Python-2 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647 CVE-2018-1000802

  • Done
  • quality assurance status badge
Details
4 participants
  • Leo Famulari
  • Ludovic Courtès
  • Marius Bakke
  • Mark H Weaver
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal

Debbugs page

L
L
Leo Famulari wrote on 29 Sep 2018 12:18
(address . bug-guix@gnu.org)
20180929191827.GA17619@jasmine.lan
Here are some bugs that apply to our Python 2.7.14 package.

CVE-2018-1060 (fixed upstream in Python 2.7.15):

CVE-2018-1061 (fixed upstream in Python 2.7.15):

CVE-2018-14647 (fixed in unreleased CPython commit
18b20bad75b4ff0486940fba4ec680e96e70f3a2):

CVE-2018-1000802 (fixed in unreleased CPython commit
d8b103b8b3ef9644805341216963a64098642435):
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAluvz/8ACgkQJkb6MLrK
fwg3/A/+K3kU1Npbdnz751GugCsCuwuDMXmy0vwtKZ+uHtHiF3Z5vgGFOeAxaagl
JlV8vUf4zVcBfdX5tlZEga7rBNNvpmU5xAT3stb/jG0LqMtTiRmIG0XIRgZ3L8JA
f0DVwObTtLcFXnvSYfqSyrRtBg1XMvWGE5hbHKurloR2Au7zitzwhAzQWEXaOt4r
iImjtEpEmi30E6l2jJC3OE12zmmPR6pEUlakyo3gphCCiIDXfxUTX/yAX+ml/yKo
l7s3/O4AoQiPIrH8dqzC3oq8vxnyPZklr0ydcz2XWmc1qMCWBWDuW4A+SFYAVbEu
KvaXccFaQ02Kh9VcBGO+kmc9QmBgnciF7UDM9N1vRdTXB+pZFWpGZ9y4sOhq3iNU
lgPB6pGTE70IJ+Qh3s2lckkzJ70YBQFDg7bhpRGbujMTaBbMk/vcKXU0zQ0O/T3D
5O+vrKJVgPOitV07rF9M6i/01mDJzHBwsPoOMq4Y9hu5Adr/Ede5i5KAq/lXLHtr
qur4g9q4W863RAvdO8Dqkf/Zp36p86oj35Dno5/KXYFQaIGyTmTU67SUqWRSDgZc
dwkR6snT97bxiK7U61kT/CfcmXphBamU0ObrjU/cVTgWjS3UC9lmd2miGg42Q1c+
95QGsVq3sCB5Y8YA4SKC83TRJTOlr9yvROdWfQnDpu+y1i6z9iQ=
=eaCa
-----END PGP SIGNATURE-----


L
L
Ludovic Courtès wrote on 3 Oct 2018 13:56
control message for bug #32877
(address . control@debbugs.gnu.org)
87h8i2lpf1.fsf@gnu.org
tags 32877 security
M
M
Marius Bakke wrote on 6 Oct 2018 09:53
Re: bug#32877: Python-2 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647 CVE-2018-1000802
87in2fhv8v.fsf@fastmail.com
Leo Famulari <leo@famulari.name> writes:

Toggle quote (16 lines)
> Here are some bugs that apply to our Python 2.7.14 package.
>
> CVE-2018-1060 (fixed upstream in Python 2.7.15):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060
>
> CVE-2018-1061 (fixed upstream in Python 2.7.15):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061
>
> CVE-2018-14647 (fixed in unreleased CPython commit
> 18b20bad75b4ff0486940fba4ec680e96e70f3a2):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
>
> CVE-2018-1000802 (fixed in unreleased CPython commit
> d8b103b8b3ef9644805341216963a64098642435):
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802

Here is a patch that should fix these:
WDYT?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlu46JAACgkQoqBt8qM6
VPqwgQgAqL46w9GCNQFM3SdVVLUkg6MUdk1fLAKXyoEi03dG85lRUEiEZcQvAJnW
dGSe/JU6vr2TsR11HXFrBfOPDWpf1O3ISDF/DmKaZUwhJLuVW5dRWQYkI8uCzNHJ
tkQ/NMzq0lz9jN0oRzb+XAcoKs8xupEyTWY+lEasqBKmsoxnHHAz/AGqkKVBwm9q
ZyAkEK7Kzc04mT5YRzw2T6vdxptOWylMDIR1wfgXdTO6ZxjD+L4BHTeRPySlvjVa
3WvlhWPqkdDtWzeG5OHJ8LB9d6yAjN/9asKyl4s6s8Jsx2PQd5FphcLPcbqxbu2p
Be2njDvE+Q/W5Sa5VFjiLaaCwwMGnA==
=m+AH
-----END PGP SIGNATURE-----

L
L
Leo Famulari wrote on 10 Oct 2018 12:14
(name . Marius Bakke)(address . mbakke@fastmail.com)(address . 32877@debbugs.gnu.org)
20181010191425.GA22832@jasmine.lan
On Sat, Oct 06, 2018 at 06:53:36PM +0200, Marius Bakke wrote:
Toggle quote (16 lines)
> From 2891a9acb7704c3397ef34fbb520b46936504422 Mon Sep 17 00:00:00 2001
> From: Marius Bakke <mbakke@fastmail.com>
> Date: Sat, 6 Oct 2018 18:50:47 +0200
> Subject: [PATCH] gnu: python2: Add upstream security fixes.
>
> This addresses CVE-2018-{1060,1061,14647,1000802}.
>
> * gnu/packages/patches/python2-CVE-2018-1000802.patch,
> gnu/packages/patches/python2-CVE-2018-1060.patch,
> gnu/packages/patches/python2-CVE-2018-1061.patch,
> gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/python.scm (python-2/fixed): New variable.
> (python-2.7)[replacement]: New field.
> (python2-minimal): Use PACKAGE/INHERIT.

Thanks! I did some basic tests and things seem to work.
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlu+T44ACgkQJkb6MLrK
fwhdoA//Qv6eKfCl4lRaKkeuE9Jr56xtFAk72D5jxDh+ARJKUuJl8Re93hEIr8JW
Jrw20qLMq3LY/2fqkCt8A2OqTwVnlHSKszGZzaSKKGTcp9BgA/H/8dX1epQYxS7e
pVSroAmNi2zFPKHt6EDZmxJjXZMehC1H7f1WXxvo1wk9LDoSw6cEYOCf8eDtwMqU
gc/AgIpy5BMQPc4Gn16b/4QZIH0oW2h0c3jzEOVMkwLTQjjRGhISNMtfKL+RERSL
PI+iJ+v/xvjPCk6zFekeDiYoMszVAFGRqkzAqMDy0k2EK4kMxyDGthHdmX0vugyI
n9fV4BHb35H+tJiQxbh5u8UkH2iukJtRDnwFiq3T6fUlpVw+JV8I0wppBR/E1aPw
1ltvm7b4LeTDNdnMLTeBTNRQQeq9WcQ5kTY8XiBcAiQ1FzGq8SmPLDgnJxITm8Az
zBOEVhmkY84ZFWisVrEMvgoE/XALonJSTxOCCVEFJ6p5sqqLMEgHT8azkvC6FzjX
1zxf3MzAxPkOYy7OHASyiqmAEhcouOsOQ0yqtJVl8D9gvQEM/9eh1oyFlXy+jDlm
a898P/YrTAr/XLikvjWl7rT9OsBbfI8WEroi+Ywg9WNxic7DSeDodae9OiZfL65X
gjOQhqaaWTru8OCyAmhnreOf49LhSY7VR6N5R5bp5lel4ZGjz4I=
=KN0+
-----END PGP SIGNATURE-----


M
M
Mark H Weaver wrote on 11 Oct 2018 01:03
(name . Leo Famulari)(address . leo@famulari.name)
87o9c0ykol.fsf@netris.org
Leo Famulari <leo@famulari.name> writes:

Toggle quote (19 lines)
> On Sat, Oct 06, 2018 at 06:53:36PM +0200, Marius Bakke wrote:
>> From 2891a9acb7704c3397ef34fbb520b46936504422 Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <mbakke@fastmail.com>
>> Date: Sat, 6 Oct 2018 18:50:47 +0200
>> Subject: [PATCH] gnu: python2: Add upstream security fixes.
>>
>> This addresses CVE-2018-{1060,1061,14647,1000802}.
>>
>> * gnu/packages/patches/python2-CVE-2018-1000802.patch,
>> gnu/packages/patches/python2-CVE-2018-1060.patch,
>> gnu/packages/patches/python2-CVE-2018-1061.patch,
>> gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/python.scm (python-2/fixed): New variable.
>> (python-2.7)[replacement]: New field.
>> (python2-minimal): Use PACKAGE/INHERIT.
>
> Thanks! I did some basic tests and things seem to work.

I added this commit to my private branch a few days ago, along with the
Python-3 CVE-2018-14647 fix (with the added hunk), updated my GuixSD
GNOME 3 system and user profile, and everything seems to be working
well.

I think they are both ready to push to master.

Thank you, Marius!

Mark
M
M
Marius Bakke wrote on 17 Oct 2018 11:35
(address . 32877-done@debbugs.gnu.org)
875zy0h14q.fsf@fastmail.com
Mark H Weaver <mhw@netris.org> writes:

Toggle quote (28 lines)
> Leo Famulari <leo@famulari.name> writes:
>
>> On Sat, Oct 06, 2018 at 06:53:36PM +0200, Marius Bakke wrote:
>>> From 2891a9acb7704c3397ef34fbb520b46936504422 Mon Sep 17 00:00:00 2001
>>> From: Marius Bakke <mbakke@fastmail.com>
>>> Date: Sat, 6 Oct 2018 18:50:47 +0200
>>> Subject: [PATCH] gnu: python2: Add upstream security fixes.
>>>
>>> This addresses CVE-2018-{1060,1061,14647,1000802}.
>>>
>>> * gnu/packages/patches/python2-CVE-2018-1000802.patch,
>>> gnu/packages/patches/python2-CVE-2018-1060.patch,
>>> gnu/packages/patches/python2-CVE-2018-1061.patch,
>>> gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
>>> * gnu/local.mk (dist_patch_DATA): Register it.
>>> * gnu/packages/python.scm (python-2/fixed): New variable.
>>> (python-2.7)[replacement]: New field.
>>> (python2-minimal): Use PACKAGE/INHERIT.
>>
>> Thanks! I did some basic tests and things seem to work.
>
> I added this commit to my private branch a few days ago, along with the
> Python-3 CVE-2018-14647 fix (with the added hunk), updated my GuixSD
> GNOME 3 system and user profile, and everything seems to be working
> well.
>
> I think they are both ready to push to master.

Hi Mark,

Thank you very much for testing. I've pushed these patches now, sorry
for the delay!
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlvHgQUACgkQoqBt8qM6
VPol4AgA1HUzhyxfMSA5KTm9d7NqWUEXy0PtWxoCEMZRdxUK8JZXEBI7ddPd4tZp
WCfkHbMTnRb0oJ3KVoz2nIYEqwzNaCCsYOViU4T2zchVaEhKaP2kzcL6Dv56DOmL
ty2HO0ZCB9ohIN872mkIdyBduv3YqmGEFMpuKYo5khyFM+vHdygNhWCHibKFIbJs
lWcaaCepmbe4Qi7FkczzqTeRXRp7IXJGTy4TKFQ5DblE8rZYNhc01XBHCisufEQu
zE1mVffxNGdgh5p3hQCrF5oTdy44WgxcqvL2S4RwegidlbMKpPjzNpc9jI09cHjq
ETznF9x3hRg5St5gxSF3k+29+5JO0g==
=p/Ew
-----END PGP SIGNATURE-----

Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 32877@patchwise.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 32877
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch