Python CVE-2021-3177

  • Done
Details
2 participants
  • Leo Famulari
  • Ludovic Courtès
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
Leo Famulari wrote on 19 Feb 2021 04:21
(address . bug-guix@gnu.org)
YC8uvtnvGyXcCno1@jasmine.lan
Quoting from MITRE:

------
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in
_ctypes/callproc.c, which may lead to remote code execution in certain
Python applications that accept floating-point numbers as untrusted
input, as demonstrated by a 1e300 argument to c_double.from_param. This
occurs because sprintf is used unsafely.
------

There is not yet an upstream release to fix the issue in the 3.8 series
that we distribute. I believe there are patches we can cherry-pick. Can
somebody find them?

I assume that Python is considered to be "graft-able". Can anyone
confirm?

The upstream bug report:
Ludovic Courtès wrote on 19 Feb 2021 16:35
(name . Leo Famulari)(address . leo@famulari.name)(address . 46631@debbugs.gnu.org)
87h7m8kr41.fsf@gnu.org
Hi,

Leo Famulari <leo@famulari.name> skribis:

> I assume that Python is considered to be "graft-able". Can anyone
> confirm?

Yes, I think so.

Ludo’.
Leo Famulari wrote on 20 Feb 2021 00:12
Re: Python CVE-2021-3177
(address . 46631@debbugs.gnu.org)
YDBF+l7hL3IzP185@jasmine.lan
I pushed a fix for Python 3.9 in commit
f08c7cb0c75e7d5305c82d6a4af68ddf74fb08b1.

But, we use Python 3.8 for everything, and my patch (attached) fails to
apply for some reason. It does work when I apply the new bug fix patch
"by hand" onto the Guix source code for our current python-3.8 package.
Leo Famulari wrote on 20 Feb 2021 00:23
(address . 46631@debbugs.gnu.org)
YDBIhd+7XE90GNre@jasmine.lan
On Fri, Feb 19, 2021 at 06:12:58PM -0500, Leo Famulari wrote:
> But, we use Python 3.8 for everything, and my patch (attached) fails to
> apply for some reason. It does work when I apply the new bug fix patch
> "by hand" onto the Guix source code for our current python-3.8 package.

More weirdness: When I apply the patch to the python-3.8 package (that
is, without setting up a grafted replacement), it works. So I am
definitely doing something wrong here.
Leo Famulari wrote on 20 Feb 2021 00:41
(address . 46631@debbugs.gnu.org)
YDBMpqCk3DBJXvfU@jasmine.lan
On Fri, Feb 19, 2021 at 06:23:49PM -0500, Leo Famulari wrote:
> More weirdness: When I apply the patch to the python-3.8 package (that
> is, without setting up a grafted replacement), it works. So I am
> definitely doing something wrong here.

Here is a new patch that I'm currently building. I think I had composed
the package inheritance incorrectly in my previous patch.
Ludovic Courtès wrote on 22 Feb 2021 09:08
Re: bug#46631: Python CVE-2021-3177
(name . Leo Famulari)(address . leo@famulari.name)(address . 46631@debbugs.gnu.org)
87pn0sfrtd.fsf@gnu.org
Hi Leo,

Leo Famulari <leo@famulari.name> skribis:

> From b62969d52add462fc1b8b4bd1e0a3c4d53a39864 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Fri, 19 Feb 2021 18:09:57 -0500
> Subject: [PATCH] gnu: Python: Fix CVE-2021-3177.
>
> * gnu/packages/patches/python-3.8-CVE-2021-3177.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/python.scm (python-3.8): Define with PACKAGE/INHERIT.
> [replacement]: New field.
> (python-3.8/fixed): New variable.

[...]

> (define-public python-3.8
> - (package (inherit python-2)
> + (package/inherit python-2
> (name "python")
> + (replacement python-3.8/fixed)
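Review bot: with `(replacement python-3.8/fixed)` set explicitly on the line right after it, the switch from `(package (inherit python-2)` to `(package/inherit python-2` buys nothing: `package/inherit` exists only to carry python-2's own replacement over to the new definition, and this definition supplies its own. Keep plain `(inherit python-2)` and drop the "Define with PACKAGE/INHERIT" line from the commit message. The quoted excerpt also stops before `python-3.8/fixed`; for the graft to be valid that variable needs to inherit from `python-3.8` and change only the source (the new patch file), so the replacement stays binary-compatible with the package it replaces.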

You can keep (inherit …) because the effect of ‘package/inherit’ is just
to preserve replacements, which is unnecessary here.

Apart from that, the Guix side of things LGTM.

Thanks for working on it!

Ludo’.
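As an added illustration of the graft layout the quoted commit message and review describe (this is not Leo's pushed patch, which is not reproduced on this page): python-3.8 keeps plain `inherit` and points its `replacement` at python-3.8/fixed, and the fixed variant inherits from python-3.8 and differs only in its source, which gains the patch file named in the commit message. The remaining field overrides of the existing python-3.8 definition (version, source, arguments) are assumed unchanged and omitted here.

```scheme
;; Added illustration of the graft layout discussed in this thread; not
;; the patch as pushed.  The version/source/arguments overrides of the
;; existing python-3.8 definition are assumed unchanged and left out.
(define-public python-3.8
  ;; Plain 'inherit' is enough: 'replacement' is an innate field, so it
  ;; is never copied from python-2, and we set our own below.
  (package (inherit python-2)
    (name "python")
    ;; Forward reference is fine: 'replacement' is a thunked field.
    (replacement python-3.8/fixed)))

;; The grafted replacement: same package, same version, same build
;; recipe, differing only in the source, which gains the CVE patch.  That
;; keeps it binary-compatible with python-3.8, which is what a graft
;; requires.  Because 'inherit' does not copy 'replacement', this variant
;; has no replacement of its own and no graft cycle arises.
(define python-3.8/fixed
  (package
    (inherit python-3.8)
    (source
     (origin
       (inherit (package-source python-3.8))
       (patches
        (append (origin-patches (package-source python-3.8))
                (search-patches "python-3.8-CVE-2021-3177.patch")))))))
```

With this in place, `guix build python@3.8` yields the grafted output (dependents pick up the fix without being rebuilt), while `guix build --no-grafts python@3.8` still produces the unpatched package, which is a quick way to confirm the graft is what changed.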
Ludovic Courtès wrote on 22 Feb 2021 10:15
control message for bug #46631
(address . control@debbugs.gnu.org)
87ft1oea5d.fsf@gnu.org
tags 46631 + security
quit
Leo Famulari wrote on 23 Feb 2021 20:16
Re: bug#46631: Python CVE-2021-3177
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 46631-done@debbugs.gnu.org)
YDVUppIfrq7dViXv@jasmine.lan
On Mon, Feb 22, 2021 at 09:08:14AM +0100, Ludovic Courtès wrote:
> You can keep (inherit …) because the effect of ‘package/inherit’ is just
> to preserve replacements, which is unnecessary here.

I used to know that... it's been a while and I forgot, and had trouble
understanding the package/inherit docstring. So I pushed a commit that I
hope clarifies it.

> Apart from that, the Guix side of things LGTM.

Pushed as 84e082e31706411e7f9c3189a83f8ed0b4016fe7

> Thanks for working on it!

Thanks for the review!
Closed