From unknown Tue Aug 19 10:01:25 2025
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
Content-Type: text/plain; charset=utf-8
From: bug#32877 <32877@debbugs.gnu.org>
To: bug#32877 <32877@debbugs.gnu.org>
Subject: Status: Python-2 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647
 CVE-2018-1000802
Reply-To: bug#32877 <32877@debbugs.gnu.org>
Date: Tue, 19 Aug 2025 17:01:25 +0000

retitle 32877 Python-2 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647 CVE-2018-=
1000802
reassign 32877 guix
submitter 32877 Leo Famulari <leo@famulari.name>
severity 32877 normal
tag 32877 security

thanks


From debbugs-submit-bounces@debbugs.gnu.org Sat Sep 29 15:18:47 2018
Received: (at submit) by debbugs.gnu.org; 29 Sep 2018 19:18:47 +0000
Received: from localhost ([127.0.0.1]:59159 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1g6KlK-00076r-SI
	for submit@debbugs.gnu.org; Sat, 29 Sep 2018 15:18:47 -0400
Received: from eggs.gnu.org ([208.118.235.92]:38393)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1g6KlI-00076d-RD
 for submit@debbugs.gnu.org; Sat, 29 Sep 2018 15:18:45 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1g6KlC-0002WS-Kf
 for submit@debbugs.gnu.org; Sat, 29 Sep 2018 15:18:39 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=disabled
 version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:50482)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@famulari.name>) id 1g6KlC-0002WG-FU
 for submit@debbugs.gnu.org; Sat, 29 Sep 2018 15:18:38 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:48002)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1g6KlB-0006ik-Kj
 for bug-guix@gnu.org; Sat, 29 Sep 2018 15:18:38 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1g6Kl7-0002Ut-Mo
 for bug-guix@gnu.org; Sat, 29 Sep 2018 15:18:37 -0400
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:37419)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@famulari.name>) id 1g6Kl7-0002UZ-FS
 for bug-guix@gnu.org; Sat, 29 Sep 2018 15:18:33 -0400
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 1CEFE219E6;
 Sat, 29 Sep 2018 15:18:33 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162])
 by compute4.internal (MEProxy); Sat, 29 Sep 2018 15:18:33 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=content-type:date:from:message-id:mime-version:subject:to
 :x-me-sender:x-me-sender:x-sasl-enc; s=mesmtp; bh=pdfrvl7gljCGoQ
 EaYMSNCDP+96iBzD1fHpVaHhpzNMA=; b=sL7KBp2GTw4RtKg+qZD5QxHti3EYP/
 Y4qqLUumYV+nwYYviSczted7QGJsRehfqABYtsTrOn8nGOEF+LCif57AZPp6KTjn
 782Yh6fzl5fsPRN3ceUUYfgcuh1QwBTqfXeQm5G0hMAxG4OExFqOaUuiZJo7uzJa
 rlaQ4wWz+LO5g=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:message-id
 :mime-version:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=
 fm3; bh=pdfrvl7gljCGoQEaYMSNCDP+96iBzD1fHpVaHhpzNMA=; b=umBWw3kL
 UwvjztMnC4LhOz0eN7c5mtyceN9LfA+T7oEGWOoxSXr6RfiHwhblyZkixRCAA8wt
 tIN3EpcXAcF0fH9p7b5nBy93ppM1LBfr5jR11bsoT2B+OoJ/xZiz6QB/TFVEgJnQ
 R0Jls6WFpoA/CY8Nc/mCZAH347a8ZFGQ3J3gBa315Wij5LSTVyI4m1aFwVnUXPTr
 iHhpCtQzaWU9ASBLbBYzOa9fsPXrszRGx01XGbEqDiWGiLO+gEHJenSVaAXeiqpz
 3kwb9p4mCRO0PFKElGjWPDmy9XX9kQ/bwpQ2Wofe6fjBiTjoFvcu1A3gt005+8Yk
 oqfw9G4O4Fth/w==
X-ME-Proxy: <xmx:BtCvW0bDNnab3kodETENNX6jl8pIrZQv1KjY8sC5khj4u4MKMkuo8A>
 <xmx:BtCvW6IZdpmZXbzndOUZwlJo36mVwxpCsE_9nqsb7IHy793DPzYPFQ>
 <xmx:BtCvW91FS5yQv4Eu6AWJ3W-9Z7myG0UAeQ7W3CN9sQ26mZz_oosKjw>
 <xmx:BtCvW1am1daNtA_8Gc2Wba3Ik6YrzGcgCXT8JeuzbK3vKb3lFRO6wg>
 <xmx:BtCvWwVe2yUKYFmVeni8j6gqyoVr5xdR6BWcEK6aKFUxCH2ohBi3SQ>
 <xmx:CdCvWzmecAiVeeLR7gQUu8zu6c7kYxIDuUQSeKuPAvtY40y5aNVF2g>
X-ME-Sender: <xms:BtCvW_sfra-qdEWwFvFe4AbrFD393UghbCBTmL-IW4W6qwO8o1cLRg>
Received: from localhost (50-207-9-203-static.hfc.comcastbusiness.net
 [50.207.9.203])
 by mail.messagingengine.com (Postfix) with ESMTPA id DB5E9E47C0
 for <bug-guix@gnu.org>; Sat, 29 Sep 2018 15:18:29 -0400 (EDT)
Date: Sat, 29 Sep 2018 15:18:27 -0400
From: Leo Famulari <leo@famulari.name>
To: bug-guix@gnu.org
Subject: Python-2 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647 CVE-2018-1000802
Message-ID: <20180929191827.GA17619@jasmine.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="rwEMma7ioTxnRzrJ"
Content-Disposition: inline
User-Agent: Mutt/1.10.1 (2018-07-13)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.1 (----)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -5.1 (-----)


--rwEMma7ioTxnRzrJ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Here are some bugs that apply to our Python 2.7.14 package.

