Python-3 CVE-2018-14647

  • Done
  • quality assurance status badge
Details
4 participants
  • Leo Famulari
  • Ludovic Courtès
  • Marius Bakke
  • Mark H Weaver
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
L
L
Leo Famulari wrote on 29 Sep 2018 21:23
(address . bug-guix@gnu.org)
20180929192302.GB17619@jasmine.lan
Our Python 3.6.5 package is vulnerable to CVE-2018-14647, fixed in
CPython commit f7666e828cc3d5873136473ea36ba2013d624fa1, released in
v3.6.7rc1:

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAluv0RUACgkQJkb6MLrK
fwhC8g/9FJn7ZtbzMjV7/tMRoKpZ5g4l+V//Cy0DZcPavo57zuWb4gt10cSuwU2s
T+il2zfeRqoTq+jkJa2onLQD1YV5/xyo4b86lBiXWo11+2eMoFtXR92wiH+HbBus
7Tm9YfC8/GJ4vL0ka7o5/ddn0/pQ9m3SDH1lOEJFEgbd48fz4zmgvVZjaFbvssne
T5E8IMc5u1v5Vf9ipwxwH/DXajLS2eMH+QTHPNFV9AHYuXUkBFcWw/dCRMowIqKA
vzJbneDjrE2yRa46LHzjLkvumqJgnLOZAuNbiB+hPhtGddlG1hemcMrtlVTpjryJ
jJFONd5tG0t28XPMXejDxgn9rJiWVPf6QbcqYSdOwnaCVOUh36FNVBACCeDzLOx9
mw8HDK8idjv/byhFY2KjQVRS/vICCa5Elmyrvr8bEDJMGJ9gZb3maFWNs0WJuo9A
cPSY5JQZatoF1ydnxX1oFIWC9MIhuOktJB6BXjAuwlSzi0Xiyeu3StWFv8Z5tg4j
I2oYNkRQN26Cb8T+ilUxgh6OSYvSKnKq0pfq3MoTp7TPOOszfie1VIqfEb4I1f3G
49KJTLalT2gUjrk3DZOOaZjkLVvudVzvx4XpqvoC4wBcgyr6CapbG4soHKiCGNAM
+CUqTGTAxKFVGaTFUHAAvIB9a2mspY74tACHrKNM7JeWQCU79Ng=
=BkNc
-----END PGP SIGNATURE-----


L
L
Ludovic Courtès wrote on 3 Oct 2018 22:56
control message for bug #32878
(address . control@debbugs.gnu.org)
87in2ilpf6.fsf@gnu.org
tags 32878 security
M
M
Marius Bakke wrote on 6 Oct 2018 16:51
Re: bug#32878: Python-3 CVE-2018-14647
87sh1ji0x0.fsf@fastmail.com
Leo Famulari <leo@famulari.name> writes:

Toggle quote (6 lines)
> Our Python 3.6.5 package is vulnerable to CVE-2018-14647, fixed in
> CPython commit f7666e828cc3d5873136473ea36ba2013d624fa1, released in
> v3.6.7rc1:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647

Reading https://bugs.python.org/issue34623, this issue seems to only
affect older versions of Expat, or when using Pythons bundled one which
is compiled with -DXML_POOR_ENTROPY.

...unfortunately we seem to be using the bundled version :-(

This patch adds a graft for Python:
WDYT?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlu4y9wACgkQoqBt8qM6
VPqnmQgApOAHt4a1wl9sCK8lyL1xwAJ3gkjAq4wjPUTK5QoTK5myv6GuWO1bCvI+
8VbFZXCpo9a97HY/Ci9iGAmUB7Glqsyh30doG1BeDbC7zJGH4/fIAqC9vDTL/rWx
z+tnQvt9PnQIrTTAQ0jZsSjLCeWaqGbI2A7s6qElpAiVF0wpuQAJqNiR9gC86g3M
fFYOZxBOHAGqj+caTqdGJitDhPlFNUQnWGkYLuv5PTeN8781pHKzVezM4cnCeE5o
3XLDAM3TcZnQ6Ot66VjTPfG/vq/rz75OKzkOicT6oJHGf7zzoKkQU92lGCtxIspX
7RrIAft7S097mpSWr8uPhLqJ2pg2dA==
=vUBW
-----END PGP SIGNATURE-----

M
M
Marius Bakke wrote on 6 Oct 2018 17:26
87lg7bhzaa.fsf@fastmail.com
Marius Bakke <mbakke@fastmail.com> writes:

