#32878 - Python-3 CVE-2018-14647 - GNU bug report logs

Package	Source(s)		Maintainer(s)
guix		PTS Buildd Popcon

Message #13 received at 32878@debbugs.gnu.org (full text, mbox, reply):

Received: (at 32878) by debbugs.gnu.org; 6 Oct 2018 15:26:31 +0000
From debbugs-submit-bounces@debbugs.gnu.org Sat Oct 06 11:26:31 2018
Received: from localhost ([127.0.0.1]:38764 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1g8oTL-0005yj-TJ
	for submit@debbugs.gnu.org; Sat, 06 Oct 2018 11:26:31 -0400
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:42963)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mbakke@fastmail.com>) id 1g8oTK-0005ya-76
 for 32878@debbugs.gnu.org; Sat, 06 Oct 2018 11:26:26 -0400
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
 by mailout.nyi.internal (Postfix) with ESMTP id 1DD8621FC7;
 Sat,  6 Oct 2018 11:26:26 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163])
 by compute5.internal (MEProxy); Sat, 06 Oct 2018 11:26:26 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.com; h=
 from:to:subject:in-reply-to:references:date:message-id
 :mime-version:content-type; s=fm1; bh=aYMfJq+9BJJDp6qK0LjZ7JaFlc
 Z42OMy8W8n90lad58=; b=WzUSnEuj5OBiIBaYHiRUqYR8BLsNkU9fDKD+0i8k30
 BHVqyAKwWbjtMbofkPiZ8DUGUBOnv6vWGLlPOln84ro4Ms16pSn9Q948HXgAPgb6
 yqggOzNfW+bYKksG5hvbSJBiaqqAjwvXtEN0JA3gc7acKyFHuIs0Q0aB25zp9Spc
 o9bNy4cUHsmSCcOYX0dC2QLGJDfeRu7QxiSaU26sBToGB6GoiWSAYUv2JDxzMZTr
 ErLt+kEy2VtYxz5pZi8SutdPzLk7l3NUG8/TbaHM7+62YROxmsmX93zAgHRtj5zy
 p+XWm65tcc3AZBkz9EhF7uLnlLiQCKpIMJSet7Rgl0FQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-proxy
 :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=aYMfJq
 +9BJJDp6qK0LjZ7JaFlcZ42OMy8W8n90lad58=; b=NnPiU9HpAnbige+pDKTSK5
 PpdtIeLI8iBhSLspL3gO9zmKGJPZ7u34QlirpceEVSOmG//n8x0cy+NR7IJsE/1l
 OrtYy2fBCau4mz6ClfgAur9jotZ8P9fu3wjZm71lIHTUDPTPpwlnAGK6FWwUgDgM
 dKpGRjptsC1HgOoGlTSIFzz+PQ2nxxx6MW1Llwd/FbDsZs7f5thAj+iNXxvKl71j
 1jrcSEESDu9PeGBjvIcHed+ur2fmsmNUSJGY0J8C+4tf0IOv5tvOQBZQpt0lfkQ+
 UQUr8Cm7clvLwRCeoU44T5hV0zwY5Ad8Mya0OM/qwsiLGOA1FXC4ir8NJUWmDPyg
 ==
X-ME-Sender: <xms:H9S4W73l1RPGEiDgrIBxar-rAD0QepSaNEOCledi-vUqQtYY0BXz5Q>
X-ME-Proxy: <xmx:H9S4W27eZ5UTKB89tQW4MQCVpYjj6k_oXAsawm0ugwKEjFfEAxNobg>
 <xmx:H9S4W-qKHjcZNEBCK-958vUpz3n-v21BQiDRtwTqOetuBbs-LJjoig>
 <xmx:INS4W3oa2lTsf95AyAbrb-nybUOTX28NBN3xlIPDczipivHLHwJHcg>
 <xmx:INS4W3p34ko6p-T1V1KQeg2rIsKV-GDS4hBL3niwbO3uPn1VrdC_ig>
 <xmx:INS4W-Ykh-dnQQ9y-bgmvrJDWmapK45DfGWJFNoWxtN1h4dYiMKbeQ>
 <xmx:ItS4W5fLn1yyKS1ERLkHsVmB-fw6BXqjl4-_GwjxdV1nCdRQTTT1jQ>
Received: from localhost (140.226.16.62.customer.cdi.no [62.16.226.140])
 by mail.messagingengine.com (Postfix) with ESMTPA id 57F1D102EE;
 Sat,  6 Oct 2018 11:26:23 -0400 (EDT)
From: Marius Bakke <mbakke@fastmail.com>
To: Leo Famulari <leo@famulari.name>, 32878@debbugs.gnu.org
Subject: Re: bug#32878: Python-3 CVE-2018-14647
In-Reply-To: <87sh1ji0x0.fsf@fastmail.com>
References: <20180929192302.GB17619@jasmine.lan> <87sh1ji0x0.fsf@fastmail.com>
User-Agent: Notmuch/0.27 (https://notmuchmail.org) Emacs/26.1
 (x86_64-pc-linux-gnu)
Date: Sat, 06 Oct 2018 17:26:21 +0200
Message-ID: <87lg7bhzaa.fsf@fastmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 32878
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