CVE-2018-1060 (fixed upstream in Python 2.7.15):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060

CVE-2018-1061 (fixed upstream in Python 2.7.15):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061

CVE-2018-14647 (fixed in unreleased CPython commit
18b20bad75b4ff0486940fba4ec680e96e70f3a2):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647

CVE-2018-1000802 (fixed in unreleased CPython commit
d8b103b8b3ef9644805341216963a64098642435):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802

--rwEMma7ioTxnRzrJ
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAluvz/8ACgkQJkb6MLrK
fwg3/A/+K3kU1Npbdnz751GugCsCuwuDMXmy0vwtKZ+uHtHiF3Z5vgGFOeAxaagl
JlV8vUf4zVcBfdX5tlZEga7rBNNvpmU5xAT3stb/jG0LqMtTiRmIG0XIRgZ3L8JA
f0DVwObTtLcFXnvSYfqSyrRtBg1XMvWGE5hbHKurloR2Au7zitzwhAzQWEXaOt4r
iImjtEpEmi30E6l2jJC3OE12zmmPR6pEUlakyo3gphCCiIDXfxUTX/yAX+ml/yKo
l7s3/O4AoQiPIrH8dqzC3oq8vxnyPZklr0ydcz2XWmc1qMCWBWDuW4A+SFYAVbEu
KvaXccFaQ02Kh9VcBGO+kmc9QmBgnciF7UDM9N1vRdTXB+pZFWpGZ9y4sOhq3iNU
lgPB6pGTE70IJ+Qh3s2lckkzJ70YBQFDg7bhpRGbujMTaBbMk/vcKXU0zQ0O/T3D
5O+vrKJVgPOitV07rF9M6i/01mDJzHBwsPoOMq4Y9hu5Adr/Ede5i5KAq/lXLHtr
qur4g9q4W863RAvdO8Dqkf/Zp36p86oj35Dno5/KXYFQaIGyTmTU67SUqWRSDgZc
dwkR6snT97bxiK7U61kT/CfcmXphBamU0ObrjU/cVTgWjS3UC9lmd2miGg42Q1c+
95QGsVq3sCB5Y8YA4SKC83TRJTOlr9yvROdWfQnDpu+y1i6z9iQ=
=eaCa
-----END PGP SIGNATURE-----

--rwEMma7ioTxnRzrJ--




From debbugs-submit-bounces@debbugs.gnu.org Wed Oct 03 16:56:59 2018
Received: (at control) by debbugs.gnu.org; 3 Oct 2018 20:56:59 +0000
Received: from localhost ([127.0.0.1]:36143 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1g7oCY-0004iO-Sb
	for submit@debbugs.gnu.org; Wed, 03 Oct 2018 16:56:59 -0400
Received: from eggs.gnu.org ([208.118.235.92]:54460)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@gnu.org>) id 1g7oCY-0004hy-1N
 for control@debbugs.gnu.org; Wed, 03 Oct 2018 16:56:58 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <ludo@gnu.org>) id 1g7oCR-0001wx-GZ
 for control@debbugs.gnu.org; Wed, 03 Oct 2018 16:56:52 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=disabled
 version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:53787)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <ludo@gnu.org>)
 id 1g7oCR-0001we-A8
 for control@debbugs.gnu.org; Wed, 03 Oct 2018 16:56:51 -0400
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=34152 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@gnu.org>) id 1g7oCR-0000E5-0X
 for control@debbugs.gnu.org; Wed, 03 Oct 2018 16:56:51 -0400
Date: Wed, 03 Oct 2018 22:56:50 +0200
Message-Id: <87h8i2lpf1.fsf@gnu.org>
To: control@debbugs.gnu.org
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: control message for bug #32877
MIME-version: 1.0
Content-type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: control
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -6.0 (------)

