From debbugs-submit-bounces@debbugs.gnu.org Sat Oct 06 10:51:17 2018 Received: (at 32878) by debbugs.gnu.org; 6 Oct 2018 14:51:17 +0000 Received: from localhost ([127.0.0.1]:38749 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1g8nvF-00059o-II for submit@debbugs.gnu.org; Sat, 06 Oct 2018 10:51:16 -0400 Received: from out3-smtp.messagingengine.com ([66.111.4.27]:35275) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1g8nvD-00059g-Eb for 32878@debbugs.gnu.org; Sat, 06 Oct 2018 10:51:12 -0400 Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 390CB220E4; Sat, 6 Oct 2018 10:51:11 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute5.internal (MEProxy); Sat, 06 Oct 2018 10:51:11 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.com; h= from:to:subject:in-reply-to:references:date:message-id :mime-version:content-type; s=fm1; bh=FhYg8vtWKknlxlykyKDHgOQf7w 0SsjwTPkT29WCD2t8=; b=G+JIrKY2q2bxYV446eBp3G7ieuBCZY1Tjg6/yoeS/g c33G6KB9wmPp3JGmGz2YLWTeesOCsQsd4QhZhN9H/AgDa2bSmD7exC1E9m1Qyuho BBsEopl1xG8PaOv36jEaHwwUc5emY4SQA0k/JQ3nWjVdAgmFEdi7CrkPoM/Y5Ujl +5trVvMbYOI8csYPBYN/O9z2KsmoBCXgVoo8/OZmioeM9CdPxZ+R64fZNfiqGnBl BJ2+bVq8v3PB7Nn53MwvXGzagqEYB4yKYk5FvD7rRp0gHnxYJysHR7+HbBAPBa2o QH+REmEboUcuCzY8SKdFSNsekXqZ6QfazzWLX4zH9I5Q== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=FhYg8v tWKknlxlykyKDHgOQf7w0SsjwTPkT29WCD2t8=; b=nfZYJ1bM04L/+Wp4dbbpyr tss4eAJUzrEjpcWvxu8FnS9h9uz+FhGdJVuA3nVvGYFCeeX9v9KHoHFhH9imb7hg BEv3gKUwXROGaL/9tt4kYW28mxHLhqoWaUr73ED1XH13U57Nx0dq1aSsGkCTQhg9 UhuLUqz/5JDOpra1KqNy6njw2TU/XLWK+GQ/STAjpG0ZdQaGCizDf35Qv5eZtUfI /i3LkLNOy5fd6zOUqw2OUm5ADh1PZwVTA48ZO17zk3ap5iihlzBOpnIXEekAviU2 HUiPcgurxZCX6b5esiL7qmk6o/KYzaI5EqMfQSY0U3mzjt37zY+StUsmBiStmqhQ == X-ME-Sender: X-ME-Proxy: Received: from localhost (140.226.16.62.customer.cdi.no [62.16.226.140]) by mail.messagingengine.com (Postfix) with ESMTPA id 69F9B102DE; Sat, 6 Oct 2018 10:51:09 -0400 (EDT) From: Marius Bakke To: Leo Famulari , 32878@debbugs.gnu.org Subject: Re: bug#32878: Python-3 CVE-2018-14647 In-Reply-To: <20180929192302.GB17619@jasmine.lan> References: <20180929192302.GB17619@jasmine.lan> User-Agent: Notmuch/0.27 (https://notmuchmail.org) Emacs/26.1 (x86_64-pc-linux-gnu) Date: Sat, 06 Oct 2018 16:51:07 +0200 Message-ID: <87sh1ji0x0.fsf@fastmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="==-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 32878 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) --==-=-= Content-Type: multipart/mixed; boundary="=-=-=" --=-=-= Content-Type: text/plain Leo Famulari writes: > Our Python 3.6.5 package is vulnerable to CVE-2018-14647, fixed in > CPython commit f7666e828cc3d5873136473ea36ba2013d624fa1, released in > v3.6.7rc1: > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647 Reading , this issue seems to only affect older versions of Expat, or when using Pythons bundled one which is compiled with -DXML_POOR_ENTROPY. ...unfortunately we seem to be using the bundled version :-( This patch adds a graft for Python: --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0001-gnu-python-Fix-CVE-2018-14647.patch Content-Transfer-Encoding: quoted-printable From=20a60d655fd4dddb86e1c8134c675fb61af52b32af Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Sat, 6 Oct 2018 16:47:05 +0200 Subject: [PATCH] gnu: python: Fix CVE-2018-14647. * gnu/packages/patches/python-CVE-2018-14647.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/python.scm (python-3/fixed): New variable. (python-3.6)[replacement]: New field. (python-minimal, python-debug, wrap-python3): Use PACKAGE/INHERIT instead of standard inheritance. =2D-- gnu/local.mk | 1 + .../patches/python-CVE-2018-14647.patch | 61 +++++++++++++++++++ gnu/packages/python.scm | 16 +++-- 3 files changed, 74 insertions(+), 4 deletions(-) create mode 100644 gnu/packages/patches/python-CVE-2018-14647.patch diff --git a/gnu/local.mk b/gnu/local.mk index 61e5913a0..df16f85db 100644 =2D-- a/gnu/local.mk +++ b/gnu/local.mk @@ -1075,6 +1075,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/python-3-deterministic-build-info.patch \ %D%/packages/patches/python-3-search-paths.patch \ %D%/packages/patches/python-3-fix-tests.patch \ + %D%/packages/patches/python-CVE-2018-14647.patch \ %D%/packages/patches/python-axolotl-AES-fix.patch \ %D%/packages/patches/python-cairocffi-dlopen-path.patch \ %D%/packages/patches/python-fix-tests.patch \ diff --git a/gnu/packages/patches/python-CVE-2018-14647.patch b/gnu/package= s/patches/python-CVE-2018-14647.patch new file mode 100644 index 000000000..24f8d2182 =2D-- /dev/null +++ b/gnu/packages/patches/python-CVE-2018-14647.patch @@ -0,0 +1,61 @@ +Fix CVE-2018-14647: +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-14647 +https://bugs.python.org/issue34623 + +Taken from upstream: +https://github.com/python/cpython/commit/f7666e828cc3d5873136473ea36ba2013= d624fa1 + +diff --git Include/pyexpat.h Include/pyexpat.h +index 44259bf6d7..07020b5dc9 100644 +--- Include/pyexpat.h ++++ Include/pyexpat.h +@@ -3,7 +3,7 @@ +=20 + /* note: you must import expat.h before importing this module! */ +=20 +-#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.0" ++#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.1" + #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI" +=20 + struct PyExpat_CAPI +@@ -48,6 +48,8 @@ struct PyExpat_CAPI + enum XML_Status (*SetEncoding)(XML_Parser parser, const XML_Char *enc= oding); + int (*DefaultUnknownEncodingHandler)( + void *encodingHandlerData, const XML_Char *name, XML_Encoding *in= fo); ++ /* might be none for expat < 2.1.0 */ ++ int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt); + /* always add new stuff to the end! */ + }; +=20 +diff --git Modules/_elementtree.c Modules/_elementtree.c +index 707ab2912b..53f05f937f 100644 +--- Modules/_elementtree.c ++++ Modules/_elementtree.c +@@ -3261,6 +3261,11 @@ _elementtree_XMLParser___init___impl(XMLParserObjec= t *self, PyObject *html, + PyErr_NoMemory(); + return -1; + } ++ /* expat < 2.1.0 has no XML_SetHashSalt() */ ++ if (EXPAT(SetHashSalt) !=3D NULL) { ++ EXPAT(SetHashSalt)(self->parser, ++ (unsigned long)_Py_HashSecret.expat.hashsalt); ++ } +=20 + if (target) { + Py_INCREF(target); +diff --git Modules/pyexpat.c Modules/pyexpat.c +index 47c3e86c20..aa21d93c11 100644 +--- Modules/pyexpat.c ++++ Modules/pyexpat.c +@@ -1887,6 +1887,11 @@ MODULE_INITFUNC(void) + capi.SetStartDoctypeDeclHandler =3D XML_SetStartDoctypeDeclHandler; + capi.SetEncoding =3D XML_SetEncoding; + capi.DefaultUnknownEncodingHandler =3D PyUnknownEncodingHandler; ++#if XML_COMBINED_VERSION >=3D 20100 ++ capi.SetHashSalt =3D XML_SetHashSalt; ++#else ++ capi.SetHashSalt =3D NULL; ++#endif +=20 + /* export using capsule */ + capi_object =3D PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL); diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index 4703d95a2..5ee3db6bf 100644 =2D-- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm @@ -357,6 +357,7 @@ data types.") (package (inherit python-2) (name "python") (version "3.6.5") + (replacement python-3/fixed) (source (origin (method url-fetch) (uri (string-append "https://www.python.org/ftp/python/" @@ -456,6 +457,14 @@ data types.") ;; Current 3.x version. (define-public python-3 python-3.6) =20 +(define python-3/fixed + (package + (inherit python-3) + (source (origin + (inherit (package-source python-3)) + (patches (append (origin-patches (package-source python-3)) + (search-patches "python-CVE-2018-14647.patc= h"))))))) + ;; Current major version. (define-public python python-3) =20 @@ -474,7 +483,7 @@ data types.") ("zlib" ,zlib))))) =20 (define-public python-minimal =2D (package (inherit python) + (package/inherit python (name "python-minimal") (outputs '("out")) =20 @@ -486,8 +495,7 @@ data types.") ("zlib" ,zlib))))) =20 (define-public python-debug =2D (package =2D (inherit python) + (package/inherit python (name "python-debug") (outputs '("out" "debug")) (build-system gnu-build-system) @@ -506,7 +514,7 @@ for more information."))) (define* (wrap-python3 python #:optional (name (string-append (package-name python) "-wrappe= r"))) =2D (package (inherit python) + (package/inherit python (name name) (source #f) (build-system trivial-build-system) =2D-=20 2.19.0 --=-=-= Content-Type: text/plain WDYT? --=-=-=-- --==-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlu4y9wACgkQoqBt8qM6 VPqnmQgApOAHt4a1wl9sCK8lyL1xwAJ3gkjAq4wjPUTK5QoTK5myv6GuWO1bCvI+ 8VbFZXCpo9a97HY/Ci9iGAmUB7Glqsyh30doG1BeDbC7zJGH4/fIAqC9vDTL/rWx z+tnQvt9PnQIrTTAQ0jZsSjLCeWaqGbI2A7s6qElpAiVF0wpuQAJqNiR9gC86g3M fFYOZxBOHAGqj+caTqdGJitDhPlFNUQnWGkYLuv5PTeN8781pHKzVezM4cnCeE5o 3XLDAM3TcZnQ6Ot66VjTPfG/vq/rz75OKzkOicT6oJHGf7zzoKkQU92lGCtxIspX 7RrIAft7S097mpSWr8uPhLqJ2pg2dA== =vUBW -----END PGP SIGNATURE----- --==-=-=--