[Message part 1 (text/plain, inline)]

Marius Bakke <mbakke@fastmail.com> writes:

> This patch adds a graft for Python:
>
> From a60d655fd4dddb86e1c8134c675fb61af52b32af Mon Sep 17 00:00:00 2001
> From: Marius Bakke <mbakke@fastmail.com>
> Date: Sat, 6 Oct 2018 16:47:05 +0200
> Subject: [PATCH] gnu: python: Fix CVE-2018-14647.
>
> * gnu/packages/patches/python-CVE-2018-14647.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/python.scm (python-3/fixed): New variable.
> (python-3.6)[replacement]: New field.
> (python-minimal, python-debug, wrap-python3): Use PACKAGE/INHERIT instead of
> standard inheritance.
> ---
>  gnu/local.mk                                  |  1 +
>  .../patches/python-CVE-2018-14647.patch       | 61 +++++++++++++++++++
>  gnu/packages/python.scm                       | 16 +++--
>  3 files changed, 74 insertions(+), 4 deletions(-)
>  create mode 100644 gnu/packages/patches/python-CVE-2018-14647.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 61e5913a0..df16f85db 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1075,6 +1075,7 @@ dist_patch_DATA =						\
>    %D%/packages/patches/python-3-deterministic-build-info.patch	\
>    %D%/packages/patches/python-3-search-paths.patch		\
>    %D%/packages/patches/python-3-fix-tests.patch			\
> +  %D%/packages/patches/python-CVE-2018-14647.patch		\
>    %D%/packages/patches/python-axolotl-AES-fix.patch		\
>    %D%/packages/patches/python-cairocffi-dlopen-path.patch	\
>    %D%/packages/patches/python-fix-tests.patch			\
> diff --git a/gnu/packages/patches/python-CVE-2018-14647.patch b/gnu/packages/patches/python-CVE-2018-14647.patch
> new file mode 100644
> index 000000000..24f8d2182
> --- /dev/null
> +++ b/gnu/packages/patches/python-CVE-2018-14647.patch
> @@ -0,0 +1,61 @@
> +Fix CVE-2018-14647:
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
> +https://bugs.python.org/issue34623
> +
> +Taken from upstream:
> +https://github.com/python/cpython/commit/f7666e828cc3d5873136473ea36ba2013d624fa1
> +
> +diff --git Include/pyexpat.h Include/pyexpat.h
> +index 44259bf6d7..07020b5dc9 100644
> +--- Include/pyexpat.h
> ++++ Include/pyexpat.h
> +@@ -3,7 +3,7 @@
> + 
> + /* note: you must import expat.h before importing this module! */
> + 
> +-#define PyExpat_CAPI_MAGIC  "pyexpat.expat_CAPI 1.0"
> ++#define PyExpat_CAPI_MAGIC  "pyexpat.expat_CAPI 1.1"
> + #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI"
> + 
> + struct PyExpat_CAPI
> +@@ -48,6 +48,8 @@ struct PyExpat_CAPI
> +     enum XML_Status (*SetEncoding)(XML_Parser parser, const XML_Char *encoding);
> +     int (*DefaultUnknownEncodingHandler)(
> +         void *encodingHandlerData, const XML_Char *name, XML_Encoding *info);
> ++    /* might be none for expat < 2.1.0 */
> ++    int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt);
> +     /* always add new stuff to the end! */
> + };
> + 
> +diff --git Modules/_elementtree.c Modules/_elementtree.c
> +index 707ab2912b..53f05f937f 100644
> +--- Modules/_elementtree.c
> ++++ Modules/_elementtree.c
> +@@ -3261,6 +3261,11 @@ _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject *html,
> +         PyErr_NoMemory();
> +         return -1;
> +     }
> ++    /* expat < 2.1.0 has no XML_SetHashSalt() */
> ++    if (EXPAT(SetHashSalt) != NULL) {
> ++        EXPAT(SetHashSalt)(self->parser,
> ++                           (unsigned long)_Py_HashSecret.expat.hashsalt);
> ++    }
> + 
> +     if (target) {
> +         Py_INCREF(target);
> +diff --git Modules/pyexpat.c Modules/pyexpat.c
> +index 47c3e86c20..aa21d93c11 100644
> +--- Modules/pyexpat.c
> ++++ Modules/pyexpat.c
> +@@ -1887,6 +1887,11 @@ MODULE_INITFUNC(void)
> +     capi.SetStartDoctypeDeclHandler = XML_SetStartDoctypeDeclHandler;
> +     capi.SetEncoding = XML_SetEncoding;
> +     capi.DefaultUnknownEncodingHandler = PyUnknownEncodingHandler;
> ++#if XML_COMBINED_VERSION >= 20100
> ++    capi.SetHashSalt = XML_SetHashSalt;
> ++#else
> ++    capi.SetHashSalt = NULL;
> ++#endif
> + 
> +     /* export using capsule */
> +     capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL);
> diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
> index 4703d95a2..5ee3db6bf 100644
> --- a/gnu/packages/python.scm
> +++ b/gnu/packages/python.scm
> @@ -357,6 +357,7 @@ data types.")
>    (package (inherit python-2)
>      (name "python")
>      (version "3.6.5")
> +    (replacement python-3/fixed)
>      (source (origin
>                (method url-fetch)
>                (uri (string-append "https://www.python.org/ftp/python/"
> @@ -456,6 +457,14 @@ data types.")
>  ;; Current 3.x version.
>  (define-public python-3 python-3.6)
>  
> +(define python-3/fixed
> +  (package
> +    (inherit python-3)
> +    (source (origin
> +              (inherit (package-source python-3))
> +              (patches (append (origin-patches (package-source python-3))
> +                               (search-patches "python-CVE-2018-14647.patch")))))))
> +
>  ;; Current major version.
>  (define-public python python-3)
>  
> @@ -474,7 +483,7 @@ data types.")
>                ("zlib" ,zlib)))))
>  
>  (define-public python-minimal
> -  (package (inherit python)
> +  (package/inherit python
>      (name "python-minimal")
>      (outputs '("out"))
>  
> @@ -486,8 +495,7 @@ data types.")
>                ("zlib" ,zlib)))))
>  
>  (define-public python-debug
> -  (package
> -    (inherit python)
> +  (package/inherit python
>      (name "python-debug")
>      (outputs '("out" "debug"))
>      (build-system gnu-build-system)
> @@ -506,7 +514,7 @@ for more information.")))
>  (define* (wrap-python3 python
>                         #:optional
>                         (name (string-append (package-name python) "-wrapper")))
> -  (package (inherit python)
> +  (package/inherit python
>      (name name)
>      (source #f)
>      (build-system trivial-build-system)
> -- 
> 2.19.0

Whoops, this hunk is also needed:

[Message part 2 (text/x-patch, inline)]

1 file changed, 11 insertions(+), 1 deletion(-)
gnu/packages/python.scm | 12 +++++++++++-

modified   gnu/packages/python.scm
@@ -463,7 +463,17 @@ data types.")
     (source (origin
               (inherit (package-source python-3))
               (patches (append (origin-patches (package-source python-3))
-                               (search-patches "python-CVE-2018-14647.patch")))))))
+                               (search-patches "python-CVE-2018-14647.patch")))))
+    (arguments
+     (substitute-keyword-arguments (package-arguments python-3)
+       ((#:phases phases)
+        `(modify-phases ,phases
+           (add-after 'unpack 'delete-broken-test
+             (lambda _
+               ;; Delete test which fails on recent kernels:
+               ;; <https://bugs.python.org/issue34587>.
+               (delete-file "Lib/test/test_socket.py")
+               #t))))))))
 
 ;; Current major version.
 (define-public python python-3)

[back]

[signature.asc (application/pgp-signature, inline)]

Display info messages

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 01:28:51 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

#32878 Python-3 CVE-2018-14647