tags 32877 security




From debbugs-submit-bounces@debbugs.gnu.org Sat Oct 06 12:53:48 2018
Received: (at 32877) by debbugs.gnu.org; 6 Oct 2018 16:53:48 +0000
Received: from localhost ([127.0.0.1]:38793 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1g8ppl-00085X-Uk
	for submit@debbugs.gnu.org; Sat, 06 Oct 2018 12:53:48 -0400
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:51067)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mbakke@fastmail.com>) id 1g8ppj-00085P-Lr
 for 32877@debbugs.gnu.org; Sat, 06 Oct 2018 12:53:40 -0400
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
 by mailout.nyi.internal (Postfix) with ESMTP id 61CBC21E32;
 Sat,  6 Oct 2018 12:53:39 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163])
 by compute5.internal (MEProxy); Sat, 06 Oct 2018 12:53:39 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.com; h=
 from:to:subject:in-reply-to:references:date:message-id
 :mime-version:content-type; s=fm1; bh=d80b7LKEr45aAuQ6Qe40UkD6zm
 HBMRKzXZ2+2nVkgnY=; b=MBRsGL/nyb80Ds0uzm+p8JD0xS67xk8Y/4S14k49Ll
 sOG6mbIJCi7S7DWFxG2+jCjsJSBJ95WAXa4/Lt5huxwG1KID7shkkmcgtVn/lwpJ
 Cy6z8ViUOoZatr09EAlHKu1gZKwioZI9KmSofzBAAV38qDaFt76W9UAkEKDr6G0z
 qszsU1p00UShSgNLIR+nX9HOYyR1pjD+5t1uL2OVi8jqFMWZj4be0XGDG/H7gnVj
 E4AvwH4+9yL8uJWHFHwCCiMoXnnPS/er0cg6/Ni11zB//maVbPu0hLldHn4hcmhm
 UWLQX7Ap721CQbGlCvC8CbigBsrtbmBPPMeIo9JnQp4g==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-proxy
 :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=d80b7L
 KEr45aAuQ6Qe40UkD6zmHBMRKzXZ2+2nVkgnY=; b=gGrgCJDqXt5wuPbJsbKcRX
 yBwzr0vE+BfkO6i1GHJdut32Y50ufQwCtpMrb6HiMFaUanwPqnGQiLrGsGBRmjfa
 6BbKhmdCWvhkOiP9zuXU7a5YiON22SIWuxN7jHyyOaEgr3vfpyOfbAAUs1hbVcM8
 rskdXdDZXoKV0atjDCaVaDVUmQ5Pah98vIod2K/0AbN7SEHgi98Ieu4RSQYoOiHA
 qba9jJ8YmTpetYnSzJfwyKEqw9HrM6Oqt4xjhT1e0CAITsY4lGS0AdHN8YitS7lK
 BZsJGW0R7xSrL4fpDex97FPxfQpLxDvMHDrWU3/U3jf2tH+GPM8UJSeQBWIyJHBw
 ==
X-ME-Sender: <xms:k-i4W1EcGdumiUKmNYcEXqs6JSnZCEDB_qWTl6HpwazAW-9BRbxwkQ>
X-ME-Proxy: <xmx:k-i4W0amlS19lLgXd6k3goL2PznQSvvB5RrMWyeCQkkemBh4N6xcNA>
 <xmx:k-i4W_ml6wyNLIfrG3ZZA_bOc_Tl_AYgeLvaowWIrTc8hpJZLww4-Q>
 <xmx:k-i4Wwyq2U7miUUYXY_MLMzqPoXQxjtM4pcDsuVH-wNw49TfLEoUhA>
 <xmx:k-i4W9OsSjYPLdhWBm4YIuQj_G8PaJA0xTsnQkUe8cfr5fqVbaJL4g>
 <xmx:k-i4W0QTLR89gW96r0Yr0sq6aZAiIZ-l7AugXZd8f7qSHiI5b4q3XA>
 <xmx:k-i4W6cpuHK4r6z3jCD-HBbE6hmW0BnpDE1nLmR9oJBhFlpQL7ScqA>
Received: from localhost (140.226.16.62.customer.cdi.no [62.16.226.140])
 by mail.messagingengine.com (Postfix) with ESMTPA id 9BD2B102E7;
 Sat,  6 Oct 2018 12:53:38 -0400 (EDT)
From: Marius Bakke <mbakke@fastmail.com>
To: Leo Famulari <leo@famulari.name>, 32877@debbugs.gnu.org
Subject: Re: bug#32877: Python-2 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647
 CVE-2018-1000802
In-Reply-To: <20180929191827.GA17619@jasmine.lan>
References: <20180929191827.GA17619@jasmine.lan>
User-Agent: Notmuch/0.27 (https://notmuchmail.org) Emacs/26.1
 (x86_64-pc-linux-gnu)
Date: Sat, 06 Oct 2018 18:53:36 +0200
Message-ID: <87in2fhv8v.fsf@fastmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 32877
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

--==-=-=
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=
Content-Type: text/plain

Leo Famulari <leo@famulari.name> writes:

> Here are some bugs that apply to our Python 2.7.14 package.
>
> CVE-2018-1060 (fixed upstream in Python 2.7.15):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060
>
> CVE-2018-1061 (fixed upstream in Python 2.7.15):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061
>
> CVE-2018-14647 (fixed in unreleased CPython commit
> 18b20bad75b4ff0486940fba4ec680e96e70f3a2):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
>
> CVE-2018-1000802 (fixed in unreleased CPython commit
> d8b103b8b3ef9644805341216963a64098642435):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802

Here is a patch that should fix these:


--=-=-=
Content-Type: text/x-patch
Content-Disposition: inline;
 filename=0001-gnu-python2-Add-upstream-security-fixes.patch
Content-Transfer-Encoding: quoted-printable

From=202891a9acb7704c3397ef34fbb520b46936504422 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Sat, 6 Oct 2018 18:50:47 +0200
Subject: [PATCH] gnu: python2: Add upstream security fixes.

This addresses CVE-2018-{1060,1061,14647,1000802}.

