Python-2 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647 CVE-2018-1000802

Details
4 participants
  • Leo Famulari
  • Ludovic Courtès
  • Marius Bakke
  • Mark H Weaver
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
Leo Famulari wrote on 29 Sep 2018 21:18
(address . bug-guix@gnu.org)
20180929191827.GA17619@jasmine.lan
Here are some bugs that apply to our Python 2.7.14 package.

CVE-2018-1060 (fixed upstream in Python 2.7.15):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060

CVE-2018-1061 (fixed upstream in Python 2.7.15):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061

CVE-2018-14647 (fixed in unreleased CPython commit
18b20bad75b4ff0486940fba4ec680e96e70f3a2):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647

CVE-2018-1000802 (fixed in unreleased CPython commit
d8b103b8b3ef9644805341216963a64098642435):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802
Ludovic Courtès wrote on 3 Oct 2018 22:56
control message for bug #32877
(address . control@debbugs.gnu.org)
87h8i2lpf1.fsf@gnu.org
tags 32877 security
Marius Bakke wrote on 6 Oct 2018 18:53
Re: bug#32877: Python-2 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647 CVE-2018-1000802
87in2fhv8v.fsf@fastmail.com
Leo Famulari <leo@famulari.name> writes:

> Here are some bugs that apply to our Python 2.7.14 package.
>
> CVE-2018-1060 (fixed upstream in Python 2.7.15):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060
>
> CVE-2018-1061 (fixed upstream in Python 2.7.15):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061
>
> CVE-2018-14647 (fixed in unreleased CPython commit
> 18b20bad75b4ff0486940fba4ec680e96e70f3a2):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
>
> CVE-2018-1000802 (fixed in unreleased CPython commit
> d8b103b8b3ef9644805341216963a64098642435):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802

Here is a patch that should fix these:
WDYT?
Leo Famulari wrote on 10 Oct 2018 21:14
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 32877@debbugs.gnu.org)
20181010191425.GA22832@jasmine.lan
On Sat, Oct 06, 2018 at 06:53:36PM +0200, Marius Bakke wrote:
> From 2891a9acb7704c3397ef34fbb520b46936504422 Mon Sep 17 00:00:00 2001
> From: Marius Bakke <mbakke@fastmail.com>
> Date: Sat, 6 Oct 2018 18:50:47 +0200
> Subject: [PATCH] gnu: python2: Add upstream security fixes.
>
> This addresses CVE-2018-{1060,1061,14647,1000802}.
>
> * gnu/packages/patches/python2-CVE-2018-1000802.patch,
> gnu/packages/patches/python2-CVE-2018-1060.patch,
> gnu/packages/patches/python2-CVE-2018-1061.patch,
> gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/python.scm (python-2/fixed): New variable.
> (python-2.7)[replacement]: New field.
> (python2-minimal): Use PACKAGE/INHERIT.

Thanks! I did some basic tests and things seem to work.
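The commit message quoted above describes a graft rather than a rebuild: python-2.7 gains a `replacement` field pointing at a patched `python-2/fixed`, and python2-minimal switches to `package/inherit` so that it picks the replacement up too. The definitions below are an added illustration of that pattern and not the actual Guix commit (the patch itself is not reproduced on this page); the unchanged fields of python-2.7 are elided, and the variable and patch-file names are the ones given in the commit message.

```scheme
;; Added illustration of the replacement/graft pattern from the commit
;; message; not the real gnu/packages/python.scm. Assumes the four patch
;; files are present under gnu/packages/patches/ and registered in
;; gnu/local.mk so that SEARCH-PATCHES can find them.

(define-public python-2.7
  (package
    (name "python2")
    (version "2.7.14")
    ;; ... source, build-system, arguments and the other existing
    ;; fields stay exactly as they are ...
    ;; The REPLACEMENT field is what makes this a graft: packages that
    ;; depend on python-2.7 keep their already-built derivations and get
    ;; the fixed python substituted at profile-build time instead of
    ;; being rebuilt.  The field is thunked, so the forward reference
    ;; to PYTHON-2/FIXED below is fine.
    (replacement python-2/fixed)))

(define-public python-2/fixed
  (package
    (inherit python-2.7)
    (source
     (origin
       (inherit (package-source python-2.7))
       ;; Keep the patches the original source already carries and add
       ;; the backported upstream fixes for the four CVEs on top.
       (patches (append (origin-patches (package-source python-2.7))
                        (search-patches "python2-CVE-2018-1060.patch"
                                        "python2-CVE-2018-1061.patch"
                                        "python2-CVE-2018-14647.patch"
                                        "python2-CVE-2018-1000802.patch")))))))

;; PACKAGE/INHERIT, unlike a plain (package (inherit python-2.7) ...),
;; also carries the REPLACEMENT field over, so the minimal variant is
;; grafted with the same fix.  With a plain INHERIT it would silently
;; keep shipping the unpatched 2.7.14.
(define-public python2-minimal
  (package/inherit python-2.7
    (name "python2-minimal")
    ;; ... the fields in which the minimal variant differs ...
    ))
```

A quick check that the graft actually applies is to compare `guix build python@2` with `guix build python@2 --no-grafts`: the two must yield different store paths once the replacement field is in place.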


Mark H Weaver wrote on 11 Oct 2018 10:03
(name . Leo Famulari)(address . leo@famulari.name)
87o9c0ykol.fsf@netris.org
Leo Famulari <leo@famulari.name> writes:

> On Sat, Oct 06, 2018 at 06:53:36PM +0200, Marius Bakke wrote:
>> From 2891a9acb7704c3397ef34fbb520b46936504422 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <mbakke@fastmail.com>
>> Date: Sat, 6 Oct 2018 18:50:47 +0200
>> Subject: [PATCH] gnu: python2: Add upstream security fixes.
>>
>> This addresses CVE-2018-{1060,1061,14647,1000802}.
>>
>> * gnu/packages/patches/python2-CVE-2018-1000802.patch,
>> gnu/packages/patches/python2-CVE-2018-1060.patch,
>> gnu/packages/patches/python2-CVE-2018-1061.patch,
>> gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/python.scm (python-2/fixed): New variable.
>> (python-2.7)[replacement]: New field.
>> (python2-minimal): Use PACKAGE/INHERIT.
>
> Thanks! I did some basic tests and things seem to work.

I added this commit to my private branch a few days ago, along with the
Python-3 CVE-2018-14647 fix (with the added hunk), updated my GuixSD
GNOME 3 system and user profile, and everything seems to be working
well.

I think they are both ready to push to master.

Thank you, Marius!

Mark
Marius Bakke wrote on 17 Oct 2018 20:35
(address . 32877-done@debbugs.gnu.org)
875zy0h14q.fsf@fastmail.com
Mark H Weaver <mhw@netris.org> writes:

> Leo Famulari <leo@famulari.name> writes:
>
>> On Sat, Oct 06, 2018 at 06:53:36PM +0200, Marius Bakke wrote:
>>> From 2891a9acb7704c3397ef34fbb520b46936504422 Mon Sep 17 00:00:00 2001
>>> From: Marius Bakke <mbakke@fastmail.com>
>>> Date: Sat, 6 Oct 2018 18:50:47 +0200
>>> Subject: [PATCH] gnu: python2: Add upstream security fixes.
>>>
>>> This addresses CVE-2018-{1060,1061,14647,1000802}.
>>>
>>> * gnu/packages/patches/python2-CVE-2018-1000802.patch,
>>> gnu/packages/patches/python2-CVE-2018-1060.patch,
>>> gnu/packages/patches/python2-CVE-2018-1061.patch,
>>> gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
>>> * gnu/local.mk (dist_patch_DATA): Register it.
>>> * gnu/packages/python.scm (python-2/fixed): New variable.
>>> (python-2.7)[replacement]: New field.
>>> (python2-minimal): Use PACKAGE/INHERIT.
>>
>> Thanks! I did some basic tests and things seem to work.
>
> I added this commit to my private branch a few days ago, along with the
> Python-3 CVE-2018-14647 fix (with the added hunk), updated my GuixSD
> GNOME 3 system and user profile, and everything seems to be working
> well.
>
> I think they are both ready to push to master.

Hi Mark,

Thank you very much for testing. I've pushed these patches now, sorry
for the delay!