b20524

commit fcd672dfa8a4bf786afb13aa4ebeb42870b20524
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-01-19 23:00:32 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-01-20 00:12:08 +0000

    dev-lang/python: Backport CVE-2021-3177 fix to 2.7.18
    
    Bug: https://bugs.gentoo.org/766189
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-2.7.18-r6.ebuild | 347 ++++++++++++++++++++++++++++++++
 2 files changed, 348 insertions(+)
Comment 4 NATTkA bot gentoo-dev 2021-01-21 10:57:05 UTC Comment hidden (obsolete)
Comment 5 Larry the Git Cow gentoo-dev 2021-01-21 11:15:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/proj/prefix.git/commit/?id=c2262f56e55776bf22a3d3e24bb470acc6292264

commit c2262f56e55776bf22a3d3e24bb470acc6292264
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2021-01-21 11:15:41 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2021-01-21 11:15:41 +0000

    dev-lang/python: cleanup/fix vulnerable non-masked versions
    
    - bump 3.8.7-r1, 3.9.1-r1
    - remove 3.7.8-r2, 3.8.6-r1
    
    Bug: https://bugs.gentoo.org/766189
    Package-Manager: Portage-3.0.12.0.2-prefix, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 dev-lang/python/Manifest                           |  11 +-
 dev-lang/python/python-3.7.8-r2.ebuild             | 447 ---------------------
 dev-lang/python/python-3.8.6-r1.ebuild             | 431 --------------------
 ...{python-3.8.7.ebuild => python-3.8.7-r1.ebuild} |  36 +-
 ...{python-3.9.1.ebuild => python-3.9.1-r1.ebuild} |   2 +-
 5 files changed, 4 insertions(+), 923 deletions(-)
Comment 6 NATTkA bot gentoo-dev 2021-01-21 11:29:37 UTC Comment hidden (obsolete)
Comment 7 Rolf Eike Beer 2021-01-22 14:42:01 UTC
sparc already done
Comment 8 Sam James archtester gentoo-dev Security 2021-01-23 02:40:57 UTC
arm64 done
Comment 9 Sam James archtester gentoo-dev Security 2021-01-23 02:42:02 UTC
arm done
Comment 10 Sam James archtester gentoo-dev Security 2021-01-24 19:25:21 UTC
amd64 done
Comment 11 Sam James archtester gentoo-dev Security 2021-01-24 22:00:11 UTC
ppc64 done
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2021-01-25 00:00:47 UTC
This issue was resolved and addressed in
 GLSA 202101-18 at https://security.gentoo.org/glsa/202101-18
by GLSA coordinator Aaron Bauman (b-man).
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2021-01-25 00:01:50 UTC
re-opened for final arches and cleanup
Comment 14 Sam James archtester gentoo-dev Security 2021-01-27 22:44:43 UTC
ppc done
Comment 15 Rolf Eike Beer 2021-02-05 09:51:01 UTC
hppa stable
Comment 16 Sam James archtester gentoo-dev Security 2021-02-05 21:35:43 UTC
s390 done
Comment 17 Thomas Deutschmann gentoo-dev Security 2021-02-19 01:14:11 UTC
x86 stable
Comment 18 NATTkA bot gentoo-dev 2021-02-19 01:17:00 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 19 John Helmert III (ajak) gentoo-dev Security 2021-02-19 01:41:01 UTC
Please clean up.
Comment 20 Larry the Git Cow gentoo-dev 2021-02-19 08:22:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ffd46762b623fb179b5630dd033cd7d177bc4035

commit ffd46762b623fb179b5630dd033cd7d177bc4035
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-02-19 08:17:37 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-02-19 08:22:01 +0000

    dev-lang/python: Remove old
    
    Bug: https://bugs.gentoo.org/766189
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                       |  11 -
 dev-lang/python/python-2.7.18-r5.ebuild        | 348 ------------------------
 dev-lang/python/python-3.10.0_alpha3-r1.ebuild | 334 -----------------------
 dev-lang/python/python-3.10.0_alpha4.ebuild    | 353 -------------------------
 dev-lang/python/python-3.6.12-r1.ebuild        | 332 -----------------------
 dev-lang/python/python-3.7.9-r1.ebuild         | 318 ----------------------
 dev-lang/python/python-3.8.6-r1.ebuild         | 322 ----------------------
 dev-lang/python/python-3.9.0-r1.ebuild         | 331 -----------------------
 8 files changed, 2349 deletions(-)
Comment 21 John Helmert III (ajak) gentoo-dev Security 2021-02-19 15:08:05 UTC
Thank you! Tree is clean.