* gnu/packages/patches/python2-CVE-2018-1000802.patch,
gnu/packages/patches/python2-CVE-2018-1060.patch,
gnu/packages/patches/python2-CVE-2018-1061.patch,
gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/python.scm (python-2/fixed): New variable.
(python-2.7)[replacement]: New field.
(python2-minimal): Use PACKAGE/INHERIT.
=2D--
 gnu/local.mk                                  |  4 ++
 .../patches/python2-CVE-2018-1000802.patch    | 47 ++++++++++++++
 .../patches/python2-CVE-2018-1060.patch       | 20 ++++++
 .../patches/python2-CVE-2018-1061.patch       | 20 ++++++
 .../patches/python2-CVE-2018-14647.patch      | 61 +++++++++++++++++++
 gnu/packages/python.scm                       | 15 ++++-
 6 files changed, 166 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/python2-CVE-2018-1000802.patch
 create mode 100644 gnu/packages/patches/python2-CVE-2018-1060.patch
 create mode 100644 gnu/packages/patches/python2-CVE-2018-1061.patch
 create mode 100644 gnu/packages/patches/python2-CVE-2018-14647.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index df16f85db..e77f21db5 100644
=2D-- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1067,6 +1067,10 @@ dist_patch_DATA =3D						\
   %D%/packages/patches/pygpgme-disable-problematic-tests.patch  \
   %D%/packages/patches/pyqt-configure.patch			\
   %D%/packages/patches/pyqt-public-sip.patch			\
+  %D%/packages/patches/python2-CVE-2018-1060.patch		\
+  %D%/packages/patches/python2-CVE-2018-1061.patch		\
+  %D%/packages/patches/python2-CVE-2018-14647.patch		\
+  %D%/packages/patches/python2-CVE-2018-1000802.patch		\
   %D%/packages/patches/python-2-deterministic-build-info.patch	\
   %D%/packages/patches/python-2.7-adjust-tests.patch		\
   %D%/packages/patches/python-2.7-search-paths.patch		\
diff --git a/gnu/packages/patches/python2-CVE-2018-1000802.patch b/gnu/pack=
ages/patches/python2-CVE-2018-1000802.patch
new file mode 100644
index 000000000..0d5bc77c8
=2D-- /dev/null
+++ b/gnu/packages/patches/python2-CVE-2018-1000802.patch
@@ -0,0 +1,47 @@
+Fix CVE-2018-1000802:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-1000802
+
+Taken from upstream commit (sans NEWS):
+https://github.com/python/cpython/commit/d8b103b8b3ef9644805341216963a6409=
8642435
+
+diff --git a/Lib/shutil.py b/Lib/shutil.py
+index 3462f7c5e9..0ab1a06f52 100644
+--- a/Lib/shutil.py
++++ b/Lib/shutil.py
+@@ -413,17 +413,21 @@ def _make_tarball(base_name, base_dir, compress=3D"g=
zip", verbose=3D0, dry_run=3D0,
+=20
+     return archive_name
+=20
+-def _call_external_zip(base_dir, zip_filename, verbose=3DFalse, dry_run=
=3DFalse):
++def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger):
+     # XXX see if we want to keep an external call here
+     if verbose:
+         zipoptions =3D "-r"
+     else:
+         zipoptions =3D "-rq"
+-    from distutils.errors import DistutilsExecError
+-    from distutils.spawn import spawn
++    cmd =3D ["zip", zipoptions, zip_filename, base_dir]
++    if logger is not None:
++        logger.info(' '.join(cmd))
++    if dry_run:
++        return
++    import subprocess
+     try:
+-        spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=3Ddry_=
run)
+-    except DistutilsExecError:
++        subprocess.check_call(cmd)
++    except subprocess.CalledProcessError:
+         # XXX really should distinguish between "couldn't find
+         # external 'zip' command" and "zip failed".
+         raise ExecError, \
+@@ -458,7 +462,7 @@ def _make_zipfile(base_name, base_dir, verbose=3D0, dr=
y_run=3D0, logger=3DNone):
+         zipfile =3D None
+=20
+     if zipfile is None:
+-        _call_external_zip(base_dir, zip_filename, verbose, dry_run)
++        _call_external_zip(base_dir, zip_filename, verbose, dry_run, logg=
er)
+     else:
+         if logger is not None:
+             logger.info("creating '%s' and adding '%s' to it",
diff --git a/gnu/packages/patches/python2-CVE-2018-1060.patch b/gnu/package=
s/patches/python2-CVE-2018-1060.patch
new file mode 100644
index 000000000..5eb7ccfbc
=2D-- /dev/null
+++ b/gnu/packages/patches/python2-CVE-2018-1060.patch
@@ -0,0 +1,20 @@
+Fix CVE-2018-1060:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-1060
+
+Taken from upstream commit (sans test and NEWS):
+https://github.com/python/cpython/commit/e052d40cea15f582b50947f7d906b3974=
4dc62a2
+
+diff --git a/Lib/poplib.py b/Lib/poplib.py
+index b91e5f72d2ca..a238510b38fc 100644
+--- a/Lib/poplib.py
++++ b/Lib/poplib.py
+@@ -274,7 +274,7 @@ def rpop(self, user):
+         return self._shortcmd('RPOP %s' % user)
+=20
+=20
+-    timestamp =3D re.compile(r'\+OK.*(<[^>]+>)')
++    timestamp =3D re.compile(br'\+OK.[^<]*(<.*>)')
+=20
+     def apop(self, user, secret):
+         """Authorisation
+