Toggle quote (157 lines)
> This patch adds a graft for Python:
>
> From a60d655fd4dddb86e1c8134c675fb61af52b32af Mon Sep 17 00:00:00 2001
> From: Marius Bakke <mbakke@fastmail.com>
> Date: Sat, 6 Oct 2018 16:47:05 +0200
> Subject: [PATCH] gnu: python: Fix CVE-2018-14647.
>
> * gnu/packages/patches/python-CVE-2018-14647.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/python.scm (python-3/fixed): New variable.
> (python-3.6)[replacement]: New field.
> (python-minimal, python-debug, wrap-python3): Use PACKAGE/INHERIT instead of
> standard inheritance.
> ---
> gnu/local.mk | 1 +
> .../patches/python-CVE-2018-14647.patch | 61 +++++++++++++++++++
> gnu/packages/python.scm | 16 +++--
> 3 files changed, 74 insertions(+), 4 deletions(-)
> create mode 100644 gnu/packages/patches/python-CVE-2018-14647.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 61e5913a0..df16f85db 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1075,6 +1075,7 @@ dist_patch_DATA = \
> %D%/packages/patches/python-3-deterministic-build-info.patch \
> %D%/packages/patches/python-3-search-paths.patch \
> %D%/packages/patches/python-3-fix-tests.patch \
> + %D%/packages/patches/python-CVE-2018-14647.patch \
> %D%/packages/patches/python-axolotl-AES-fix.patch \
> %D%/packages/patches/python-cairocffi-dlopen-path.patch \
> %D%/packages/patches/python-fix-tests.patch \
> diff --git a/gnu/packages/patches/python-CVE-2018-14647.patch b/gnu/packages/patches/python-CVE-2018-14647.patch
> new file mode 100644
> index 000000000..24f8d2182
> --- /dev/null
> +++ b/gnu/packages/patches/python-CVE-2018-14647.patch
> @@ -0,0 +1,61 @@
> +Fix CVE-2018-14647:
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
> +https://bugs.python.org/issue34623
> +
> +Taken from upstream:
> +https://github.com/python/cpython/commit/f7666e828cc3d5873136473ea36ba2013d624fa1
> +
> +diff --git Include/pyexpat.h Include/pyexpat.h
> +index 44259bf6d7..07020b5dc9 100644
> +--- Include/pyexpat.h
> ++++ Include/pyexpat.h
> +@@ -3,7 +3,7 @@
> +
> + /* note: you must import expat.h before importing this module! */
> +
> +-#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.0"
> ++#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.1"
> + #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI"
> +
> + struct PyExpat_CAPI
> +@@ -48,6 +48,8 @@ struct PyExpat_CAPI
> + enum XML_Status (*SetEncoding)(XML_Parser parser, const XML_Char *encoding);
> + int (*DefaultUnknownEncodingHandler)(
> + void *encodingHandlerData, const XML_Char *name, XML_Encoding *info);
> ++ /* might be none for expat < 2.1.0 */
> ++ int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt);
> + /* always add new stuff to the end! */
> + };
> +
> +diff --git Modules/_elementtree.c Modules/_elementtree.c
> +index 707ab2912b..53f05f937f 100644
> +--- Modules/_elementtree.c
> ++++ Modules/_elementtree.c
> +@@ -3261,6 +3261,11 @@ _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject *html,
> + PyErr_NoMemory();
> + return -1;
> + }
> ++ /* expat < 2.1.0 has no XML_SetHashSalt() */
> ++ if (EXPAT(SetHashSalt) != NULL) {
> ++ EXPAT(SetHashSalt)(self->parser,
> ++ (unsigned long)_Py_HashSecret.expat.hashsalt);
> ++ }
> +
> + if (target) {
> + Py_INCREF(target);
> +diff --git Modules/pyexpat.c Modules/pyexpat.c
> +index 47c3e86c20..aa21d93c11 100644
> +--- Modules/pyexpat.c
> ++++ Modules/pyexpat.c
> +@@ -1887,6 +1887,11 @@ MODULE_INITFUNC(void)
> + capi.SetStartDoctypeDeclHandler = XML_SetStartDoctypeDeclHandler;
> + capi.SetEncoding = XML_SetEncoding;
> + capi.DefaultUnknownEncodingHandler = PyUnknownEncodingHandler;
> ++#if XML_COMBINED_VERSION >= 20100
> ++ capi.SetHashSalt = XML_SetHashSalt;
> ++#else
> ++ capi.SetHashSalt = NULL;
> ++#endif
> +
> + /* export using capsule */
> + capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL);
> diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
> index 4703d95a2..5ee3db6bf 100644
> --- a/gnu/packages/python.scm
> +++ b/gnu/packages/python.scm
> @@ -357,6 +357,7 @@ data types.")
> (package (inherit python-2)
> (name "python")
> (version "3.6.5")
> + (replacement python-3/fixed)
> (source (origin
> (method url-fetch)
> (uri (string-append "https://www.python.org/ftp/python/"
> @@ -456,6 +457,14 @@ data types.")
> ;; Current 3.x version.
> (define-public python-3 python-3.6)
>
> +(define python-3/fixed
> + (package
> + (inherit python-3)
> + (source (origin
> + (inherit (package-source python-3))
> + (patches (append (origin-patches (package-source python-3))
> + (search-patches "python-CVE-2018-14647.patch")))))))
> +
> ;; Current major version.
> (define-public python python-3)
>
> @@ -474,7 +483,7 @@ data types.")
> ("zlib" ,zlib)))))
>
> (define-public python-minimal
> - (package (inherit python)
> + (package/inherit python
> (name "python-minimal")
> (outputs '("out"))
>
> @@ -486,8 +495,7 @@ data types.")
> ("zlib" ,zlib)))))
>
> (define-public python-debug
> - (package
> - (inherit python)
> + (package/inherit python
> (name "python-debug")
> (outputs '("out" "debug"))
> (build-system gnu-build-system)
> @@ -506,7 +514,7 @@ for more information.")))
> (define* (wrap-python3 python
> #:optional
> (name (string-append (package-name python) "-wrapper")))
> - (package (inherit python)
> + (package/inherit python
> (name name)
> (source #f)
> (build-system trivial-build-system)
> --
> 2.19.0

