GNU bug report logs - #32878
Python-3 CVE-2018-14647


Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sat, 29 Sep 2018 19:24:02 UTC

Severity: normal

Tags: security

Fixed in version 90aeaee861845142843a0f988fa4ff016c723cdb

Done: Marius Bakke <mbakke <at> fastmail.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#32878; Package guix. (Sat, 29 Sep 2018 19:24:02 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sat, 29 Sep 2018 19:24:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: bug-guix <at> gnu.org
Subject: Python-3 CVE-2018-14647
Date: Sat, 29 Sep 2018 15:23:02 -0400
Our Python 3.6.5 package is vulnerable to CVE-2018-14647, fixed in
CPython commit f7666e828cc3d5873136473ea36ba2013d624fa1, released in
v3.6.7rc1:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647

Added tag(s) security. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Wed, 03 Oct 2018 20:57:03 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#32878; Package guix. (Sat, 06 Oct 2018 14:52:01 GMT)

Message #10 received at 32878 <at> debbugs.gnu.org:

From: Marius Bakke <mbakke <at> fastmail.com>
To: Leo Famulari <leo <at> famulari.name>, 32878 <at> debbugs.gnu.org
Subject: Re: bug#32878: Python-3 CVE-2018-14647
Date: Sat, 06 Oct 2018 16:51:07 +0200
Leo Famulari <leo <at> famulari.name> writes:

> Our Python 3.6.5 package is vulnerable to CVE-2018-14647, fixed in
> CPython commit f7666e828cc3d5873136473ea36ba2013d624fa1, released in
> v3.6.7rc1:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647

Reading <https://bugs.python.org/issue34623>, this issue seems to only
affect older versions of Expat, or when using Python's bundled one which
is compiled with -DXML_POOR_ENTROPY.

...unfortunately we seem to be using the bundled version :-(

This patch adds a graft for Python:

[0001-gnu-python-Fix-CVE-2018-14647.patch (text/x-patch, inline)]
From a60d655fd4dddb86e1c8134c675fb61af52b32af Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke <at> fastmail.com>
Date: Sat, 6 Oct 2018 16:47:05 +0200
Subject: [PATCH] gnu: python: Fix CVE-2018-14647.

* gnu/packages/patches/python-CVE-2018-14647.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/python.scm (python-3/fixed): New variable.
(python-3.6)[replacement]: New field.
(python-minimal, python-debug, wrap-python3): Use PACKAGE/INHERIT instead of
standard inheritance.
---
 gnu/local.mk                                  |  1 +
 .../patches/python-CVE-2018-14647.patch       | 61 +++++++++++++++++++
 gnu/packages/python.scm                       | 16 +++--
 3 files changed, 74 insertions(+), 4 deletions(-)
 create mode 100644 gnu/packages/patches/python-CVE-2018-14647.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 61e5913a0..df16f85db 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1075,6 +1075,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/python-3-deterministic-build-info.patch	\
   %D%/packages/patches/python-3-search-paths.patch		\
   %D%/packages/patches/python-3-fix-tests.patch			\
+  %D%/packages/patches/python-CVE-2018-14647.patch		\
   %D%/packages/patches/python-axolotl-AES-fix.patch		\
   %D%/packages/patches/python-cairocffi-dlopen-path.patch	\
   %D%/packages/patches/python-fix-tests.patch			\
diff --git a/gnu/packages/patches/python-CVE-2018-14647.patch b/gnu/packages/patches/python-CVE-2018-14647.patch
new file mode 100644
index 000000000..24f8d2182
--- /dev/null
+++ b/gnu/packages/patches/python-CVE-2018-14647.patch
@@ -0,0 +1,61 @@
+Fix CVE-2018-14647:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
+https://bugs.python.org/issue34623
+
+Taken from upstream:
+https://github.com/python/cpython/commit/f7666e828cc3d5873136473ea36ba2013d624fa1
+
+diff --git Include/pyexpat.h Include/pyexpat.h
+index 44259bf6d7..07020b5dc9 100644
+--- Include/pyexpat.h
++++ Include/pyexpat.h
+@@ -3,7 +3,7 @@
+ 
+ /* note: you must import expat.h before importing this module! */
+ 
+-#define PyExpat_CAPI_MAGIC  "pyexpat.expat_CAPI 1.0"
++#define PyExpat_CAPI_MAGIC  "pyexpat.expat_CAPI 1.1"
+ #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI"
+ 
+ struct PyExpat_CAPI
+@@ -48,6 +48,8 @@ struct PyExpat_CAPI
+     enum XML_Status (*SetEncoding)(XML_Parser parser, const XML_Char *encoding);
+     int (*DefaultUnknownEncodingHandler)(
+         void *encodingHandlerData, const XML_Char *name, XML_Encoding *info);
++    /* might be none for expat < 2.1.0 */
++    int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt);
+     /* always add new stuff to the end! */
+ };
+ 
+diff --git Modules/_elementtree.c Modules/_elementtree.c
+index 707ab2912b..53f05f937f 100644
+--- Modules/_elementtree.c
++++ Modules/_elementtree.c
+@@ -3261,6 +3261,11 @@ _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject *html,
+         PyErr_NoMemory();
+         return -1;
+     }
++    /* expat < 2.1.0 has no XML_SetHashSalt() */
++    if (EXPAT(SetHashSalt) != NULL) {
++        EXPAT(SetHashSalt)(self->parser,
++                           (unsigned long)_Py_HashSecret.expat.hashsalt);
++    }
+ 
+     if (target) {
+         Py_INCREF(target);
+diff --git Modules/pyexpat.c Modules/pyexpat.c
+index 47c3e86c20..aa21d93c11 100644
+--- Modules/pyexpat.c
++++ Modules/pyexpat.c
+@@ -1887,6 +1887,11 @@ MODULE_INITFUNC(void)
+     capi.SetStartDoctypeDeclHandler = XML_SetStartDoctypeDeclHandler;
+     capi.SetEncoding = XML_SetEncoding;
+     capi.DefaultUnknownEncodingHandler = PyUnknownEncodingHandler;
++#if XML_COMBINED_VERSION >= 20100
++    capi.SetHashSalt = XML_SetHashSalt;
++#else
++    capi.SetHashSalt = NULL;
++#endif
+ 
+     /* export using capsule */
+     capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL);
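Review bot: the embedded upstream diff uses unprefixed paths (`diff --git Include/pyexpat.h Include/pyexpat.h`, `--- Include/pyexpat.h`) whereas the outer patch and the other files in dist_patch_DATA use the `a/`/`b/` form; make sure the strip level used by the source's patch phase matches this layout, or regenerate the file from the upstream commit with the conventional prefix so it applies the same way as the rest. The content itself is faithful to the fix: the new `SetHashSalt` slot is appended at the end of `struct PyExpat_CAPI` with the capsule magic bumped to 1.1, and `_elementtree` only calls it when the slot is non-NULL, so a build against an Expat older than 2.1.0 still compiles and simply stays unsalted.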
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 4703d95a2..5ee3db6bf 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -357,6 +357,7 @@ data types.")
   (package (inherit python-2)
     (name "python")
     (version "3.6.5")
+    (replacement python-3/fixed)
     (source (origin
               (method url-fetch)
               (uri (string-append "https://www.python.org/ftp/python/"
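Review bot: `(replacement python-3/fixed)` refers to a variable that is only defined about a hundred lines further down; that works because `replacement` is a thunked field evaluated lazily, but a one-line comment naming CVE-2018-14647 next to it would tell a reader why the graft exists without having to find the patch.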
@@ -456,6 +457,14 @@ data types.")
 ;; Current 3.x version.
 (define-public python-3 python-3.6)
 
+(define python-3/fixed
+  (package
+    (inherit python-3)
+    (source (origin
+              (inherit (package-source python-3))
+              (patches (append (origin-patches (package-source python-3))
+                               (search-patches "python-CVE-2018-14647.patch")))))))
+
 ;; Current major version.
 (define-public python python-3)
 
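Review bot: python-3/fixed inherits everything from python-3 including its `check` phase, and a graft target is rebuilt from scratch, so any test that no longer passes in the current build environment blocks the security fix itself; run a full build of the replacement before pushing rather than relying on the existing python-3 derivation having built fine.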
@@ -474,7 +483,7 @@ data types.")
               ("zlib" ,zlib)))))
 
 (define-public python-minimal
-  (package (inherit python)
+  (package/inherit python
     (name "python-minimal")
     (outputs '("out"))
 
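Review bot: switching to `package/inherit` is the right call here, since a plain `(package (inherit python) ...)` would not carry the `replacement` field and would leave python-minimal ungrafted; the same applies to any package definition outside this file that inherits from `python` or `python-3` with plain `inherit`, so it is worth grepping the tree for those before pushing.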
@@ -486,8 +495,7 @@ data types.")
               ("zlib" ,zlib)))))
 
 (define-public python-debug
-  (package
-    (inherit python)
+  (package/inherit python
     (name "python-debug")
     (outputs '("out" "debug"))
     (build-system gnu-build-system)
@@ -506,7 +514,7 @@ for more information.")))
 (define* (wrap-python3 python
                        #:optional
                        (name (string-append (package-name python) "-wrapper")))
-  (package (inherit python)
+  (package/inherit python
     (name name)
     (source #f)
     (build-system trivial-build-system)
-- 
2.19.0

WDYT?

Information forwarded to bug-guix <at> gnu.org:
bug#32878; Package guix. (Sat, 06 Oct 2018 15:27:01 GMT)

Message #13 received at 32878 <at> debbugs.gnu.org:

From: Marius Bakke <mbakke <at> fastmail.com>
To: Leo Famulari <leo <at> famulari.name>, 32878 <at> debbugs.gnu.org
Subject: Re: bug#32878: Python-3 CVE-2018-14647
Date: Sat, 06 Oct 2018 17:26:21 +0200
Marius Bakke <mbakke <at> fastmail.com> writes:

> This patch adds a graft for Python:
>
> From a60d655fd4dddb86e1c8134c675fb61af52b32af Mon Sep 17 00:00:00 2001
> From: Marius Bakke <mbakke <at> fastmail.com>
> Date: Sat, 6 Oct 2018 16:47:05 +0200
> Subject: [PATCH] gnu: python: Fix CVE-2018-14647.
>
> * gnu/packages/patches/python-CVE-2018-14647.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/python.scm (python-3/fixed): New variable.
> (python-3.6)[replacement]: New field.
> (python-minimal, python-debug, wrap-python3): Use PACKAGE/INHERIT instead of
> standard inheritance.
> ---
>  gnu/local.mk                                  |  1 +
>  .../patches/python-CVE-2018-14647.patch       | 61 +++++++++++++++++++
>  gnu/packages/python.scm                       | 16 +++--
>  3 files changed, 74 insertions(+), 4 deletions(-)
>  create mode 100644 gnu/packages/patches/python-CVE-2018-14647.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 61e5913a0..df16f85db 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1075,6 +1075,7 @@ dist_patch_DATA =						\
>    %D%/packages/patches/python-3-deterministic-build-info.patch	\
>    %D%/packages/patches/python-3-search-paths.patch		\
>    %D%/packages/patches/python-3-fix-tests.patch			\
> +  %D%/packages/patches/python-CVE-2018-14647.patch		\
>    %D%/packages/patches/python-axolotl-AES-fix.patch		\
>    %D%/packages/patches/python-cairocffi-dlopen-path.patch	\
>    %D%/packages/patches/python-fix-tests.patch			\
> diff --git a/gnu/packages/patches/python-CVE-2018-14647.patch b/gnu/packages/patches/python-CVE-2018-14647.patch
> new file mode 100644
> index 000000000..24f8d2182
> --- /dev/null
> +++ b/gnu/packages/patches/python-CVE-2018-14647.patch
> @@ -0,0 +1,61 @@
> +Fix CVE-2018-14647:
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
> +https://bugs.python.org/issue34623
> +
> +Taken from upstream:
> +https://github.com/python/cpython/commit/f7666e828cc3d5873136473ea36ba2013d624fa1
> +
> +diff --git Include/pyexpat.h Include/pyexpat.h
> +index 44259bf6d7..07020b5dc9 100644
> +--- Include/pyexpat.h
> ++++ Include/pyexpat.h
> +@@ -3,7 +3,7 @@
> + 
> + /* note: you must import expat.h before importing this module! */
> + 
> +-#define PyExpat_CAPI_MAGIC  "pyexpat.expat_CAPI 1.0"
> ++#define PyExpat_CAPI_MAGIC  "pyexpat.expat_CAPI 1.1"
> + #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI"
> + 
> + struct PyExpat_CAPI
> +@@ -48,6 +48,8 @@ struct PyExpat_CAPI
> +     enum XML_Status (*SetEncoding)(XML_Parser parser, const XML_Char *encoding);
> +     int (*DefaultUnknownEncodingHandler)(
> +         void *encodingHandlerData, const XML_Char *name, XML_Encoding *info);
> ++    /* might be none for expat < 2.1.0 */
> ++    int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt);
> +     /* always add new stuff to the end! */
> + };
> + 
> +diff --git Modules/_elementtree.c Modules/_elementtree.c
> +index 707ab2912b..53f05f937f 100644
> +--- Modules/_elementtree.c
> ++++ Modules/_elementtree.c
> +@@ -3261,6 +3261,11 @@ _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject *html,
> +         PyErr_NoMemory();
> +         return -1;
> +     }
> ++    /* expat < 2.1.0 has no XML_SetHashSalt() */
> ++    if (EXPAT(SetHashSalt) != NULL) {
> ++        EXPAT(SetHashSalt)(self->parser,
> ++                           (unsigned long)_Py_HashSecret.expat.hashsalt);
> ++    }
> + 
> +     if (target) {
> +         Py_INCREF(target);
> +diff --git Modules/pyexpat.c Modules/pyexpat.c
> +index 47c3e86c20..aa21d93c11 100644
> +--- Modules/pyexpat.c
> ++++ Modules/pyexpat.c
> +@@ -1887,6 +1887,11 @@ MODULE_INITFUNC(void)
> +     capi.SetStartDoctypeDeclHandler = XML_SetStartDoctypeDeclHandler;
> +     capi.SetEncoding = XML_SetEncoding;
> +     capi.DefaultUnknownEncodingHandler = PyUnknownEncodingHandler;
> ++#if XML_COMBINED_VERSION >= 20100
> ++    capi.SetHashSalt = XML_SetHashSalt;
> ++#else
> ++    capi.SetHashSalt = NULL;
> ++#endif
> + 
> +     /* export using capsule */
> +     capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL);
> diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
> index 4703d95a2..5ee3db6bf 100644
> --- a/gnu/packages/python.scm
> +++ b/gnu/packages/python.scm
> @@ -357,6 +357,7 @@ data types.")
>    (package (inherit python-2)
>      (name "python")
>      (version "3.6.5")
> +    (replacement python-3/fixed)
>      (source (origin
>                (method url-fetch)
>                (uri (string-append "https://www.python.org/ftp/python/"
> @@ -456,6 +457,14 @@ data types.")
>  ;; Current 3.x version.
>  (define-public python-3 python-3.6)
>  
> +(define python-3/fixed
> +  (package
> +    (inherit python-3)
> +    (source (origin
> +              (inherit (package-source python-3))
> +              (patches (append (origin-patches (package-source python-3))
> +                               (search-patches "python-CVE-2018-14647.patch")))))))
> +
>  ;; Current major version.
>  (define-public python python-3)
>  
> @@ -474,7 +483,7 @@ data types.")
>                ("zlib" ,zlib)))))
>  
>  (define-public python-minimal
> -  (package (inherit python)
> +  (package/inherit python
>      (name "python-minimal")
>      (outputs '("out"))
>  
> @@ -486,8 +495,7 @@ data types.")
>                ("zlib" ,zlib)))))
>  
>  (define-public python-debug
> -  (package
> -    (inherit python)
> +  (package/inherit python
>      (name "python-debug")
>      (outputs '("out" "debug"))
>      (build-system gnu-build-system)
> @@ -506,7 +514,7 @@ for more information.")))
>  (define* (wrap-python3 python
>                         #:optional
>                         (name (string-append (package-name python) "-wrapper")))
> -  (package (inherit python)
> +  (package/inherit python
>      (name name)
>      (source #f)
>      (build-system trivial-build-system)
> -- 
> 2.19.0

Whoops, this hunk is also needed:

1 file changed, 11 insertions(+), 1 deletion(-)
gnu/packages/python.scm | 12 +++++++++++-

modified   gnu/packages/python.scm
@@ -463,7 +463,17 @@ data types.")
     (source (origin
               (inherit (package-source python-3))
               (patches (append (origin-patches (package-source python-3))
-                               (search-patches "python-CVE-2018-14647.patch")))))))
+                               (search-patches "python-CVE-2018-14647.patch")))))
+    (arguments
+     (substitute-keyword-arguments (package-arguments python-3)
+       ((#:phases phases)
+        `(modify-phases ,phases
+           (add-after 'unpack 'delete-broken-test
+             (lambda _
+               ;; Delete test which fails on recent kernels:
+               ;; <https://bugs.python.org/issue34587>.
+               (delete-file "Lib/test/test_socket.py")
+               #t))))))))
 
 ;; Current major version.
 (define-public python python-3)
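Review bot: `(delete-file "Lib/test/test_socket.py")` drops the entire socket test module to work around a single test that fails on recent kernels (bpo-34587), and if Lib/test ends up in the output it also removes that module from the stdlib shipped by the replacement; a narrower fix would skip only the failing test, e.g. with `substitute*` on the test function or a `skip` decorator, so the rest of the socket coverage still runs before the graft is published. The `add-after 'unpack` placement and the `#t` return value are fine.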

Information forwarded to bug-guix <at> gnu.org:
bug#32878; Package guix. (Wed, 10 Oct 2018 19:27:01 GMT)

Message #16 received at 32878 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 32878 <at> debbugs.gnu.org
Subject: Re: bug#32878: Python-3 CVE-2018-14647
Date: Wed, 10 Oct 2018 15:26:01 -0400
On Sat, Oct 06, 2018 at 04:51:07PM +0200, Marius Bakke wrote:
> From a60d655fd4dddb86e1c8134c675fb61af52b32af Mon Sep 17 00:00:00 2001
> From: Marius Bakke <mbakke <at> fastmail.com>
> Date: Sat, 6 Oct 2018 16:47:05 +0200
> Subject: [PATCH] gnu: python: Fix CVE-2018-14647.
> 
> * gnu/packages/patches/python-CVE-2018-14647.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/python.scm (python-3/fixed): New variable.
> (python-3.6)[replacement]: New field.
> (python-minimal, python-debug, wrap-python3): Use PACKAGE/INHERIT instead of
> standard inheritance.

Thanks! I did some more basic tests with this one, using the extra hunk
in your other mail. I think this change is okay.

Information forwarded to bug-guix <at> gnu.org:
bug#32878; Package guix. (Thu, 11 Oct 2018 08:05:01 GMT)

Message #19 received at 32878 <at> debbugs.gnu.org:

From: Mark H Weaver <mhw <at> netris.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: Marius Bakke <mbakke <at> fastmail.com>, 32878 <at> debbugs.gnu.org
Subject: Re: bug#32878: Python-3 CVE-2018-14647
Date: Thu, 11 Oct 2018 04:04:31 -0400
Leo Famulari <leo <at> famulari.name> writes:

> On Sat, Oct 06, 2018 at 04:51:07PM +0200, Marius Bakke wrote:
>> From a60d655fd4dddb86e1c8134c675fb61af52b32af Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <mbakke <at> fastmail.com>
>> Date: Sat, 6 Oct 2018 16:47:05 +0200
>> Subject: [PATCH] gnu: python: Fix CVE-2018-14647.
>> 
>> * gnu/packages/patches/python-CVE-2018-14647.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/python.scm (python-3/fixed): New variable.
>> (python-3.6)[replacement]: New field.
>> (python-minimal, python-debug, wrap-python3): Use PACKAGE/INHERIT instead of
>> standard inheritance.
>
> Thanks! I did some more basic tests with this one, using the extra hunk
> in your other mail. I think this change is okay.

As I wrote in another thread, I added this commit (with extra hunk) to
my private branch a few days ago, along with the Python-2 security
fixes, updated my GuixSD GNOME 3 system and user profile, and everything
seems to be working well.

I think they are both ready to push to master.

Thank you, Marius!

       Mark

bug marked as fixed in version 90aeaee861845142843a0f988fa4ff016c723cdb, send any further explanations to 32878 <at> debbugs.gnu.org and Leo Famulari <leo <at> famulari.name> Request was from Marius Bakke <mbakke <at> fastmail.com> to control <at> debbugs.gnu.org. (Wed, 17 Oct 2018 19:03:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 15 Nov 2018 12:24:06 GMT)