diff --git a/gnu/packages/patches/python2-CVE-2018-1061.patch b/gnu/package=
s/patches/python2-CVE-2018-1061.patch
new file mode 100644
index 000000000..6caab24b4
=2D-- /dev/null
+++ b/gnu/packages/patches/python2-CVE-2018-1061.patch
@@ -0,0 +1,20 @@
+Fix CVE-2018-1061:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-1061
+
+Taken from upstream commit (sans test and NEWS):
+https://github.com/python/cpython/commit/e052d40cea15f582b50947f7d906b3974=
4dc62a2
+
+diff --git a/Lib/difflib.py b/Lib/difflib.py
+index 1c6fbdbedcb7..788a92df3f89 100644
+--- a/Lib/difflib.py
++++ b/Lib/difflib.py
+@@ -1103,7 +1103,7 @@ def _qformat(self, aline, bline, atags, btags):
+=20
+ import re
+=20
+-def IS_LINE_JUNK(line, pat=3Dre.compile(r"\s*#?\s*$").match):
++def IS_LINE_JUNK(line, pat=3Dre.compile(r"\s*(?:#\s*)?$").match):
+     r"""
+     Return 1 for ignorable line: iff `line` is blank or contains a single=
 '#'.
+
diff --git a/gnu/packages/patches/python2-CVE-2018-14647.patch b/gnu/packag=
es/patches/python2-CVE-2018-14647.patch
new file mode 100644
index 000000000..6226b06ac
=2D-- /dev/null
+++ b/gnu/packages/patches/python2-CVE-2018-14647.patch
@@ -0,0 +1,61 @@
+Fix CVE-2018-14647:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-14647
+https://bugs.python.org/issue34623
+
+Taken from upstream:
+https://github.com/python/cpython/commit/18b20bad75b4ff0486940fba4ec680e96=
e70f3a2
+
+diff --git a/Include/pyexpat.h b/Include/pyexpat.h
+index 5340ef5fa3..3fc5fa54da 100644
+--- a/Include/pyexpat.h
++++ b/Include/pyexpat.h
+@@ -3,7 +3,7 @@
+=20
+ /* note: you must import expat.h before importing this module! */
+=20
+-#define PyExpat_CAPI_MAGIC  "pyexpat.expat_CAPI 1.0"
++#define PyExpat_CAPI_MAGIC  "pyexpat.expat_CAPI 1.1"
+ #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI"
+=20
+ struct PyExpat_CAPI=20
+@@ -43,6 +43,8 @@ struct PyExpat_CAPI
+         XML_Parser parser, XML_UnknownEncodingHandler handler,
+         void *encodingHandlerData);
+     void (*SetUserData)(XML_Parser parser, void *userData);
++    /* might be none for expat < 2.1.0 */
++    int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt);
+     /* always add new stuff to the end! */
+ };
+=20
+diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c
+index f7f992dd3a..b38e0ab329 100644
+--- a/Modules/_elementtree.c
++++ b/Modules/_elementtree.c
+@@ -2574,6 +2574,11 @@ xmlparser(PyObject* self_, PyObject* args, PyObject=
* kw)
+         PyErr_NoMemory();
+         return NULL;
+     }
++    /* expat < 2.1.0 has no XML_SetHashSalt() */
++    if (EXPAT(SetHashSalt) !=3D NULL) {
++        EXPAT(SetHashSalt)(self->parser,
++                           (unsigned long)_Py_HashSecret.prefix);
++    }
+=20
+     ALLOC(sizeof(XMLParserObject), "create expatparser");
+=20
+diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c
+index 2b4d31293c..1f8c0d70a5 100644
+--- a/Modules/pyexpat.c
++++ b/Modules/pyexpat.c
+@@ -2042,6 +2042,11 @@ MODULE_INITFUNC(void)
+     capi.SetProcessingInstructionHandler =3D XML_SetProcessingInstruction=
Handler;
+     capi.SetUnknownEncodingHandler =3D XML_SetUnknownEncodingHandler;
+     capi.SetUserData =3D XML_SetUserData;
++#if XML_COMBINED_VERSION >=3D 20100
++    capi.SetHashSalt =3D XML_SetHashSalt;
++#else
++    capi.SetHashSalt =3D NULL;
++#endif
+=20
+     /* export using capsule */
+     capi_object =3D PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL);
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index e64193dce..4d9bad9bc 100644
=2D-- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -148,6 +148,7 @@
   (package
     (name "python2")
     (version "2.7.14")
+    (replacement python-2/fixed)
     (source
      (origin
       (method url-fetch)
@@ -344,6 +345,18 @@ data types.")
 ;; Current 2.x version.
 (define-public python-2 python-2.7)
=20
+(define python-2/fixed
+  (package
+    (inherit python-2)
+    (source (origin
+              (inherit (package-source python-2))
+              (patches (append
+                        (origin-patches (package-source python-2))
+                        (search-patches "python2-CVE-2018-1060.patch"
+                                        "python2-CVE-2018-1061.patch"
+                                        "python2-CVE-2018-14647.patch"
+                                        "python2-CVE-2018-1000802.patch"))=
)))))
+
 (define-public python2-called-python
   ;; Both 2.x and 3.x used to be called "python".  In commit
   ;; a7714d42de2c3082f3609d1e63c83d703fb39cf9 (March 2018), we renamed the
@@ -482,7 +495,7 @@ data types.")
 ;; Python (Tk -> libxcb -> Python.)
=20
 (define-public python2-minimal
=2D  (package (inherit python-2)
+  (package/inherit python-2
     (name "python2-minimal")
     (outputs '("out"))
=20
=2D-=20
2.19.0


