GNU bug report logs -
#32877
Python-2 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647 CVE-2018-1000802
Previous Next
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Sat, 29 Sep 2018 19:19:02 UTC
Severity: normal
Tags: security
Done: Marius Bakke <mbakke <at> fastmail.com>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 32877 in the body.
You can then email your comments to 32877 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-guix <at> gnu.org:
bug#32877; Package
guix.
(Sat, 29 Sep 2018 19:19:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to
bug-guix <at> gnu.org.
(Sat, 29 Sep 2018 19:19:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Here are some bugs that apply to our Python 2.7.14 package.
CVE-2018-1060 (fixed upstream in Python 2.7.15):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060
CVE-2018-1061 (fixed upstream in Python 2.7.15):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061
CVE-2018-14647 (fixed in unreleased CPython commit
18b20bad75b4ff0486940fba4ec680e96e70f3a2):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
CVE-2018-1000802 (fixed in unreleased CPython commit
d8b103b8b3ef9644805341216963a64098642435):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802
[signature.asc (application/pgp-signature, inline)]
Added tag(s) security.
Request was from
ludo <at> gnu.org (Ludovic Courtès)
to
control <at> debbugs.gnu.org.
(Wed, 03 Oct 2018 20:57:04 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-guix <at> gnu.org:
bug#32877; Package
guix.
(Sat, 06 Oct 2018 16:54:01 GMT)
Full text and
rfc822 format available.
Message #10 received at 32877 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:
> Here are some bugs that apply to our Python 2.7.14 package.
>
> CVE-2018-1060 (fixed upstream in Python 2.7.15):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060
>
> CVE-2018-1061 (fixed upstream in Python 2.7.15):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061
>
> CVE-2018-14647 (fixed in unreleased CPython commit
> 18b20bad75b4ff0486940fba4ec680e96e70f3a2):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
>
> CVE-2018-1000802 (fixed in unreleased CPython commit
> d8b103b8b3ef9644805341216963a64098642435):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802
Here is a patch that should fix these:
[0001-gnu-python2-Add-upstream-security-fixes.patch (text/x-patch, inline)]
From 2891a9acb7704c3397ef34fbb520b46936504422 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke <at> fastmail.com>
Date: Sat, 6 Oct 2018 18:50:47 +0200
Subject: [PATCH] gnu: python2: Add upstream security fixes.
This addresses CVE-2018-{1060,1061,14647,1000802}.
* gnu/packages/patches/python2-CVE-2018-1000802.patch,
gnu/packages/patches/python2-CVE-2018-1060.patch,
gnu/packages/patches/python2-CVE-2018-1061.patch,
gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/python.scm (python-2/fixed): New variable.
(python-2.7)[replacement]: New field.
(python2-minimal): Use PACKAGE/INHERIT.
---
gnu/local.mk | 4 ++
.../patches/python2-CVE-2018-1000802.patch | 47 ++++++++++++++
.../patches/python2-CVE-2018-1060.patch | 20 ++++++
.../patches/python2-CVE-2018-1061.patch | 20 ++++++
.../patches/python2-CVE-2018-14647.patch | 61 +++++++++++++++++++
gnu/packages/python.scm | 15 ++++-
6 files changed, 166 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/python2-CVE-2018-1000802.patch
create mode 100644 gnu/packages/patches/python2-CVE-2018-1060.patch
create mode 100644 gnu/packages/patches/python2-CVE-2018-1061.patch
create mode 100644 gnu/packages/patches/python2-CVE-2018-14647.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index df16f85db..e77f21db5 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1067,6 +1067,10 @@ dist_patch_DATA = \
%D%/packages/patches/pygpgme-disable-problematic-tests.patch \
%D%/packages/patches/pyqt-configure.patch \
%D%/packages/patches/pyqt-public-sip.patch \