Whoops, this hunk is also needed:
1 file changed, 11 insertions(+), 1 deletion(-)
gnu/packages/python.scm | 12 +++++++++++-

modified gnu/packages/python.scm
@@ -463,7 +463,17 @@ data types.")
(source (origin
(inherit (package-source python-3))
(patches (append (origin-patches (package-source python-3))
- (search-patches "python-CVE-2018-14647.patch")))))))
+ (search-patches "python-CVE-2018-14647.patch")))))
+ (arguments
+ (substitute-keyword-arguments (package-arguments python-3)
+ ((#:phases phases)
+ `(modify-phases ,phases
+ (add-after 'unpack 'delete-broken-test
+ (lambda _
+ ;; Delete test which fails on recent kernels:
+ (delete-file "Lib/test/test_socket.py")
+ #t))))))))
;; Current major version.
(define-public python python-3)

[back]
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlu41B0ACgkQoqBt8qM6
VPpp2gf+NaeW3CkR/hXBlsfrU1sRCh9e9mdCdU1dMTR5hXmDTPe1UZsQQH2euLKa
Cxf1fqZH0wrU2KfvUEZNJKzi0lqQeJCUIjaT057/lBMhhnWLol6Yk4kN8WnYBAwM
l7Tkc+Wq0lqrphBimz6SxbhoHtusSSVx6IzLaqaQWSxW/HocXIE5bbl2BbxvtDSp
2KGhlYJQKYv9S/s81ZjnUK4PW0DiJHknAzncOfIkJ7PUri0CltRH7dnGpSRO+9uc
VCE4VUKRnEi1Z6OrGlIwpfNctOJ8ORI3LjIgSaUYUDEirqat+s2SwU/eVmnNgrtS
iWZQMS4YvM9zxbU8swW9UpvHebBHAA==
=f+yp
-----END PGP SIGNATURE-----

L
L
Leo Famulari wrote on 10 Oct 2018 21:26
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 32878@debbugs.gnu.org)
20181010192601.GB22832@jasmine.lan
On Sat, Oct 06, 2018 at 04:51:07PM +0200, Marius Bakke wrote:
Toggle quote (12 lines)
> From a60d655fd4dddb86e1c8134c675fb61af52b32af Mon Sep 17 00:00:00 2001
> From: Marius Bakke <mbakke@fastmail.com>
> Date: Sat, 6 Oct 2018 16:47:05 +0200
> Subject: [PATCH] gnu: python: Fix CVE-2018-14647.
>
> * gnu/packages/patches/python-CVE-2018-14647.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/python.scm (python-3/fixed): New variable.
> (python-3.6)[replacement]: New field.
> (python-minimal, python-debug, wrap-python3): Use PACKAGE/INHERIT instead of
> standard inheritance.