--=-=-=
Content-Type: text/plain


WDYT?

--=-=-=--

--==-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlu46JAACgkQoqBt8qM6
VPqwgQgAqL46w9GCNQFM3SdVVLUkg6MUdk1fLAKXyoEi03dG85lRUEiEZcQvAJnW
dGSe/JU6vr2TsR11HXFrBfOPDWpf1O3ISDF/DmKaZUwhJLuVW5dRWQYkI8uCzNHJ
tkQ/NMzq0lz9jN0oRzb+XAcoKs8xupEyTWY+lEasqBKmsoxnHHAz/AGqkKVBwm9q
ZyAkEK7Kzc04mT5YRzw2T6vdxptOWylMDIR1wfgXdTO6ZxjD+L4BHTeRPySlvjVa
3WvlhWPqkdDtWzeG5OHJ8LB9d6yAjN/9asKyl4s6s8Jsx2PQd5FphcLPcbqxbu2p
Be2njDvE+Q/W5Sa5VFjiLaaCwwMGnA==
=m+AH
-----END PGP SIGNATURE-----
--==-=-=--




From debbugs-submit-bounces@debbugs.gnu.org Wed Oct 10 15:14:33 2018
Received: (at 32877) by debbugs.gnu.org; 10 Oct 2018 19:14:33 +0000
Received: from localhost ([127.0.0.1]:43857 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1gAJwH-0007OG-F8
	for submit@debbugs.gnu.org; Wed, 10 Oct 2018 15:14:33 -0400
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:44345)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1gAJwE-0007O8-Sn
 for 32877@debbugs.gnu.org; Wed, 10 Oct 2018 15:14:32 -0400
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id A98FE21964;
 Wed, 10 Oct 2018 15:14:30 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163])
 by compute4.internal (MEProxy); Wed, 10 Oct 2018 15:14:30 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=date:from:to:cc:subject:message-id:references:mime-version
 :content-type:in-reply-to; s=mesmtp; bh=v/hnIMEUxDH2ojVnRdAMbiNU
 +k31FMU7dLQstIPwG0w=; b=utb2KomaCvSNwKLKR94iBmFvB1a1ZNSZXzXAfxeS
 jQenxaAm3dyMGCGba80Ufsmruj1LxYV1tpy49WnItM4SGrCPdUrGP0AXjlRtp8Oy
 VOoC6YbHQS/ANeIraWz96iWIEEY8EVWfZIrtoAAB43/zwkHXhna3C5VfEFTKvrGK
 qLI=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-proxy
 :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=v/hnIM
 EUxDH2ojVnRdAMbiNU+k31FMU7dLQstIPwG0w=; b=LRxCz36B5VfAauw/tGuoKT
 U/tr+NzJz+CQ6IpwqI8ULfuvdXfkTqpa3YuNLerk3hk5n99ExR3T9PPX+HeG9mjw
 gmE7/MxjDs8pvlz80pvNUZXQHbVSNvSHz6YCWOp86se+/YB1F6DMY/hbpYTBW/CT
 JvnMFu0qdIqMIz9Ij9l7+8+wMJRgZv5FfVSEidIFnN0amiH8+oD9Vd8uGT1iG8pe
 O82YVLJm2QUv0vwCnAfkSGD5jhB6B3PrErGimCLSlC+tubcA/bhBthvATkD5iV2e
 4eQtMgqA9zM5XXmqDpIxqDD9M625J0zhHdb9DLZtXJKKW+TNxEV8HBkVeOihWTiQ
 ==
X-ME-Sender: <xms:k0--Wyboxsim7bblar8qnJs-gx0Yn_LdzIpJf-udOJLOPC3hd-8OdA>
X-ME-Proxy: <xmx:k0--WwZLtqSJz6jlOtj8q3PDEhVyhIgf7qjp-vWkvAHKkTFAFjGMlw>
 <xmx:k0--W5WeZ26j0fA9uSnxZlOKS8Qk0ZT7x9kko7MymEKK3O6zs2Q82w>
 <xmx:k0--WyjhumsvSh7fQQYaOeTjqkEFb2enSqEoWZ8CsWXL8V7d-VrPvw>
 <xmx:k0--W3W5U6PUWLqFMR2v8zqE1oTAZqP-FiRS6vUyHcfQfIfntSu-Jw>
 <xmx:k0--W5PHtQwiXOyJb-kSoxPWHGtFg-6-_DsnW4gvM-JoniSyfnLydQ>
 <xmx:lk--W-7jVTsDE0tNNx1dicwgupPpvl1G7PnWtdMgvTs1KlAnPcVJVw>
Received: from localhost (unknown [172.58.201.64])
 by mail.messagingengine.com (Postfix) with ESMTPA id 1F231102F3;
 Wed, 10 Oct 2018 15:14:27 -0400 (EDT)
Date: Wed, 10 Oct 2018 15:14:25 -0400
From: Leo Famulari <leo@famulari.name>
To: Marius Bakke <mbakke@fastmail.com>
Subject: Re: bug#32877: Python-2 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647
 CVE-2018-1000802
Message-ID: <20181010191425.GA22832@jasmine.lan>
References: <20180929191827.GA17619@jasmine.lan> <87in2fhv8v.fsf@fastmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="gBBFr7Ir9EOA20Yy"
Content-Disposition: inline
In-Reply-To: <87in2fhv8v.fsf@fastmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 32877
Cc: 32877@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.7 (-)


--gBBFr7Ir9EOA20Yy
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Oct 06, 2018 at 06:53:36PM +0200, Marius Bakke wrote:
> From 2891a9acb7704c3397ef34fbb520b46936504422 Mon Sep 17 00:00:00 2001
> From: Marius Bakke <mbakke@fastmail.com>
> Date: Sat, 6 Oct 2018 18:50:47 +0200
> Subject: [PATCH] gnu: python2: Add upstream security fixes.
>=20
> This addresses CVE-2018-{1060,1061,14647,1000802}.
>=20
> * gnu/packages/patches/python2-CVE-2018-1000802.patch,
> gnu/packages/patches/python2-CVE-2018-1060.patch,
> gnu/packages/patches/python2-CVE-2018-1061.patch,
> gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/python.scm (python-2/fixed): New variable.
> (python-2.7)[replacement]: New field.
> (python2-minimal): Use PACKAGE/INHERIT.

Thanks! I did some basic tests and things seem to work.

--gBBFr7Ir9EOA20Yy
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlu+T44ACgkQJkb6MLrK
fwhdoA//Qv6eKfCl4lRaKkeuE9Jr56xtFAk72D5jxDh+ARJKUuJl8Re93hEIr8JW
Jrw20qLMq3LY/2fqkCt8A2OqTwVnlHSKszGZzaSKKGTcp9BgA/H/8dX1epQYxS7e
pVSroAmNi2zFPKHt6EDZmxJjXZMehC1H7f1WXxvo1wk9LDoSw6cEYOCf8eDtwMqU
gc/AgIpy5BMQPc4Gn16b/4QZIH0oW2h0c3jzEOVMkwLTQjjRGhISNMtfKL+RERSL
PI+iJ+v/xvjPCk6zFekeDiYoMszVAFGRqkzAqMDy0k2EK4kMxyDGthHdmX0vugyI
n9fV4BHb35H+tJiQxbh5u8UkH2iukJtRDnwFiq3T6fUlpVw+JV8I0wppBR/E1aPw
1ltvm7b4LeTDNdnMLTeBTNRQQeq9WcQ5kTY8XiBcAiQ1FzGq8SmPLDgnJxITm8Az
zBOEVhmkY84ZFWisVrEMvgoE/XALonJSTxOCCVEFJ6p5sqqLMEgHT8azkvC6FzjX
1zxf3MzAxPkOYy7OHASyiqmAEhcouOsOQ0yqtJVl8D9gvQEM/9eh1oyFlXy+jDlm
a898P/YrTAr/XLikvjWl7rT9OsBbfI8WEroi+Ywg9WNxic7DSeDodae9OiZfL65X
gjOQhqaaWTru8OCyAmhnreOf49LhSY7VR6N5R5bp5lel4ZGjz4I=
=KN0+
-----END PGP SIGNATURE-----

