Python-2 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647 CVE-2018-1000802

Done. Submitted by Leo Famulari.
4 participants:
  • Leo Famulari
  • Ludovic Courtès
  • Marius Bakke
  • Mark H Weaver
Owner: unassigned
Severity: normal
Leo Famulari wrote on 29 Sep 2018 21:18
(address . bug-guix@gnu.org)
20180929191827.GA17619@jasmine.lan
Here are some bugs that apply to our Python 2.7.14 package.
CVE-2018-1060 (fixed upstream in Python 2.7.15):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060

CVE-2018-1061 (fixed upstream in Python 2.7.15):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061

CVE-2018-14647 (fixed in unreleased CPython commit
18b20bad75b4ff0486940fba4ec680e96e70f3a2):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647

CVE-2018-1000802 (fixed in unreleased CPython commit
d8b103b8b3ef9644805341216963a64098642435):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802

Ludovic Courtès wrote on 3 Oct 2018 22:56
control message for bug #32877
(address . control@debbugs.gnu.org)
87h8i2lpf1.fsf@gnu.org
tags 32877 security
Marius Bakke wrote on 6 Oct 2018 18:53
Re: bug#32877: Python-2 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647 CVE-2018-1000802
87in2fhv8v.fsf@fastmail.com
Leo Famulari <leo@famulari.name> writes:
> Here are some bugs that apply to our Python 2.7.14 package.
>
> CVE-2018-1060 (fixed upstream in Python 2.7.15):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060
>
> CVE-2018-1061 (fixed upstream in Python 2.7.15):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061
>
> CVE-2018-14647 (fixed in unreleased CPython commit
> 18b20bad75b4ff0486940fba4ec680e96e70f3a2):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
>
> CVE-2018-1000802 (fixed in unreleased CPython commit
> d8b103b8b3ef9644805341216963a64098642435):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802
Here is a patch that should fix these:
From 2891a9acb7704c3397ef34fbb520b46936504422 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Sat, 6 Oct 2018 18:50:47 +0200
Subject: [PATCH] gnu: python2: Add upstream security fixes.
This addresses CVE-2018-{1060,1061,14647,1000802}.
* gnu/packages/patches/python2-CVE-2018-1000802.patch,
gnu/packages/patches/python2-CVE-2018-1060.patch,
gnu/packages/patches/python2-CVE-2018-1061.patch,
gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/python.scm (python-2/fixed): New variable.
(python-2.7)[replacement]: New field.
(python2-minimal): Use PACKAGE/INHERIT.
---
 gnu/local.mk                                  |  4 ++
 .../patches/python2-CVE-2018-1000802.patch    | 47 ++++++++++++++
 .../patches/python2-CVE-2018-1060.patch       | 20 ++++++
 .../patches/python2-CVE-2018-1061.patch       | 20 ++++++
 .../patches/python2-CVE-2018-14647.patch      | 61 +++++++++++++++++++
 gnu/packages/python.scm                       | 15 ++++-
 6 files changed, 166 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/python2-CVE-2018-1000802.patch
 create mode 100644 gnu/packages/patches/python2-CVE-2018-1060.patch
 create mode 100644 gnu/packages/patches/python2-CVE-2018-1061.patch
 create mode 100644 gnu/packages/patches/python2-CVE-2018-14647.patch
Toggle diff (229 lines)diff --git a/gnu/local.mk b/gnu/local.mkindex df16f85db..e77f21db5 100644--- a/gnu/local.mk+++ b/gnu/local.mk@@ -1067,6 +1067,10 @@ dist_patch_DATA = \ %D%/packages/patches/pygpgme-disable-problematic-tests.patch \ %D%/packages/patches/pyqt-configure.patch \ %D%/packages/patches/pyqt-public-sip.patch \+ %D%/packages/patches/python2-CVE-2018-1060.patch \+ %D%/packages/patches/python2-CVE-2018-1061.patch \+ %D%/packages/patches/python2-CVE-2018-14647.patch \+ %D%/packages/patches/python2-CVE-2018-1000802.patch \ %D%/packages/patches/python-2-deterministic-build-info.patch \ %D%/packages/patches/python-2.7-adjust-tests.patch \ %D%/packages/patches/python-2.7-search-paths.patch \diff --git a/gnu/packages/patches/python2-CVE-2018-1000802.patch b/gnu/packages/patches/python2-CVE-2018-1000802.patchnew file mode 100644index 000000000..0d5bc77c8--- /dev/null+++ b/gnu/packages/patches/python2-CVE-2018-1000802.patch@@ -0,0 +1,47 @@+Fix CVE-2018-1000802:++https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802++Taken from upstream commit (sans NEWS):+https://github.com/python/cpython/commit/d8b103b8b3ef9644805341216963a64098642435++diff --git a/Lib/shutil.py b/Lib/shutil.py+index 3462f7c5e9..0ab1a06f52 100644+--- a/Lib/shutil.py++++ b/Lib/shutil.py+@@ -413,17 +413,21 @@ def _make_tarball(base_name, base_dir, compress="gzip", verbose=0, dry_run=0,+ + return archive_name+ +-def _call_external_zip(base_dir, zip_filename, verbose=False, dry_run=False):++def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger):+ # XXX see if we want to keep an external call here+ if verbose:+ zipoptions = "-r"+ else:+ zipoptions = "-rq"+- from distutils.errors import DistutilsExecError+- from distutils.spawn import spawn++ cmd = ["zip", zipoptions, zip_filename, base_dir]++ if logger is not None:++ logger.info(' '.join(cmd))++ if dry_run:++ return++ import subprocess+ try:+- spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=dry_run)+- except 
DistutilsExecError:++ subprocess.check_call(cmd)++ except subprocess.CalledProcessError:+ # XXX really should distinguish between "couldn't find+ # external 'zip' command" and "zip failed".+ raise ExecError, \+@@ -458,7 +462,7 @@ def _make_zipfile(base_name, base_dir, verbose=0, dry_run=0, logger=None):+ zipfile = None+ + if zipfile is None:+- _call_external_zip(base_dir, zip_filename, verbose, dry_run)++ _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger)+ else:+ if logger is not None:+ logger.info("creating '%s' and adding '%s' to it",diff --git a/gnu/packages/patches/python2-CVE-2018-1060.patch b/gnu/packages/patches/python2-CVE-2018-1060.patchnew file mode 100644index 000000000..5eb7ccfbc--- /dev/null+++ b/gnu/packages/patches/python2-CVE-2018-1060.patch@@ -0,0 +1,20 @@+Fix CVE-2018-1060:+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060++Taken from upstream commit (sans test and NEWS):+https://github.com/python/cpython/commit/e052d40cea15f582b50947f7d906b39744dc62a2++diff --git a/Lib/poplib.py b/Lib/poplib.py+index b91e5f72d2ca..a238510b38fc 100644+--- a/Lib/poplib.py++++ b/Lib/poplib.py+@@ -274,7 +274,7 @@ def rpop(self, user):+ return self._shortcmd('RPOP %s' % user)+ + +- timestamp = re.compile(r'\+OK.*(<[^>]+>)')++ timestamp = re.compile(br'\+OK.[^<]*(<.*>)')+ + def apop(self, user, secret):+ """Authorisation+diff --git a/gnu/packages/patches/python2-CVE-2018-1061.patch b/gnu/packages/patches/python2-CVE-2018-1061.patchnew file mode 100644index 000000000..6caab24b4--- /dev/null+++ b/gnu/packages/patches/python2-CVE-2018-1061.patch@@ -0,0 +1,20 @@+Fix CVE-2018-1061:++https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061++Taken from upstream commit (sans test and NEWS):+https://github.com/python/cpython/commit/e052d40cea15f582b50947f7d906b39744dc62a2++diff --git a/Lib/difflib.py b/Lib/difflib.py+index 1c6fbdbedcb7..788a92df3f89 100644+--- a/Lib/difflib.py++++ b/Lib/difflib.py+@@ -1103,7 +1103,7 @@ def _qformat(self, aline, 
bline, atags, btags):+ + import re+ +-def IS_LINE_JUNK(line, pat=re.compile(r"\s*#?\s*$").match):++def IS_LINE_JUNK(line, pat=re.compile(r"\s*(?:#\s*)?$").match):+ r"""+ Return 1 for ignorable line: iff `line` is blank or contains a single '#'.+diff --git a/gnu/packages/patches/python2-CVE-2018-14647.patch b/gnu/packages/patches/python2-CVE-2018-14647.patchnew file mode 100644index 000000000..6226b06ac--- /dev/null+++ b/gnu/packages/patches/python2-CVE-2018-14647.patch@@ -0,0 +1,61 @@+Fix CVE-2018-14647:+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647+https://bugs.python.org/issue34623++Taken from upstream:+https://github.com/python/cpython/commit/18b20bad75b4ff0486940fba4ec680e96e70f3a2++diff --git a/Include/pyexpat.h b/Include/pyexpat.h+index 5340ef5fa3..3fc5fa54da 100644+--- a/Include/pyexpat.h++++ b/Include/pyexpat.h+@@ -3,7 +3,7 @@+ + /* note: you must import expat.h before importing this module! */+ +-#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.0"++#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.1"+ #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI"+ + struct PyExpat_CAPI +@@ -43,6 +43,8 @@ struct PyExpat_CAPI+ XML_Parser parser, XML_UnknownEncodingHandler handler,+ void *encodingHandlerData);+ void (*SetUserData)(XML_Parser parser, void *userData);++ /* might be none for expat < 2.1.0 */++ int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt);+ /* always add new stuff to the end! 
*/+ };+ +diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c+index f7f992dd3a..b38e0ab329 100644+--- a/Modules/_elementtree.c++++ b/Modules/_elementtree.c+@@ -2574,6 +2574,11 @@ xmlparser(PyObject* self_, PyObject* args, PyObject* kw)+ PyErr_NoMemory();+ return NULL;+ }++ /* expat < 2.1.0 has no XML_SetHashSalt() */++ if (EXPAT(SetHashSalt) != NULL) {++ EXPAT(SetHashSalt)(self->parser,++ (unsigned long)_Py_HashSecret.prefix);++ }+ + ALLOC(sizeof(XMLParserObject), "create expatparser");+ +diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c+index 2b4d31293c..1f8c0d70a5 100644+--- a/Modules/pyexpat.c++++ b/Modules/pyexpat.c+@@ -2042,6 +2042,11 @@ MODULE_INITFUNC(void)+ capi.SetProcessingInstructionHandler = XML_SetProcessingInstructionHandler;+ capi.SetUnknownEncodingHandler = XML_SetUnknownEncodingHandler;+ capi.SetUserData = XML_SetUserData;++#if XML_COMBINED_VERSION >= 20100++ capi.SetHashSalt = XML_SetHashSalt;++#else++ capi.SetHashSalt = NULL;++#endif+ + /* export using capsule */+ capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL);diff --git a/gnu/packages/python.scm b/gnu/packages/python.scmindex e64193dce..4d9bad9bc 100644--- a/gnu/packages/python.scm+++ b/gnu/packages/python.scm@@ -148,6 +148,7 @@ (package (name "python2") (version "2.7.14")+ (replacement python-2/fixed) (source (origin (method url-fetch)@@ -344,6 +345,18 @@ data types.") ;; Current 2.x version. (define-public python-2 python-2.7) +(define python-2/fixed+ (package+ (inherit python-2)+ (source (origin+ (inherit (package-source python-2))+ (patches (append+ (origin-patches (package-source python-2))+ (search-patches "python2-CVE-2018-1060.patch"+ "python2-CVE-2018-1061.patch"+ "python2-CVE-2018-14647.patch"+ "python2-CVE-2018-1000802.patch")))))))+ (define-public python2-called-python ;; Both 2.x and 3.x used to be called "python". 
In commit ;; a7714d42de2c3082f3609d1e63c83d703fb39cf9 (March 2018), we renamed the@@ -482,7 +495,7 @@ data types.") ;; Python (Tk -> libxcb -> Python.) (define-public python2-minimal- (package (inherit python-2)+ (package/inherit python-2 (name "python2-minimal") (outputs '("out")) -- 2.19.0
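Review bot: the four new `dist_patch_DATA` entries in gnu/local.mk are inserted before `python-2-deterministic-build-info.patch`, but that list is kept sorted and `python2-CVE-...` sorts after the `python-2...` entries ('-' precedes '2' in ASCII), so they belong after `python-2.7-search-paths.patch` and whatever other `python-2*` entries follow it; within the group, `python2-CVE-2018-1000802.patch` sorts before `python2-CVE-2018-1060.patch`, not last. Unrelated to the hunk itself, the ChangeLog line `* gnu/local.mk (dist_patch_DATA): Register it.` covers four files and should read `Register them.`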
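Review bot: in the first Lib/shutil.py hunk, `except subprocess.CalledProcessError:` only catches a non-zero exit status from `zip`; when the `zip` executable is absent, `subprocess.check_call(cmd)` raises `OSError` instead, and that is no longer converted into `ExecError` the way the old `spawn` / `DistutilsExecError` path was, so callers that catch `ExecError` around `make_archive` now see a different exception type. The `XXX really should distinguish between "couldn't find external 'zip' command" and "zip failed"` comment kept in the hunk describes exactly this case. The header says the hunk is taken verbatim from upstream (sans NEWS), so either keep it identical or add `OSError` to the `except` tuple and note the deviation in the patch header. Passing `cmd = ["zip", zipoptions, zip_filename, base_dir]` as a list with no shell is what removes the command injection, which is correct; the signature losing its `verbose=False, dry_run=False` defaults is fine for a private helper as long as the call in `_make_zipfile` (next hunk) stays the only one.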
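Review bot: `timestamp = re.compile(br'\+OK.[^<]*(<.*>)')` does not accept exactly the same greetings as the old `r'\+OK.*(<[^>]+>)'`: the new `.` requires at least one character between `+OK` and the timestamp where the old `.*` allowed none, and when the banner holds two bracketed tokens the old pattern captured the last `<...>` while the new one captures from the first `<` to the last `>`. For a standard `+OK ... <timestamp>` greeting both yield the same group, which is all `apop` needs, but the patch header should mention the behaviour change next to the backtracking fix. The `br` prefix is accepted by 2.7 (where bytes is str), so nothing to change there. Since the hunk is taken "sans test", consider carrying the upstream test so the Guix build exercises the new pattern.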
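Review bot: `re.compile(r"\s*(?:#\s*)?$")` matches the same set of lines as `r"\s*#?\s*$"` (empty, or whitespace with at most one `#` in it), so the docstring that follows, "Return 1 for ignorable line: iff `line` is blank or contains a single '#'", stays accurate; what changes is that a long run of whitespace is no longer split between two adjacent `\s*` on every failed match. The patch header only says "Fix CVE-2018-1061"; one sentence stating that the accepted language is unchanged would save the next reader from re-deriving it. As with the poplib patch, the upstream test was dropped, so nothing in `make check` guards against this regressing.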
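Review bot: bumping `PyExpat_CAPI_MAGIC` from "pyexpat.expat_CAPI 1.0" to "pyexpat.expat_CAPI 1.1" and appending `SetHashSalt` to `struct PyExpat_CAPI` is an interface change for every C extension that imports the `pyexpat.expat_CAPI` capsule, and this patch is delivered as a graft (the `replacement` field in python.scm), so dependents are not rebuilt. Consumers that only dereference the struct keep working because the member is appended ("always add new stuff to the end!"), but any that compare the magic string exactly will see a mismatch until rebuilt. Worth confirming which dependents consume the capsule, or scheduling a full rebuild on a branch. Minor: the comment `/* might be none for expat < 2.1.0 */` means NULL.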
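Review bot: the `#if XML_COMBINED_VERSION >= 20100` block in Modules/pyexpat.c decides at compile time, from the expat headers seen by the build, whether `capi.SetHashSalt` is `XML_SetHashSalt` or `NULL`, and the `if (EXPAT(SetHashSalt) != NULL)` guard in Modules/_elementtree.c handles the NULL case at runtime, so the two hunks are consistent. The check that matters for Guix is which expat headers the python2 build actually compiles against: if they are older than 2.1.0 the whole fix reduces to a no-op and CVE-2018-14647 remains open even though the patch is listed. Please state in the patch header (or the commit message) which expat the build uses.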
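Review bot: in gnu/packages/python.scm, `(replacement python-2/fixed)` is added to the `python2` record at version 2.7.14 before `python-2/fixed` is defined further down; that works because `replacement` is a thunked field, but a short comment on the `replacement` line would spare the next reader the forward reference. `python-2/fixed` inherits from `python-2` (the alias for `python-2.7` declared just above it), keeps name, version and outputs, and only appends the four patches to `origin-patches`, which is the shape a graft needs. The `package/inherit` switch for `python2-minimal` in the last hunk is what makes the minimal variant pick up the same replacement; any other package still written as `(package (inherit python-2) ...)` will not, so grep for those before pushing.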
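The two Lib/ hunks in the patch above swap one regex for another, and the patch headers only cite the CVE numbers, so it is worth checking what actually changed. The script below is an added example, not part of Marius's patch, of the Guix tree or of CPython: it copies the four patterns verbatim from the poplib and difflib hunks (both poplib patterns written as bytes), runs old and new side by side on constructed banners and lines, and times them on a constructed worst-case input. The helper names (`apop_timestamp`, `is_line_junk`, `differing_banners`, and so on) and the sample strings are this example's own. It runs on Python 3 although the patch targets 2.7; the patterns themselves are the same.

```python
"""Side-by-side check of the poplib and difflib regex changes.

Added example, not code from the Guix patch or from CPython.  Only the four
compiled patterns are taken from the diff; banners, lines and helpers are
constructed here.
"""
import re
import time

# Patterns as they appear before ("OLD") and after ("NEW") the patch.
POPLIB_OLD = re.compile(rb'\+OK.*(<[^>]+>)')
POPLIB_NEW = re.compile(rb'\+OK.[^<]*(<.*>)')
DIFFLIB_OLD = re.compile(r"\s*#?\s*$")
DIFFLIB_NEW = re.compile(r"\s*(?:#\s*)?$")


def apop_timestamp(pattern, banner):
    """Mimic POP3.apop(): search the greeting for the APOP timestamp (group 1)."""
    m = pattern.search(banner)
    return m.group(1) if m else None


def is_line_junk(pattern, line):
    """Mimic difflib.IS_LINE_JUNK(): blank line, or whitespace around one '#'."""
    return pattern.match(line) is not None


def differing_banners(banners):
    """Banners on which the old and new poplib patterns disagree, with both captures."""
    out = []
    for banner in banners:
        old = apop_timestamp(POPLIB_OLD, banner)
        new = apop_timestamp(POPLIB_NEW, banner)
        if old != new:
            out.append((banner, old, new))
    return out


def differing_lines(lines):
    """Lines on which the old and new difflib patterns disagree (expected: none)."""
    return [line for line in lines
            if is_line_junk(DIFFLIB_OLD, line) != is_line_junk(DIFFLIB_NEW, line)]


def pathological_banner(n):
    """Constructed worst case for the old poplib pattern: n '<' and no closing '>'."""
    return b"+OK " + b"<" * n


def pathological_line(n):
    """Constructed worst case for the old difflib pattern: n spaces then a non-junk char."""
    return " " * n + "x"


def seconds(pattern, method, text):
    """Wall-clock time of one pattern.search()/match() call on text."""
    t0 = time.perf_counter()
    getattr(pattern, method)(text)
    return time.perf_counter() - t0


# Constructed sample inputs (not taken from the thread).
BANNERS = [
    b"+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>",
    b"+OK <a@b> hello <c@d>",   # two bracketed tokens: the capture differs
    b"+OK<x@y>",                # nothing between +OK and '<': new pattern rejects
    b"+OK no timestamp here",
]
LINES = ["", "   ", "#", "  #  ", "\t#\t", "# c", "x", "  # x"]

if __name__ == "__main__":
    for banner, old, new in differing_banners(BANNERS):
        print("poplib capture differs for %r: old=%r new=%r" % (banner, old, new))
    print("difflib disagreements:", differing_lines(LINES))
    # The old patterns backtrack quadratically in n; the new ones stay linear.
    for n in (1000, 2000, 4000):
        print("n=%d  poplib old/new %.4fs/%.4fs  difflib old/new %.4fs/%.4fs" % (
            n,
            seconds(POPLIB_OLD, "search", pathological_banner(n)),
            seconds(POPLIB_NEW, "search", pathological_banner(n)),
            seconds(DIFFLIB_OLD, "match", pathological_line(n)),
            seconds(DIFFLIB_NEW, "match", pathological_line(n))))
```

Expect the difflib pair to agree on every line and the poplib pair to disagree on exactly the two banners flagged in the comments; the timing loop shows the old patterns growing roughly with the square of n while the new ones stay flat.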
Leo Famulari wrote on 10 Oct 2018 21:14
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 32877@debbugs.gnu.org)
20181010191425.GA22832@jasmine.lan
On Sat, Oct 06, 2018 at 06:53:36PM +0200, Marius Bakke wrote:
> From 2891a9acb7704c3397ef34fbb520b46936504422 Mon Sep 17 00:00:00 2001
> From: Marius Bakke <mbakke@fastmail.com>
> Date: Sat, 6 Oct 2018 18:50:47 +0200
> Subject: [PATCH] gnu: python2: Add upstream security fixes.
>
> This addresses CVE-2018-{1060,1061,14647,1000802}.
>
> * gnu/packages/patches/python2-CVE-2018-1000802.patch,
> gnu/packages/patches/python2-CVE-2018-1060.patch,
> gnu/packages/patches/python2-CVE-2018-1061.patch,
> gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/python.scm (python-2/fixed): New variable.
> (python-2.7)[replacement]: New field.
> (python2-minimal): Use PACKAGE/INHERIT.
Thanks! I did some basic tests and things seem to work.

Mark H Weaver wrote on 11 Oct 2018 10:03
(name . Leo Famulari)(address . leo@famulari.name)
87o9c0ykol.fsf@netris.org
Leo Famulari <leo@famulari.name> writes:
> On Sat, Oct 06, 2018 at 06:53:36PM +0200, Marius Bakke wrote:
>> From 2891a9acb7704c3397ef34fbb520b46936504422 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <mbakke@fastmail.com>
>> Date: Sat, 6 Oct 2018 18:50:47 +0200
>> Subject: [PATCH] gnu: python2: Add upstream security fixes.
>>
>> This addresses CVE-2018-{1060,1061,14647,1000802}.
>>
>> * gnu/packages/patches/python2-CVE-2018-1000802.patch,
>> gnu/packages/patches/python2-CVE-2018-1060.patch,
>> gnu/packages/patches/python2-CVE-2018-1061.patch,
>> gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/python.scm (python-2/fixed): New variable.
>> (python-2.7)[replacement]: New field.
>> (python2-minimal): Use PACKAGE/INHERIT.
>
> Thanks! I did some basic tests and things seem to work.
I added this commit to my private branch a few days ago, along with the Python-3 CVE-2018-14647 fix (with the added hunk), updated my GuixSD GNOME 3 system and user profile, and everything seems to be working well.
I think they are both ready to push to master.
Thank you, Marius!
Mark
Marius Bakke wrote on 17 Oct 2018 20:35
(address . 32877-done@debbugs.gnu.org)
875zy0h14q.fsf@fastmail.com
Mark H Weaver <mhw@netris.org> writes:
> Leo Famulari <leo@famulari.name> writes:
>
>> On Sat, Oct 06, 2018 at 06:53:36PM +0200, Marius Bakke wrote:
>>> From 2891a9acb7704c3397ef34fbb520b46936504422 Mon Sep 17 00:00:00 2001
>>> From: Marius Bakke <mbakke@fastmail.com>
>>> Date: Sat, 6 Oct 2018 18:50:47 +0200
>>> Subject: [PATCH] gnu: python2: Add upstream security fixes.
>>>
>>> This addresses CVE-2018-{1060,1061,14647,1000802}.
>>>
>>> * gnu/packages/patches/python2-CVE-2018-1000802.patch,
>>> gnu/packages/patches/python2-CVE-2018-1060.patch,
>>> gnu/packages/patches/python2-CVE-2018-1061.patch,
>>> gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
>>> * gnu/local.mk (dist_patch_DATA): Register it.
>>> * gnu/packages/python.scm (python-2/fixed): New variable.
>>> (python-2.7)[replacement]: New field.
>>> (python2-minimal): Use PACKAGE/INHERIT.
>>
>> Thanks! I did some basic tests and things seem to work.
>
> I added this commit to my private branch a few days ago, along with the
> Python-3 CVE-2018-14647 fix (with the added hunk), updated my GuixSD
> GNOME 3 system and user profile, and everything seems to be working
> well.
>
> I think they are both ready to push to master.
Hi Mark,
Thank you very much for testing. I've pushed these patches now, sorry for the delay!
Closed