Python-3 CVE-2018-14647

  • Done
Details
4 participants
  • Leo Famulari
  • Ludovic Courtès
  • Marius Bakke
  • Mark H Weaver
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
Leo Famulari wrote on 29 Sep 2018 21:23
(address . bug-guix@gnu.org)
20180929192302.GB17619@jasmine.lan
Our Python 3.6.5 package is vulnerable to CVE-2018-14647, fixed in
CPython commit f7666e828cc3d5873136473ea36ba2013d624fa1, released in
v3.6.7rc1:


Ludovic Courtès wrote on 3 Oct 2018 22:56
control message for bug #32878
(address . control@debbugs.gnu.org)
87in2ilpf6.fsf@gnu.org
tags 32878 security
Marius Bakke wrote on 6 Oct 2018 16:51
Re: bug#32878: Python-3 CVE-2018-14647
87sh1ji0x0.fsf@fastmail.com
Leo Famulari <leo@famulari.name> writes:

> Our Python 3.6.5 package is vulnerable to CVE-2018-14647, fixed in
> CPython commit f7666e828cc3d5873136473ea36ba2013d624fa1, released in
> v3.6.7rc1:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647

Reading https://bugs.python.org/issue34623, this issue seems to only
affect older versions of Expat, or when using Python's bundled one which
is compiled with -DXML_POOR_ENTROPY.

...unfortunately we seem to be using the bundled version :-(

This patch adds a graft for Python:
WDYT?

Marius Bakke wrote on 6 Oct 2018 17:26
87lg7bhzaa.fsf@fastmail.com
Marius Bakke <mbakke@fastmail.com> writes:

> This patch adds a graft for Python:
>
> From a60d655fd4dddb86e1c8134c675fb61af52b32af Mon Sep 17 00:00:00 2001
> From: Marius Bakke <mbakke@fastmail.com>
> Date: Sat, 6 Oct 2018 16:47:05 +0200
> Subject: [PATCH] gnu: python: Fix CVE-2018-14647.
>
> * gnu/packages/patches/python-CVE-2018-14647.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/python.scm (python-3/fixed): New variable.
> (python-3.6)[replacement]: New field.
> (python-minimal, python-debug, wrap-python3): Use PACKAGE/INHERIT instead of
> standard inheritance.
> ---
> gnu/local.mk | 1 +
> .../patches/python-CVE-2018-14647.patch | 61 +++++++++++++++++++
> gnu/packages/python.scm | 16 +++--
> 3 files changed, 74 insertions(+), 4 deletions(-)
> create mode 100644 gnu/packages/patches/python-CVE-2018-14647.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 61e5913a0..df16f85db 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1075,6 +1075,7 @@ dist_patch_DATA = \
> %D%/packages/patches/python-3-deterministic-build-info.patch \
> %D%/packages/patches/python-3-search-paths.patch \
> %D%/packages/patches/python-3-fix-tests.patch \
> + %D%/packages/patches/python-CVE-2018-14647.patch \
> %D%/packages/patches/python-axolotl-AES-fix.patch \
> %D%/packages/patches/python-cairocffi-dlopen-path.patch \
> %D%/packages/patches/python-fix-tests.patch \
> diff --git a/gnu/packages/patches/python-CVE-2018-14647.patch b/gnu/packages/patches/python-CVE-2018-14647.patch
> new file mode 100644
> index 000000000..24f8d2182
> --- /dev/null
> +++ b/gnu/packages/patches/python-CVE-2018-14647.patch
> @@ -0,0 +1,61 @@
> +Fix CVE-2018-14647:
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
> +https://bugs.python.org/issue34623
> +
> +Taken from upstream:
> +https://github.com/python/cpython/commit/f7666e828cc3d5873136473ea36ba2013d624fa1
> +
> +diff --git Include/pyexpat.h Include/pyexpat.h
> +index 44259bf6d7..07020b5dc9 100644
> +--- Include/pyexpat.h
> ++++ Include/pyexpat.h
> +@@ -3,7 +3,7 @@
> +
> + /* note: you must import expat.h before importing this module! */
> +
> +-#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.0"
> ++#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.1"
> + #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI"
> +
> + struct PyExpat_CAPI
> +@@ -48,6 +48,8 @@ struct PyExpat_CAPI
> + enum XML_Status (*SetEncoding)(XML_Parser parser, const XML_Char *encoding);
> + int (*DefaultUnknownEncodingHandler)(
> + void *encodingHandlerData, const XML_Char *name, XML_Encoding *info);
> ++ /* might be none for expat < 2.1.0 */
> ++ int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt);
> + /* always add new stuff to the end! */
> + };
> +
> +diff --git Modules/_elementtree.c Modules/_elementtree.c
> +index 707ab2912b..53f05f937f 100644
> +--- Modules/_elementtree.c
> ++++ Modules/_elementtree.c
> +@@ -3261,6 +3261,11 @@ _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject *html,
> + PyErr_NoMemory();
> + return -1;
> + }
> ++ /* expat < 2.1.0 has no XML_SetHashSalt() */
> ++ if (EXPAT(SetHashSalt) != NULL) {
> ++ EXPAT(SetHashSalt)(self->parser,
> ++ (unsigned long)_Py_HashSecret.expat.hashsalt);
> ++ }
> +
> + if (target) {
> + Py_INCREF(target);
> +diff --git Modules/pyexpat.c Modules/pyexpat.c
> +index 47c3e86c20..aa21d93c11 100644
> +--- Modules/pyexpat.c
> ++++ Modules/pyexpat.c
> +@@ -1887,6 +1887,11 @@ MODULE_INITFUNC(void)
> + capi.SetStartDoctypeDeclHandler = XML_SetStartDoctypeDeclHandler;
> + capi.SetEncoding = XML_SetEncoding;
> + capi.DefaultUnknownEncodingHandler = PyUnknownEncodingHandler;
> ++#if XML_COMBINED_VERSION >= 20100
> ++ capi.SetHashSalt = XML_SetHashSalt;
> ++#else
> ++ capi.SetHashSalt = NULL;
> ++#endif
> +
> + /* export using capsule */
> + capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL);
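Review bot: the embedded upstream diff headers use unprefixed paths (`--- Include/pyexpat.h`, `+++ Include/pyexpat.h`) while the outer patch uses `a/` and `b/`; confirm that the Guix patch phase's strip level applies these three file diffs cleanly, or rewrite the headers with `a/`/`b/` prefixes so the -p level is unambiguous. The `#if XML_COMBINED_VERSION >= 20100` fallback to `capi.SetHashSalt = NULL`, paired with the `EXPAT(SetHashSalt) != NULL` check in `_elementtree.c`, is the right shape, but it means that with an Expat older than 2.1.0 the salt is silently never applied, so the fix only takes effect when the Expat actually linked is at least 2.1.0.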
> diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
> index 4703d95a2..5ee3db6bf 100644
> --- a/gnu/packages/python.scm
> +++ b/gnu/packages/python.scm
> @@ -357,6 +357,7 @@ data types.")
> (package (inherit python-2)
> (name "python")
> (version "3.6.5")
> + (replacement python-3/fixed)
> (source (origin
> (method url-fetch)
> (uri (string-append "https://www.python.org/ftp/python/"
> @@ -456,6 +457,14 @@ data types.")
> ;; Current 3.x version.
> (define-public python-3 python-3.6)
>
> +(define python-3/fixed
> + (package
> + (inherit python-3)
> + (source (origin
> + (inherit (package-source python-3))
> + (patches (append (origin-patches (package-source python-3))
> + (search-patches "python-CVE-2018-14647.patch")))))))
> +
> ;; Current major version.
> (define-public python python-3)
>
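Review bot: because this is a graft, dependents are not rebuilt against the replacement, and the patch changes `PyExpat_CAPI_MAGIC` from "pyexpat.expat_CAPI 1.0" to "1.1" and appends a member to `struct PyExpat_CAPI`; `pyexpat` and `_elementtree` are rebuilt together here, but any other package that imports that capsule through `Include/pyexpat.h` would still carry the old magic string, so check that none does before pushing. Note also that `python-3/fixed` inherits `python-3`'s arguments unchanged, so the full test suite runs against the patched build and any test failure blocks the graft.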
> @@ -474,7 +483,7 @@ data types.")
> ("zlib" ,zlib)))))
>
> (define-public python-minimal
> - (package (inherit python)
> + (package/inherit python
> (name "python-minimal")
> (outputs '("out"))
>
> @@ -486,8 +495,7 @@ data types.")
> ("zlib" ,zlib)))))
>
> (define-public python-debug
> - (package
> - (inherit python)
> + (package/inherit python
> (name "python-debug")
> (outputs '("out" "debug"))
> (build-system gnu-build-system)
> @@ -506,7 +514,7 @@ for more information.")))
> (define* (wrap-python3 python
> #:optional
> (name (string-append (package-name python) "-wrapper")))
> - (package (inherit python)
> + (package/inherit python
> (name name)
> (source #f)
> (build-system trivial-build-system)
> --
> 2.19.0

Whoops, this hunk is also needed:
1 file changed, 11 insertions(+), 1 deletion(-)
gnu/packages/python.scm | 12 +++++++++++-

modified gnu/packages/python.scm
@@ -463,7 +463,17 @@ data types.")
(source (origin
(inherit (package-source python-3))
(patches (append (origin-patches (package-source python-3))
- (search-patches "python-CVE-2018-14647.patch")))))))
+ (search-patches "python-CVE-2018-14647.patch")))))
+ (arguments
+ (substitute-keyword-arguments (package-arguments python-3)
+ ((#:phases phases)
+ `(modify-phases ,phases
+ (add-after 'unpack 'delete-broken-test
+ (lambda _
+ ;; Delete test which fails on recent kernels:
+ (delete-file "Lib/test/test_socket.py")
+ #t))))))))
;; Current major version.
(define-public python python-3)
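Review bot: `(delete-file "Lib/test/test_socket.py")` drops the whole socket test module from the graft build to work around one failure, and the comment does not say which test fails or on which kernels; prefer disabling just that test, or at least naming it in the comment with a reference, so the remaining socket coverage still runs against the patched build. Since the replacement must stay ABI-identical to `python-3`, keeping this extra phase limited to tests, as it is here, is the right approach.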


Leo Famulari wrote on 10 Oct 2018 21:26
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 32878@debbugs.gnu.org)
20181010192601.GB22832@jasmine.lan
On Sat, Oct 06, 2018 at 04:51:07PM +0200, Marius Bakke wrote:
> From a60d655fd4dddb86e1c8134c675fb61af52b32af Mon Sep 17 00:00:00 2001
> From: Marius Bakke <mbakke@fastmail.com>
> Date: Sat, 6 Oct 2018 16:47:05 +0200
> Subject: [PATCH] gnu: python: Fix CVE-2018-14647.
>
> * gnu/packages/patches/python-CVE-2018-14647.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/python.scm (python-3/fixed): New variable.
> (python-3.6)[replacement]: New field.
> (python-minimal, python-debug, wrap-python3): Use PACKAGE/INHERIT instead of
> standard inheritance.

Thanks! I did some more basic tests with this one, using the extra hunk
in your other mail. I think this change is okay.

Mark H Weaver wrote on 11 Oct 2018 10:04
(name . Leo Famulari)(address . leo@famulari.name)
87k1moykmo.fsf@netris.org
Leo Famulari <leo@famulari.name> writes:

> On Sat, Oct 06, 2018 at 04:51:07PM +0200, Marius Bakke wrote:
>> From a60d655fd4dddb86e1c8134c675fb61af52b32af Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <mbakke@fastmail.com>
>> Date: Sat, 6 Oct 2018 16:47:05 +0200
>> Subject: [PATCH] gnu: python: Fix CVE-2018-14647.
>>
>> * gnu/packages/patches/python-CVE-2018-14647.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/python.scm (python-3/fixed): New variable.
>> (python-3.6)[replacement]: New field.
>> (python-minimal, python-debug, wrap-python3): Use PACKAGE/INHERIT instead of
>> standard inheritance.
>
> Thanks! I did some more basic tests with this one, using the extra hunk
> in your other mail. I think this change is okay.

As I wrote in another thread, I added this commit (with extra hunk) to
my private branch a few days ago, along with the Python-2 security
fixes, updated my GuixSD GNOME 3 system and user profile, and everything
seems to be working well.

I think they are both ready to push to master.

Thank you, Marius!

Mark
Marius Bakke wrote on 17 Oct 2018 21:02
32878
(address . control@debbugs.gnu.org)
87zhvcflc3.fsf@fastmail.com
close 32878 90aeaee861845142843a0f988fa4ff016c723cdb

thanks

This issue is archived.