--gBBFr7Ir9EOA20Yy--




From debbugs-submit-bounces@debbugs.gnu.org Thu Oct 11 04:03:46 2018
Received: (at 32877) by debbugs.gnu.org; 11 Oct 2018 08:03:46 +0000
Received: from localhost ([127.0.0.1]:44110 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1gAVwg-0006yk-1m
	for submit@debbugs.gnu.org; Thu, 11 Oct 2018 04:03:46 -0400
Received: from world.peace.net ([64.112.178.59]:34692)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mhw@netris.org>) id 1gAVwc-0006yR-E8
 for 32877@debbugs.gnu.org; Thu, 11 Oct 2018 04:03:45 -0400
Received: from mhw by world.peace.net with esmtpsa
 (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89)
 (envelope-from <mhw@netris.org>)
 id 1gAVwW-0001uc-BR; Thu, 11 Oct 2018 04:03:36 -0400
From: Mark H Weaver <mhw@netris.org>
To: Leo Famulari <leo@famulari.name>
Subject: Re: bug#32877: Python-2 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647
 CVE-2018-1000802
References: <20180929191827.GA17619@jasmine.lan> <87in2fhv8v.fsf@fastmail.com>
 <20181010191425.GA22832@jasmine.lan>
Date: Thu, 11 Oct 2018 04:03:22 -0400
In-Reply-To: <20181010191425.GA22832@jasmine.lan> (Leo Famulari's message of
 "Wed, 10 Oct 2018 15:14:25 -0400")
Message-ID: <87o9c0ykol.fsf@netris.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 32877
Cc: Marius Bakke <mbakke@fastmail.com>, 32877@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Leo Famulari <leo@famulari.name> writes:

> On Sat, Oct 06, 2018 at 06:53:36PM +0200, Marius Bakke wrote:
>> From 2891a9acb7704c3397ef34fbb520b46936504422 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <mbakke@fastmail.com>
>> Date: Sat, 6 Oct 2018 18:50:47 +0200
>> Subject: [PATCH] gnu: python2: Add upstream security fixes.
>> 
>> This addresses CVE-2018-{1060,1061,14647,1000802}.
>> 
>> * gnu/packages/patches/python2-CVE-2018-1000802.patch,
>> gnu/packages/patches/python2-CVE-2018-1060.patch,
>> gnu/packages/patches/python2-CVE-2018-1061.patch,
>> gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/python.scm (python-2/fixed): New variable.
>> (python-2.7)[replacement]: New field.
>> (python2-minimal): Use PACKAGE/INHERIT.
>
> Thanks! I did some basic tests and things seem to work.

I added this commit to my private branch a few days ago, along with the
Python-3 CVE-2018-14647 fix (with the added hunk), updated my GuixSD
GNOME 3 system and user profile, and everything seems to be working
well.

I think they are both ready to push to master.

Thank you, Marius!

       Mark




From debbugs-submit-bounces@debbugs.gnu.org Wed Oct 17 14:35:56 2018
Received: (at 32877-done) by debbugs.gnu.org; 17 Oct 2018 18:35:56 +0000
Received: from localhost ([127.0.0.1]:55620 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1gCqfk-0001U1-Cq
	for submit@debbugs.gnu.org; Wed, 17 Oct 2018 14:35:56 -0400
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:59651)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mbakke@fastmail.com>) id 1gCqfh-0001Ts-SS
 for 32877-done@debbugs.gnu.org; Wed, 17 Oct 2018 14:35:54 -0400
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
 by mailout.nyi.internal (Postfix) with ESMTP id 7B04D220A5;
 Wed, 17 Oct 2018 14:35:53 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162])
 by compute5.internal (MEProxy); Wed, 17 Oct 2018 14:35:53 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.com; h=
 from:to:cc:subject:in-reply-to:references:date:message-id
 :mime-version:content-type; s=fm1; bh=y4XG6LcbHSXJZJogR7j3zL3BYw
 onWczfLM2R2w/859U=; b=jNtPm0CbChX/3STcX+mhY7a2oU9jg0iHVN1deu7Iif
 QZX5V7QhxSjOvmI7mksKzAdC/MzHQ65cz//G/y1eKVRdcVJF3hN3w/kdd64yDneS
 E93q2GjNiv7MNtNaY0US4xhW/b/foQ7nHt1Ral6cIFBD+ZuA6D2Kj7TTNsL5w/+X
 lIyG0BxBhKSQOeW9iiQxVN0EavXK87aERz8sQpZGpSDDCEXj7m0Q2XsHeZ03mHfj
 ghJdPutek9pdVkPbSj+oU4iKB5wmMsqfkvYFapVnZF+E9S48lH28PYTSZHnhl3Yd
 BqofNFgAVNHK5i9JMG7VwW1wDxI35pKBvjr5RMENF9Bw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-proxy
 :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=y4XG6L
 cbHSXJZJogR7j3zL3BYwonWczfLM2R2w/859U=; b=R35EgJJkoCdGdVCG/9fVjk
 0YrOpiajQKciI1Ywi5brOze9vl8tA6bb7mevpUHn542wzishYPPrhfquFqgD1rQN
 xtMsyWrHMYkB31wr40+FZOZj+AeIois5Cl9apVFN+/H5R3cOTBuG4kCrTbXfXQ0P
 ddGKyh7FUGy4pvUEyFdbyfT7TL9iAJwFERRzAV0BY+Xtt1196mjkfdoMOurH6RR/
 v9sZP3zE9JLZ55h/XxfzYrNKLA7mQflM5LuHM/elWlKKSMQV99Qs31Io0wp7IPRr
 RhqOa1jLJ7DM+qrmdcdyOc2RASSxB7R15ZJFPUWDGhGLo8KZupNsnQMx69KLq9eg
 ==
X-ME-Sender: <xms:B4HHW3mIQQP-lJ1qSgnoyiEFX0EC2cLal14kKYI7MAep6USj6PbCLg>
X-ME-Proxy: <xmx:B4HHW9TO6Ldri-QVx5zDAy-JjaW72Jb8Z1p0Gq9CisVWGqFyJfvecg>
 <xmx:B4HHW5YRPM95Knz5OyCXAOuXepe5Th-D1pyHE-OBbUDmV_EodmkGaA>
 <xmx:B4HHW3ES5AAjyGKR4Bch0511GAtr6ZdOgo8T8NyO-hkIGKFiqoFckw>
 <xmx:B4HHWwa1hykwieKSJte89SF4ms5WXiiRU3ti9KqN1xE9lxSzpPeTGA>
 <xmx:B4HHW13GM-T9gTOM_ZYhvmwunLMBg0fDv_kIoUBfecTv4bUrI3MTCw>
 <xmx:CYHHW-dWS90qJsIbS3_CDVOWY4k9-cb8WkmUf-4P_0tg5jAsbCWFjg>
Received: from localhost (140.226.16.62.customer.cdi.no [62.16.226.140])
 by mail.messagingengine.com (Postfix) with ESMTPA id 1CD10E421C;
 Wed, 17 Oct 2018 14:35:50 -0400 (EDT)
From: Marius Bakke <mbakke@fastmail.com>
To: Mark H Weaver <mhw@netris.org>, Leo Famulari <leo@famulari.name>
Subject: Re: bug#32877: Python-2 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647
 CVE-2018-1000802
In-Reply-To: <87o9c0ykol.fsf@netris.org>
References: <20180929191827.GA17619@jasmine.lan> <87in2fhv8v.fsf@fastmail.com>
 <20181010191425.GA22832@jasmine.lan> <87o9c0ykol.fsf@netris.org>
User-Agent: Notmuch/0.27 (https://notmuchmail.org) Emacs/26.1
 (x86_64-pc-linux-gnu)
Date: Wed, 17 Oct 2018 20:35:49 +0200
Message-ID: <875zy0h14q.fsf@fastmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 32877-done
Cc: 32877-done@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Mark H Weaver <mhw@netris.org> writes:

> Leo Famulari <leo@famulari.name> writes:
>
>> On Sat, Oct 06, 2018 at 06:53:36PM +0200, Marius Bakke wrote:
>>> From 2891a9acb7704c3397ef34fbb520b46936504422 Mon Sep 17 00:00:00 2001
>>> From: Marius Bakke <mbakke@fastmail.com>
>>> Date: Sat, 6 Oct 2018 18:50:47 +0200
>>> Subject: [PATCH] gnu: python2: Add upstream security fixes.
>>>=20
>>> This addresses CVE-2018-{1060,1061,14647,1000802}.
>>>=20
>>> * gnu/packages/patches/python2-CVE-2018-1000802.patch,
>>> gnu/packages/patches/python2-CVE-2018-1060.patch,
>>> gnu/packages/patches/python2-CVE-2018-1061.patch,
>>> gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
>>> * gnu/local.mk (dist_patch_DATA): Register it.
>>> * gnu/packages/python.scm (python-2/fixed): New variable.
>>> (python-2.7)[replacement]: New field.
>>> (python2-minimal): Use PACKAGE/INHERIT.
>>
>> Thanks! I did some basic tests and things seem to work.
>
> I added this commit to my private branch a few days ago, along with the
> Python-3 CVE-2018-14647 fix (with the added hunk), updated my GuixSD
> GNOME 3 system and user profile, and everything seems to be working
> well.
>
> I think they are both ready to push to master.

Hi Mark,

Thank you very much for testing.  I've pushed these patches now, sorry
for the delay!

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlvHgQUACgkQoqBt8qM6
VPol4AgA1HUzhyxfMSA5KTm9d7NqWUEXy0PtWxoCEMZRdxUK8JZXEBI7ddPd4tZp
WCfkHbMTnRb0oJ3KVoz2nIYEqwzNaCCsYOViU4T2zchVaEhKaP2kzcL6Dv56DOmL
ty2HO0ZCB9ohIN872mkIdyBduv3YqmGEFMpuKYo5khyFM+vHdygNhWCHibKFIbJs
lWcaaCepmbe4Qi7FkczzqTeRXRp7IXJGTy4TKFQ5DblE8rZYNhc01XBHCisufEQu
zE1mVffxNGdgh5p3hQCrF5oTdy44WgxcqvL2S4RwegidlbMKpPjzNpc9jI09cHjq
ETznF9x3hRg5St5gxSF3k+29+5JO0g==
=p/Ew
-----END PGP SIGNATURE-----
--=-=-=--




From unknown Tue Aug 19 10:01:25 2025
Received: (at fakecontrol) by fakecontrolmessage;
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request <help-debbugs@gnu.org>
Subject: Internal Control
Message-Id: bug archived.
Date: Thu, 15 Nov 2018 12:24:06 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator