GNU bug report logs - #32878
Python-3 CVE-2018-14647

Previous Next

Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sat, 29 Sep 2018 19:24:02 UTC

Severity: normal

Tags: security

Fixed in version 90aeaee861845142843a0f988fa4ff016c723cdb

Done: Marius Bakke <mbakke <at> fastmail.com>

Bug is archived. No further changes may be made.

Full log

Message #10 received at 32878 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Leo Famulari <leo <at> famulari.name>, 32878 <at> debbugs.gnu.org
Subject: Re: bug#32878: Python-3 CVE-2018-14647
Date: Sat, 06 Oct 2018 16:51:07 +0200

[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:

> Our Python 3.6.5 package is vulnerable to CVE-2018-14647, fixed in
> CPython commit f7666e828cc3d5873136473ea36ba2013d624fa1, released in
> v3.6.7rc1:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647

Reading <https://bugs.python.org/issue34623>, this issue seems to only
affect older versions of Expat, or when using Pythons bundled one which
is compiled with -DXML_POOR_ENTROPY.

...unfortunately we seem to be using the bundled version :-(

This patch adds a graft for Python:


[0001-gnu-python-Fix-CVE-2018-14647.patch (text/x-patch, inline)]
From a60d655fd4dddb86e1c8134c675fb61af52b32af Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke <at> fastmail.com>
Date: Sat, 6 Oct 2018 16:47:05 +0200
Subject: [PATCH] gnu: python: Fix CVE-2018-14647.

* gnu/packages/patches/python-CVE-2018-14647.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/python.scm (python-3/fixed): New variable.
(python-3.6)[replacement]: New field.
(python-minimal, python-debug, wrap-python3): Use PACKAGE/INHERIT instead of
standard inheritance.
---
 gnu/local.mk                                  |  1 +
 .../patches/python-CVE-2018-14647.patch       | 61 +++++++++++++++++++
 gnu/packages/python.scm                       | 16 +++--
 3 files changed, 74 insertions(+), 4 deletions(-)
 create mode 100644 gnu/packages/patches/python-CVE-2018-14647.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 61e5913a0..df16f85db 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1075,6 +1075,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/python-3-deterministic-build-info.patch	\
   %D%/packages/patches/python-3-search-paths.patch		\
   %D%/packages/patches/python-3-fix-tests.patch			\
+  %D%/packages/patches/python-CVE-2018-14647.patch		\
   %D%/packages/patches/python-axolotl-AES-fix.patch		\
   %D%/packages/patches/python-cairocffi-dlopen-path.patch	\
   %D%/packages/patches/python-fix-tests.patch			\
diff --git a/gnu/packages/patches/python-CVE-2018-14647.patch b/gnu/packages/patches/python-CVE-2018-14647.patch
new file mode 100644
index 000000000..24f8d2182
--- /dev/null
+++ b/gnu/packages/patches/python-CVE-2018-14647.patch
@@ -0,0 +1,61 @@
+Fix CVE-2018-14647:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
+https://bugs.python.org/issue34623
+
+Taken from upstream:
+https://github.com/python/cpython/commit/f7666e828cc3d5873136473ea36ba2013d624fa1
+
+diff --git Include/pyexpat.h Include/pyexpat.h
+index 44259bf6d7..07020b5dc9 100644
+--- Include/pyexpat.h
++++ Include/pyexpat.h
+@@ -3,7 +3,7 @@
+ 
+ /* note: you must import expat.h before importing this module! */
+ 
+-#define PyExpat_CAPI_MAGIC  "pyexpat.expat_CAPI 1.0"
++#define PyExpat_CAPI_MAGIC  "pyexpat.expat_CAPI 1.1"
+ #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI"
+ 
+ struct PyExpat_CAPI
+@@ -48,6 +48,8 @@ struct PyExpat_CAPI
+     enum XML_Status (*SetEncoding)(XML_Parser parser, const XML_Char *encoding);
+     int (*DefaultUnknownEncodingHandler)(
+         void *encodingHandlerData, const XML_Char *name, XML_Encoding *info);
++    /* might be none for expat < 2.1.0 */
++    int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt);
+     /* always add new stuff to the end! */
+ };
+ 
+diff --git Modules/_elementtree.c Modules/_elementtree.c
+index 707ab2912b..53f05f937f 100644
+--- Modules/_elementtree.c
++++ Modules/_elementtree.c
+@@ -3261,6 +3261,11 @@ _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject *html,
+         PyErr_NoMemory();
+         return -1;
+     }
++    /* expat < 2.1.0 has no XML_SetHashSalt() */
++    if (EXPAT(SetHashSalt) != NULL) {
++        EXPAT(SetHashSalt)(self->parser,
++                           (unsigned long)_Py_HashSecret.expat.hashsalt);
++    }
+ 
+     if (target) {
+         Py_INCREF(target);
+diff --git Modules/pyexpat.c Modules/pyexpat.c
+index 47c3e86c20..aa21d93c11 100644
+--- Modules/pyexpat.c
++++ Modules/pyexpat.c
+@@ -1887,6 +1887,11 @@ MODULE_INITFUNC(void)
+     capi.SetStartDoctypeDeclHandler = XML_SetStartDoctypeDeclHandler;
+     capi.SetEncoding = XML_SetEncoding;
+     capi.DefaultUnknownEncodingHandler = PyUnknownEncodingHandler;
++#if XML_COMBINED_VERSION >= 20100
++    capi.SetHashSalt = XML_SetHashSalt;
++#else
++    capi.SetHashSalt = NULL;
++#endif
+ 
+     /* export using capsule */
+     capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL);
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 4703d95a2..5ee3db6bf 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -357,6 +357,7 @@ data types.")
   (package (inherit python-2)
     (name "python")
     (version "3.6.5")
+    (replacement python-3/fixed)
     (source (origin
               (method url-fetch)
               (uri (string-append "https://www.python.org/ftp/python/"
@@ -456,6 +457,14 @@ data types.")
 ;; Current 3.x version.
 (define-public python-3 python-3.6)
 
+(define python-3/fixed
+  (package
+    (inherit python-3)
+    (source (origin
+              (inherit (package-source python-3))
+              (patches (append (origin-patches (package-source python-3))
+                               (search-patches "python-CVE-2018-14647.patch")))))))
+
 ;; Current major version.
 (define-public python python-3)
 
@@ -474,7 +483,7 @@ data types.")
               ("zlib" ,zlib)))))
 
 (define-public python-minimal
-  (package (inherit python)
+  (package/inherit python
     (name "python-minimal")
     (outputs '("out"))
 
@@ -486,8 +495,7 @@ data types.")
               ("zlib" ,zlib)))))
 
 (define-public python-debug
-  (package
-    (inherit python)
+  (package/inherit python
     (name "python-debug")
     (outputs '("out" "debug"))
     (build-system gnu-build-system)
@@ -506,7 +514,7 @@ for more information.")))
 (define* (wrap-python3 python
                        #:optional
                        (name (string-append (package-name python) "-wrapper")))
-  (package (inherit python)
+  (package/inherit python
     (name name)
     (source #f)
     (build-system trivial-build-system)
-- 
2.19.0


[Message part 3 (text/plain, inline)]
WDYT?

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 6 years and 278 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.