> Our Python 3.6.5 package is vulnerable to CVE-2018-14647, fixed in
> CPython commit f7666e828cc3d5873136473ea36ba2013d624fa1, released in
> v3.6.7rc1:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
Reading https://bugs.python.org/issue34623, this issue seems to only affect older versions of Expat, or when using Python's bundled one which is compiled with -DXML_POOR_ENTROPY.

...unfortunately we seem to be using the bundled version :-(

This patch adds a graft for Python:
From a60d655fd4dddb86e1c8134c675fb61af52b32af Mon Sep 17 00:00:00 2001
From: Marius Bakke <email@example.com>
Date: Sat, 6 Oct 2018 16:47:05 +0200
Subject: [PATCH] gnu: python: Fix CVE-2018-14647.

* gnu/packages/patches/python-CVE-2018-14647.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/python.scm (python-3/fixed): New variable.
(python-3.6)[replacement]: New field.
(python-minimal, python-debug, wrap-python3): Use PACKAGE/INHERIT instead of
standard inheritance.
---
 gnu/local.mk                                    |  1 +
 .../patches/python-CVE-2018-14647.patch         | 61 +++++++++++++++++++
 gnu/packages/python.scm                         | 16 +++-
 3 files changed, 74 insertions(+), 4 deletions(-)
 create mode 100644 gnu/packages/patches/python-CVE-2018-14647.patch
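Review bot: the series as quoted here stops at the diffstat, so the 61-line gnu/packages/patches/python-CVE-2018-14647.patch itself is not reviewable in this message; when the hunks are posted, please make sure the patch file's header names CPython commit f7666e828cc3d5873136473ea36ba2013d624fa1 and https://bugs.python.org/issue34623 (both cited in the report above) so the graft can be retired once python-3.6 moves to 3.6.7, and fold the "extra hunk" from the other mail into this patch so the diffstat matches what gets pushed.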
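Added here as an example, not code from this thread, from Guix or from CPython: a small check for the two affected configurations Marius names above, an Expat too old to salt its hash tables at all, or a CPython release whose _elementtree accelerator predates the hash-salt fix. The 3.6.7 entry is the one the report cites; the 3.7.1 entry is an assumption taken from upstream's backport and is not stated on this page. The script cannot see whether the bundled Expat was built with -DXML_POOR_ENTROPY, so it reasons from versions only.

```python
# Added example, not code from the Guix thread or from CPython: report whether
# an interpreter predates the CVE-2018-14647 fix discussed above.
import sys

import pyexpat

# First releases carrying the fix. The 3.6 entry is the one the thread cites
# (v3.6.7rc1); the 3.7 entry is an assumption based on upstream's backport and
# is not stated on this page. Series not listed here are reported as unknown.
FIXED_IN = {
    (3, 6): (3, 6, 7),
    (3, 7): (3, 7, 1),
}

# XML_SetHashSalt() was added in Expat 2.1.0; older Expat cannot salt its
# hash tables at all, which is the "older versions of Expat" case above.
MIN_SALTING_EXPAT = (2, 1, 0)


def python_fixed(version_info, fixed_in=FIXED_IN):
    """True/False when the release series is in the table, None if unknown."""
    series = tuple(version_info[:2])
    if series not in fixed_in:
        return None
    return tuple(version_info[:3]) >= fixed_in[series]


def expat_can_salt(expat_version):
    """Whether this Expat exposes XML_SetHashSalt() at all."""
    return tuple(expat_version[:3]) >= MIN_SALTING_EXPAT


def assess(version_info, expat_version):
    """Combine both checks into a verdict plus the reasons behind it."""
    reasons = []
    salting = expat_can_salt(expat_version)
    if not salting:
        reasons.append("Expat %d.%d.%d predates XML_SetHashSalt()"
                       % tuple(expat_version[:3]))
    fixed = python_fixed(version_info)
    if fixed is False:
        reasons.append("CPython %d.%d.%d predates the _elementtree hash salt "
                       "fix (bpo-34623)" % tuple(version_info[:3]))
    elif fixed is None:
        reasons.append("CPython %d.%d series not in the fix table; check "
                       "upstream" % tuple(version_info[:2]))
    return {
        "affected": (fixed is False) or (not salting),
        "uncertain": fixed is None,
        "reasons": reasons,
    }


def main():
    # Whether the bundled Expat was built with -DXML_POOR_ENTROPY is not visible
    # from Python. A fixed CPython sets the salt itself before parsing, so the
    # flag stops mattering there; that is why the version check is decisive.
    verdict = assess(sys.version_info, pyexpat.version_info)
    print("Python %s, %s" % (sys.version.split()[0], pyexpat.EXPAT_VERSION))
    for reason in verdict["reasons"]:
        print(" -", reason)
    print("affected:", verdict["affected"],
          "(uncertain)" if verdict["uncertain"] else "")


if __name__ == "__main__":
    main()
```

Run it under the interpreter you ship; the interesting case for this thread is a 3.6.5 build with the bundled Expat, which the table reports as affected regardless of the Expat version, because the salt was never being set by _elementtree.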
Leo Famulari <firstname.lastname@example.org>
Leo Famulari <email@example.com> writes:
> On Sat, Oct 06, 2018 at 04:51:07PM +0200, Marius Bakke wrote:
>> From a60d655fd4dddb86e1c8134c675fb61af52b32af Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <firstname.lastname@example.org>
>> Date: Sat, 6 Oct 2018 16:47:05 +0200
>> Subject: [PATCH] gnu: python: Fix CVE-2018-14647.
>>
>> * gnu/packages/patches/python-CVE-2018-14647.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/python.scm (python-3/fixed): New variable.
>> (python-3.6)[replacement]: New field.
>> (python-minimal, python-debug, wrap-python3): Use PACKAGE/INHERIT instead of
>> standard inheritance.
>
> Thanks! I did some more basic tests with this one, using the extra hunk
> in your other mail. I think this change is okay.
As I wrote in another thread, I added this commit (with extra hunk) to my private branch a few days ago, along with the Python-2 security fixes, updated my GuixSD GNOME 3 system and user profile, and everything seems to be working well. I think they are both ready to push to master.

Thank you, Marius!

      Mark