+ %D%/packages/patches/python2-CVE-2018-1060.patch \
+ %D%/packages/patches/python2-CVE-2018-1061.patch \
+ %D%/packages/patches/python2-CVE-2018-14647.patch \
+ %D%/packages/patches/python2-CVE-2018-1000802.patch \
%D%/packages/patches/python-2-deterministic-build-info.patch \
%D%/packages/patches/python-2.7-adjust-tests.patch \
%D%/packages/patches/python-2.7-search-paths.patch \
diff --git a/gnu/packages/patches/python2-CVE-2018-1000802.patch b/gnu/packages/patches/python2-CVE-2018-1000802.patch
new file mode 100644
index 000000000..0d5bc77c8
--- /dev/null
+++ b/gnu/packages/patches/python2-CVE-2018-1000802.patch
@@ -0,0 +1,47 @@
+Fix CVE-2018-1000802:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802
+
+Taken from upstream commit (sans NEWS):
+https://github.com/python/cpython/commit/d8b103b8b3ef9644805341216963a64098642435
+
+diff --git a/Lib/shutil.py b/Lib/shutil.py
+index 3462f7c5e9..0ab1a06f52 100644
+--- a/Lib/shutil.py
++++ b/Lib/shutil.py
+@@ -413,17 +413,21 @@ def _make_tarball(base_name, base_dir, compress="gzip", verbose=0, dry_run=0,
+
+ return archive_name
+
+-def _call_external_zip(base_dir, zip_filename, verbose=False, dry_run=False):
++def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger):
+ # XXX see if we want to keep an external call here
+ if verbose:
+ zipoptions = "-r"
+ else:
+ zipoptions = "-rq"
+- from distutils.errors import DistutilsExecError
+- from distutils.spawn import spawn
++ cmd = ["zip", zipoptions, zip_filename, base_dir]
++ if logger is not None:
++ logger.info(' '.join(cmd))
++ if dry_run:
++ return
++ import subprocess
+ try:
+- spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=dry_run)
+- except DistutilsExecError:
++ subprocess.check_call(cmd)
++ except subprocess.CalledProcessError:
+ # XXX really should distinguish between "couldn't find
+ # external 'zip' command" and "zip failed".
+ raise ExecError, \
+@@ -458,7 +462,7 @@ def _make_zipfile(base_name, base_dir, verbose=0, dry_run=0, logger=None):
+ zipfile = None
+
+ if zipfile is None:
+- _call_external_zip(base_dir, zip_filename, verbose, dry_run)
++ _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger)
+ else:
+ if logger is not None:
+ logger.info("creating '%s' and adding '%s' to it",
diff --git a/gnu/packages/patches/python2-CVE-2018-1060.patch b/gnu/packages/patches/python2-CVE-2018-1060.patch
new file mode 100644
index 000000000..5eb7ccfbc
--- /dev/null
+++ b/gnu/packages/patches/python2-CVE-2018-1060.patch
@@ -0,0 +1,20 @@
+Fix CVE-2018-1060:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060
+
+Taken from upstream commit (sans test and NEWS):
+https://github.com/python/cpython/commit/e052d40cea15f582b50947f7d906b39744dc62a2
+
+diff --git a/Lib/poplib.py b/Lib/poplib.py
+index b91e5f72d2ca..a238510b38fc 100644
+--- a/Lib/poplib.py
++++ b/Lib/poplib.py
+@@ -274,7 +274,7 @@ def rpop(self, user):
+ return self._shortcmd('RPOP %s' % user)
+
+
+- timestamp = re.compile(r'\+OK.*(<[^>]+>)')
++ timestamp = re.compile(br'\+OK.[^<]*(<.*>)')
+
+ def apop(self, user, secret):
+ """Authorisation
+
diff --git a/gnu/packages/patches/python2-CVE-2018-1061.patch b/gnu/packages/patches/python2-CVE-2018-1061.patch
new file mode 100644
index 000000000..6caab24b4
--- /dev/null
+++ b/gnu/packages/patches/python2-CVE-2018-1061.patch
@@ -0,0 +1,20 @@
+Fix CVE-2018-1061:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061
+
+Taken from upstream commit (sans test and NEWS):
+https://github.com/python/cpython/commit/e052d40cea15f582b50947f7d906b39744dc62a2
+
+diff --git a/Lib/difflib.py b/Lib/difflib.py
+index 1c6fbdbedcb7..788a92df3f89 100644
+--- a/Lib/difflib.py
++++ b/Lib/difflib.py
+@@ -1103,7 +1103,7 @@ def _qformat(self, aline, bline, atags, btags):
+
+ import re
+
+-def IS_LINE_JUNK(line, pat=re.compile(r"\s*#?\s*$").match):
++def IS_LINE_JUNK(line, pat=re.compile(r"\s*(?:#\s*)?$").match):
+ r"""
+ Return 1 for ignorable line: iff `line` is blank or contains a single '#'.
