Quoting from MITRE:

------
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.
------

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177

There is not yet an upstream release to fix the issue in the 3.8 series that we distribute. I believe there are patches we can cherry-pick. Can somebody find them?

I assume that Python is considered to be "graft-able". Can anyone confirm?

The upstream bug report:
https://bugs.python.org/issue42938
I pushed a fix for Python 3.9 in commit f08c7cb0c75e7d5305c82d6a4af68ddf74fb08b1.

But, we use Python 3.8 for everything, and my patch (attached) fails to apply for some reason. It does work when I apply the new bug fix patch "by hand" onto the Guix source code for our current python-3.8 package.
From 3cc80457d26c725da61307755716db18ff88d28e Mon Sep 17 00:00:00 2001
From: Leo Famulari <email@example.com>
Date: Fri, 19 Feb 2021 18:09:57 -0500
Subject: [PATCH] gnu: Python: Fix CVE-2021-3177.

* gnu/packages/patches/python-3.8-CVE-2021-3177.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/python.scm (python-3.8)[replacement]: New field.
(python-3.8/fixed): New variable.
---
 gnu/local.mk                                  |   1 +
 .../patches/python-3.8-CVE-2021-3177.patch    | 194 ++++++++++++++++++
 gnu/packages/python.scm                       |   8 +
 3 files changed, 203 insertions(+)
 create mode 100644 gnu/packages/patches/python-3.8-CVE-2021-3177.patch
On Fri, Feb 19, 2021 at 06:12:58PM -0500, Leo Famulari wrote:
> But, we use Python 3.8 for everything, and my patch (attached) fails to
> apply for some reason. It does work when I apply the new bug fix patch
> "by hand" onto the Guix source code for our current python-3.8 package.
More weirdness: When I apply the patch to the python-3.8 package (that is, without setting up a grafted replacement), it works. So I am definitely doing something wrong here.
You can keep (inherit …) because the effect of ‘package/inherit’ is just to preserve replacements, which is unnecessary here.

Apart from that, the Guix side of things LGTM. Thanks for working on it!

Ludo’.
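For readers unfamiliar with Guix grafts, here is the shape of the change the commit message above describes (a `replacement` field on python-3.8 plus a `python-3.8/fixed` variant carrying the CVE patch), and the point Ludo makes about plain `(inherit …)`. This is an added illustration written for this thread, not the contents of the attached patch or of the real `gnu/packages/python.scm`; the module header, version string, hash, synopsis and description are placeholders, and only the `replacement` / `inherit` / `search-patches` structure is the part that matters.

```scheme
;; Added illustration of the grafting idiom, not the thread's actual patch.
;; Placeholder module header: a real definition lives in gnu/packages/python.scm.
(define-module (example python-graft)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix gexp)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (gnu packages))

(define-public python-3.8
  (package
    (name "python")
    (version "3.8.REPLACE-ME")                 ; placeholder version
    (source (origin
              (method url-fetch)
              (uri (string-append "https://www.python.org/ftp/python/"
                                  version "/Python-" version ".tar.xz"))
              (sha256
               (base32 "REPLACE-WITH-REAL-HASH"))))  ; placeholder hash
    (build-system gnu-build-system)
    ;; The graft: anything depending on python-3.8 is rewritten at the
    ;; store level to use python-3.8/fixed, so the security fix reaches
    ;; users without rebuilding every dependent package.  The field is
    ;; thunked, so the forward reference to the variable below is fine.
    (replacement python-3.8/fixed)
    (home-page "https://www.python.org/")
    (synopsis "Placeholder synopsis")
    (description "Placeholder description.")
    (license license:psfl)))

(define python-3.8/fixed
  (package
    ;; Plain (inherit …) is sufficient here.  package/inherit would also
    ;; carry over the `replacement' field, which a replacement must not
    ;; have (it would point at itself), so there is nothing to preserve.
    (inherit python-3.8)
    (source (origin
              (inherit (package-source python-3.8))
              ;; Keep any patches the original already applies and append
              ;; the CVE fix, which lives in gnu/packages/patches/.
              (patches (append (origin-patches (package-source python-3.8))
                               (search-patches
                                "python-3.8-CVE-2021-3177.patch")))))))
```

The replacement must stay ABI-compatible with the original, which is why a graft is appropriate for a one-function fix like this one. To confirm the graft is in effect, `guix build python@3.8` should produce a grafted output, while `guix build --no-grafts python@3.8` returns the unpatched original; applying the patch directly to python-3.8 (as tried in the message above) instead triggers a rebuild of every dependent.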