Python-2 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647 CVE-2018-1000802

  • Done
Details
4 participants
  • Leo Famulari
  • Ludovic Courtès
  • Marius Bakke
  • Mark H Weaver
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
Leo Famulari wrote on 29 Sep 2018 21:18
(address . bug-guix@gnu.org)
20180929191827.GA17619@jasmine.lan
Here are some bugs that apply to our Python 2.7.14 package.

CVE-2018-1060 (fixed upstream in Python 2.7.15):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060

CVE-2018-1061 (fixed upstream in Python 2.7.15):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061

CVE-2018-14647 (fixed in unreleased CPython commit
18b20bad75b4ff0486940fba4ec680e96e70f3a2):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647

CVE-2018-1000802 (fixed in unreleased CPython commit
d8b103b8b3ef9644805341216963a64098642435):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802


Ludovic Courtès wrote on 3 Oct 2018 22:56
control message for bug #32877
(address . control@debbugs.gnu.org)
87h8i2lpf1.fsf@gnu.org
tags 32877 security
Marius Bakke wrote on 6 Oct 2018 18:53
Re: bug#32877: Python-2 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647 CVE-2018-1000802
87in2fhv8v.fsf@fastmail.com
Leo Famulari <leo@famulari.name> writes:

> Here are some bugs that apply to our Python 2.7.14 package.
>
> CVE-2018-1060 (fixed upstream in Python 2.7.15):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060
>
> CVE-2018-1061 (fixed upstream in Python 2.7.15):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061
>
> CVE-2018-14647 (fixed in unreleased CPython commit
> 18b20bad75b4ff0486940fba4ec680e96e70f3a2):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
>
> CVE-2018-1000802 (fixed in unreleased CPython commit
> d8b103b8b3ef9644805341216963a64098642435):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802

Here is a patch that should fix these:
WDYT?

Leo Famulari wrote on 10 Oct 2018 21:14
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 32877@debbugs.gnu.org)
20181010191425.GA22832@jasmine.lan
On Sat, Oct 06, 2018 at 06:53:36PM +0200, Marius Bakke wrote:
> From 2891a9acb7704c3397ef34fbb520b46936504422 Mon Sep 17 00:00:00 2001
> From: Marius Bakke <mbakke@fastmail.com>
> Date: Sat, 6 Oct 2018 18:50:47 +0200
> Subject: [PATCH] gnu: python2: Add upstream security fixes.
>
> This addresses CVE-2018-{1060,1061,14647,1000802}.
>
> * gnu/packages/patches/python2-CVE-2018-1000802.patch,
> gnu/packages/patches/python2-CVE-2018-1060.patch,
> gnu/packages/patches/python2-CVE-2018-1061.patch,
> gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/python.scm (python-2/fixed): New variable.
> (python-2.7)[replacement]: New field.
> (python2-minimal): Use PACKAGE/INHERIT.

Thanks! I did some basic tests and things seem to work.


Mark H Weaver wrote on 11 Oct 2018 10:03
(name . Leo Famulari)(address . leo@famulari.name)
87o9c0ykol.fsf@netris.org
Leo Famulari <leo@famulari.name> writes:

> On Sat, Oct 06, 2018 at 06:53:36PM +0200, Marius Bakke wrote:
>> From 2891a9acb7704c3397ef34fbb520b46936504422 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <mbakke@fastmail.com>
>> Date: Sat, 6 Oct 2018 18:50:47 +0200
>> Subject: [PATCH] gnu: python2: Add upstream security fixes.
>>
>> This addresses CVE-2018-{1060,1061,14647,1000802}.
>>
>> * gnu/packages/patches/python2-CVE-2018-1000802.patch,
>> gnu/packages/patches/python2-CVE-2018-1060.patch,
>> gnu/packages/patches/python2-CVE-2018-1061.patch,
>> gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/python.scm (python-2/fixed): New variable.
>> (python-2.7)[replacement]: New field.
>> (python2-minimal): Use PACKAGE/INHERIT.
>
> Thanks! I did some basic tests and things seem to work.

I added this commit to my private branch a few days ago, along with the
Python-3 CVE-2018-14647 fix (with the added hunk), updated my GuixSD
GNOME 3 system and user profile, and everything seems to be working
well.

I think they are both ready to push to master.

Thank you, Marius!

Mark
Marius Bakke wrote on 17 Oct 2018 20:35
(address . 32877-done@debbugs.gnu.org)
875zy0h14q.fsf@fastmail.com
Mark H Weaver <mhw@netris.org> writes:

> Leo Famulari <leo@famulari.name> writes:
>
>> On Sat, Oct 06, 2018 at 06:53:36PM +0200, Marius Bakke wrote:
>>> From 2891a9acb7704c3397ef34fbb520b46936504422 Mon Sep 17 00:00:00 2001
>>> From: Marius Bakke <mbakke@fastmail.com>
>>> Date: Sat, 6 Oct 2018 18:50:47 +0200
>>> Subject: [PATCH] gnu: python2: Add upstream security fixes.
>>>
>>> This addresses CVE-2018-{1060,1061,14647,1000802}.
>>>
>>> * gnu/packages/patches/python2-CVE-2018-1000802.patch,
>>> gnu/packages/patches/python2-CVE-2018-1060.patch,
>>> gnu/packages/patches/python2-CVE-2018-1061.patch,
>>> gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
>>> * gnu/local.mk (dist_patch_DATA): Register it.
>>> * gnu/packages/python.scm (python-2/fixed): New variable.
>>> (python-2.7)[replacement]: New field.
>>> (python2-minimal): Use PACKAGE/INHERIT.
>>
>> Thanks! I did some basic tests and things seem to work.
>
> I added this commit to my private branch a few days ago, along with the
> Python-3 CVE-2018-14647 fix (with the added hunk), updated my GuixSD
> GNOME 3 system and user profile, and everything seems to be working
> well.
>
> I think they are both ready to push to master.

Hi Mark,

Thank you very much for testing. I've pushed these patches now, sorry
for the delay!

Closed