Thanks! I did some more basic tests with this one, using the extra hunk
in your other mail. I think this change is okay.
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlu+UkkACgkQJkb6MLrK
fwhXdw/+J+My56nC1+9G3+zL5OFyEmVWgtAxhxL3QrfcoZoZRoUtHIDo3nhuZMkm
lgtAWxR6qMZA76KWyQiJ4nLo7HreyPwXMrv+jInjKFTv4ABWNjuCtQWKoFH9gVwe
Jo/MRTlAzgFKzXBzi7X0XrDpxJ04oHLV/+/yt8SO//I/2O5ZFnyjoC1u4OtDdzIL
vUwyWBt/GMcIeVAcolU1mC19o3VJ00TD9VbORMxXdcJRmRkHrYEZ5FxfKSelTIUL
GKrm8M3VVCbAKjf17jSkQpYGqwCOhHKupoG7HhivGREAAkdbdd0loOtQ+oMplk2A
VOofMA73xrKZIMz1pcVScTSwnUzW2PeU6Ci6gOVkaSkGf+eK/pi4A6vZ8cEzWi+q
k2NxR/1zursvq2wxcgMFMpygfb0C9fXe0esXC1aXIy4NdfxbpKO/NmBWEZ54kVo/
0bHEnbG1suxkBRImzPntlXiSvIhbDy6Xl80CsaK/DWbx5NkxcxK0/mji+eBEGDRl
nWTUHzLkWqMLZ/uceaDnaQOxPTyIRzb/I10cxZf3C0jStEZNpLZv9KiV+RlQXx4Q
ZqdrQ1cg9R2dparlN/Mbb6xfR8Frg1yj/YxswlgmK7k+k0Bk5Uc+53lrvnA+DIbW
inLxXWeonI3ekii8syGctFr7I5oDYijV55t06wieb5m6d1VcGWs=
=Bfcp
-----END PGP SIGNATURE-----


M
M
Mark H Weaver wrote on 11 Oct 2018 10:04
(name . Leo Famulari)(address . leo@famulari.name)
87k1moykmo.fsf@netris.org
Leo Famulari <leo@famulari.name> writes:

Toggle quote (16 lines)
> On Sat, Oct 06, 2018 at 04:51:07PM +0200, Marius Bakke wrote:
>> From a60d655fd4dddb86e1c8134c675fb61af52b32af Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <mbakke@fastmail.com>
>> Date: Sat, 6 Oct 2018 16:47:05 +0200
>> Subject: [PATCH] gnu: python: Fix CVE-2018-14647.
>>
>> * gnu/packages/patches/python-CVE-2018-14647.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/python.scm (python-3/fixed): New variable.
>> (python-3.6)[replacement]: New field.
>> (python-minimal, python-debug, wrap-python3): Use PACKAGE/INHERIT instead of
>> standard inheritance.
>
> Thanks! I did some more basic tests with this one, using the extra hunk
> in your other mail. I think this change is okay.

As I wrote in another thread, I added this commit (with extra hunk) to
my private branch a few days ago, along with the Python-2 security
fixes, updated my GuixSD GNOME 3 system and user profile, and everything
seems to be working well.

I think they are both ready to push to master.

Thank you, Marius!

Mark
M
M
Marius Bakke wrote on 17 Oct 2018 21:02
32878
(address . control@debbugs.gnu.org)
87zhvcflc3.fsf@fastmail.com
close 32878 90aeaee861845142843a0f988fa4ff016c723cdb

thanks
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlvHhzwACgkQoqBt8qM6
VPq/Rwf/dbYQCZwBqZrmgBCbcgaNnfKMX9zxidzQV+g50+nNR4rTv7RrknqLCUmX
pD1XuvuEH5lUQem0aXbTHyYhxpO9+Vi235MHf1ECR+VL1XMTZTutd5eT28jLzw4U
dqxoAmp+DIA5GSeotcb++78+guomLBPCpkPereYjPxFMdOyPzCjc71+9F2spqgMF
NOzk/ql8rZc7o8OR9L/5s7i4ui9g+3Sh88Ra7EFH/O1FtPsvPYNRU0P7Fytof23C
KLv1nalRSuDs0hjwsrETMz+fsazmr/gcEt5eFyBwk2wsnRBH+9l+CDGWYT6Bhhs0
m+T6MaIdGyazZ8YCgqDsrWYZVDo9yA==
=gbUC
-----END PGP SIGNATURE-----

?