+
diff --git a/gnu/packages/patches/python2-CVE-2018-14647.patch b/gnu/packages/patches/python2-CVE-2018-14647.patch
new file mode 100644
index 000000000..6226b06ac
--- /dev/null
+++ b/gnu/packages/patches/python2-CVE-2018-14647.patch
@@ -0,0 +1,61 @@
+Fix CVE-2018-14647:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
+https://bugs.python.org/issue34623
+
+Taken from upstream:
+https://github.com/python/cpython/commit/18b20bad75b4ff0486940fba4ec680e96e70f3a2
+
+diff --git a/Include/pyexpat.h b/Include/pyexpat.h
+index 5340ef5fa3..3fc5fa54da 100644
+--- a/Include/pyexpat.h
++++ b/Include/pyexpat.h
+@@ -3,7 +3,7 @@
+
+ /* note: you must import expat.h before importing this module! */
+
+-#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.0"
++#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.1"
+ #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI"
+
+ struct PyExpat_CAPI
+@@ -43,6 +43,8 @@ struct PyExpat_CAPI
+ XML_Parser parser, XML_UnknownEncodingHandler handler,
+ void *encodingHandlerData);
+ void (*SetUserData)(XML_Parser parser, void *userData);
++ /* might be none for expat < 2.1.0 */
++ int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt);
+ /* always add new stuff to the end! */
+ };
+
+diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c
+index f7f992dd3a..b38e0ab329 100644
+--- a/Modules/_elementtree.c
++++ b/Modules/_elementtree.c
+@@ -2574,6 +2574,11 @@ xmlparser(PyObject* self_, PyObject* args, PyObject* kw)
+ PyErr_NoMemory();
+ return NULL;
+ }
++ /* expat < 2.1.0 has no XML_SetHashSalt() */
++ if (EXPAT(SetHashSalt) != NULL) {
++ EXPAT(SetHashSalt)(self->parser,
++ (unsigned long)_Py_HashSecret.prefix);
++ }
+
+ ALLOC(sizeof(XMLParserObject), "create expatparser");
+
+diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c
+index 2b4d31293c..1f8c0d70a5 100644
+--- a/Modules/pyexpat.c
++++ b/Modules/pyexpat.c
+@@ -2042,6 +2042,11 @@ MODULE_INITFUNC(void)
+ capi.SetProcessingInstructionHandler = XML_SetProcessingInstructionHandler;
+ capi.SetUnknownEncodingHandler = XML_SetUnknownEncodingHandler;
+ capi.SetUserData = XML_SetUserData;
++#if XML_COMBINED_VERSION >= 20100
++ capi.SetHashSalt = XML_SetHashSalt;
++#else
++ capi.SetHashSalt = NULL;
++#endif
+
+ /* export using capsule */
+ capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL);
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index e64193dce..4d9bad9bc 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -148,6 +148,7 @@
(package
(name "python2")
(version "2.7.14")
+ (replacement python-2/fixed)
(source
(origin
(method url-fetch)
@@ -344,6 +345,18 @@ data types.")
;; Current 2.x version.
(define-public python-2 python-2.7)
+(define python-2/fixed
+ (package
+ (inherit python-2)
+ (source (origin
+ (inherit (package-source python-2))
+ (patches (append
+ (origin-patches (package-source python-2))
+ (search-patches "python2-CVE-2018-1060.patch"
+ "python2-CVE-2018-1061.patch"
+ "python2-CVE-2018-14647.patch"
+ "python2-CVE-2018-1000802.patch")))))))
+
(define-public python2-called-python
;; Both 2.x and 3.x used to be called "python". In commit
;; a7714d42de2c3082f3609d1e63c83d703fb39cf9 (March 2018), we renamed the
@@ -482,7 +495,7 @@ data types.")
;; Python (Tk -> libxcb -> Python.)
(define-public python2-minimal
- (package (inherit python-2)
+ (package/inherit python-2
(name "python2-minimal")
(outputs '("out"))
--
2.19.0
[Message part 3 (text/plain, inline)]
WDYT?
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#32877; Package
guix.
(Wed, 10 Oct 2018 19:15:01 GMT)
Full text and
rfc822 format available.
Message #13 received at 32877 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Sat, Oct 06, 2018 at 06:53:36PM +0200, Marius Bakke wrote:
> From 2891a9acb7704c3397ef34fbb520b46936504422 Mon Sep 17 00:00:00 2001
> From: Marius Bakke <mbakke <at> fastmail.com>
> Date: Sat, 6 Oct 2018 18:50:47 +0200
> Subject: [PATCH] gnu: python2: Add upstream security fixes.
>
> This addresses CVE-2018-{1060,1061,14647,1000802}.
>
> * gnu/packages/patches/python2-CVE-2018-1000802.patch,
> gnu/packages/patches/python2-CVE-2018-1060.patch,
> gnu/packages/patches/python2-CVE-2018-1061.patch,
> gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/python.scm (python-2/fixed): New variable.
> (python-2.7)[replacement]: New field.
> (python2-minimal): Use PACKAGE/INHERIT.
Thanks! I did some basic tests and things seem to work.
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#32877; Package
guix.
(Thu, 11 Oct 2018 08:04:02 GMT)
Full text and
rfc822 format available.
Message #16 received at 32877 <at> debbugs.gnu.org (full text, mbox):
Leo Famulari <leo <at> famulari.name> writes:
> On Sat, Oct 06, 2018 at 06:53:36PM +0200, Marius Bakke wrote:
>> From 2891a9acb7704c3397ef34fbb520b46936504422 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <mbakke <at> fastmail.com>
>> Date: Sat, 6 Oct 2018 18:50:47 +0200
>> Subject: [PATCH] gnu: python2: Add upstream security fixes.
>>
>> This addresses CVE-2018-{1060,1061,14647,1000802}.
>>
>> * gnu/packages/patches/python2-CVE-2018-1000802.patch,
>> gnu/packages/patches/python2-CVE-2018-1060.patch,
>> gnu/packages/patches/python2-CVE-2018-1061.patch,
>> gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/python.scm (python-2/fixed): New variable.
>> (python-2.7)[replacement]: New field.
>> (python2-minimal): Use PACKAGE/INHERIT.
>
> Thanks! I did some basic tests and things seem to work.
I added this commit to my private branch a few days ago, along with the
Python-3 CVE-2018-14647 fix (with the added hunk), updated my GuixSD
GNOME 3 system and user profile, and everything seems to be working
well.
I think they are both ready to push to master.
Thank you, Marius!
Mark
Reply sent
to
Marius Bakke <mbakke <at> fastmail.com>:
You have taken responsibility.
(Wed, 17 Oct 2018 18:36:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer.
(Wed, 17 Oct 2018 18:36:02 GMT)
Full text and
rfc822 format available.
Message #21 received at 32877-done <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Mark H Weaver <mhw <at> netris.org> writes:
> Leo Famulari <leo <at> famulari.name> writes:
>
>> On Sat, Oct 06, 2018 at 06:53:36PM +0200, Marius Bakke wrote:
>>> From 2891a9acb7704c3397ef34fbb520b46936504422 Mon Sep 17 00:00:00 2001
>>> From: Marius Bakke <mbakke <at> fastmail.com>
>>> Date: Sat, 6 Oct 2018 18:50:47 +0200
>>> Subject: [PATCH] gnu: python2: Add upstream security fixes.
>>>
>>> This addresses CVE-2018-{1060,1061,14647,1000802}.
>>>
>>> * gnu/packages/patches/python2-CVE-2018-1000802.patch,
>>> gnu/packages/patches/python2-CVE-2018-1060.patch,
>>> gnu/packages/patches/python2-CVE-2018-1061.patch,
>>> gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
>>> * gnu/local.mk (dist_patch_DATA): Register it.
>>> * gnu/packages/python.scm (python-2/fixed): New variable.
>>> (python-2.7)[replacement]: New field.
>>> (python2-minimal): Use PACKAGE/INHERIT.
>>
>> Thanks! I did some basic tests and things seem to work.
>
> I added this commit to my private branch a few days ago, along with the
> Python-3 CVE-2018-14647 fix (with the added hunk), updated my GuixSD
> GNOME 3 system and user profile, and everything seems to be working
> well.
>
> I think they are both ready to push to master.
Hi Mark,
Thank you very much for testing. I've pushed these patches now, sorry
for the delay!
[signature.asc (application/pgp-signature, inline)]
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Thu, 15 Nov 2018 12:24:06 GMT)
Full text and
rfc822 format available.
This bug report was last modified 6 years and 279 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.