GNU bug report logs

#46631 Python CVE-2021-3177


Report forwarded to bug-guix@gnu.org:
bug#46631; Package guix. (Fri, 19 Feb 2021 03:22:01 GMT)


Acknowledgement sent to Leo Famulari <leo@famulari.name>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Fri, 19 Feb 2021 03:22:01 GMT)


Message #5 received at submit@debbugs.gnu.org:

From: Leo Famulari <leo@famulari.name>
To: bug-guix@gnu.org
Subject: Python CVE-2021-3177
Date: Thu, 18 Feb 2021 22:21:34 -0500
Quoting from MITRE:

------
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in
_ctypes/callproc.c, which may lead to remote code execution in certain
Python applications that accept floating-point numbers as untrusted
input, as demonstrated by a 1e300 argument to c_double.from_param. This
occurs because sprintf is used unsafely. 
------
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177

There is not yet an upstream release to fix the issue in the 3.8 series
that we distribute. I believe there are patches we can cherry-pick. Can
somebody find them?

I assume that Python is considered to be "graft-able". Can anyone
confirm?

The upstream bug report:
https://bugs.python.org/issue42938
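To make the unsafe pattern MITRE describes concrete, here is an added C illustration (not code from this thread or from CPython) of why formatting a double with an unbounded sprintf overruns a fixed stack buffer when the value is 1e300, beside a measure-then-allocate form that cannot. The 256-byte buffer size and the cparam_* function names are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed stack buffer size the vulnerable repr formatted into (assumed for
 * illustration, not copied from CPython). "%f" of 1e300 expands to 300+
 * digits, so an unbounded sprintf into a buffer this size overruns it. */
#define CPARAM_BUF_SIZE 256

/* Bytes the formatted repr needs, excluding the NUL terminator.
 * snprintf with a NULL buffer and size 0 only measures; it writes nothing. */
int cparam_repr_len(char tag, double value)
{
    return snprintf(NULL, 0, "<cparam '%c' (%f)>", tag, value);
}

/* The bound check sprintf never performs: 1 if the value fits, else 0. */
int cparam_repr_fits(char tag, double value)
{
    int n = cparam_repr_len(tag, value);
    return n >= 0 && n < CPARAM_BUF_SIZE;
}

/* Hardened form: measure, allocate exactly what is needed, write with a
 * bound. Caller frees the result; returns NULL on failure. */
char *cparam_repr(char tag, double value)
{
    int n = cparam_repr_len(tag, value);
    if (n < 0)
        return NULL;
    char *buf = malloc((size_t)n + 1);
    if (buf == NULL)
        return NULL;
    snprintf(buf, (size_t)n + 1, "<cparam '%c' (%f)>", tag, value);
    return buf;
}

int main(void)
{
    /* Constructed samples: a benign value and the 1e300 from the advisory. */
    double samples[] = { 1.5, 1e300 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *s = cparam_repr('d', samples[i]);
        printf("%g -> %zu chars, fits in %d bytes: %s\n", samples[i],
               s ? strlen(s) : 0, CPARAM_BUF_SIZE,
               cparam_repr_fits('d', samples[i]) ? "yes" : "no");
        free(s);
    }
    return 0;
}
```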




Information forwarded to bug-guix@gnu.org:
bug#46631; Package guix. (Fri, 19 Feb 2021 15:36:01 GMT)


Message #8 received at 46631@debbugs.gnu.org:

From: Ludovic Courtès <ludo@gnu.org>
To: Leo Famulari <leo@famulari.name>
Cc: 46631@debbugs.gnu.org
Subject: Re: bug#46631: Python CVE-2021-3177
Date: Fri, 19 Feb 2021 16:35:26 +0100
Hi,

Leo Famulari <leo@famulari.name> wrote:

> I assume that Python is considered to be "graft-able". Can anyone
> confirm?

Yes, I think so.

Ludo’.




Information forwarded to bug-guix@gnu.org:
bug#46631; Package guix. (Fri, 19 Feb 2021 23:14:01 GMT)


Message #11 received at 46631@debbugs.gnu.org:

From: Leo Famulari <leo@famulari.name>
To: 46631@debbugs.gnu.org
Subject: Re: Python CVE-2021-3177
Date: Fri, 19 Feb 2021 18:12:58 -0500
I pushed a fix for Python 3.9 in commit
f08c7cb0c75e7d5305c82d6a4af68ddf74fb08b1.

But, we use Python 3.8 for everything, and my patch (attached) fails to
apply for some reason. It does work when I apply the new bug fix patch
"by hand" onto the Guix source code for our current python-3.8 package.
[0001-gnu-Python-Fix-CVE-2021-3177.patch (text/plain, attachment)]

Information forwarded to bug-guix@gnu.org:
bug#46631; Package guix. (Fri, 19 Feb 2021 23:24:01 GMT)


Message #14 received at 46631@debbugs.gnu.org:

From: Leo Famulari <leo@famulari.name>
To: 46631@debbugs.gnu.org
Subject: Re: Python CVE-2021-3177
Date: Fri, 19 Feb 2021 18:23:49 -0500
On Fri, Feb 19, 2021 at 06:12:58PM -0500, Leo Famulari wrote:
> But, we use Python 3.8 for everything, and my patch (attached) fails to
> apply for some reason. It does work when I apply the new bug fix patch
> "by hand" onto the Guix source code for our current python-3.8 package.

More weirdness: When I apply the patch to the python-3.8 package (that
is, without setting up a grafted replacement), it works. So I am
definitely doing something wrong here.




Information forwarded to bug-guix@gnu.org:
bug#46631; Package guix. (Fri, 19 Feb 2021 23:42:01 GMT)


Message #17 received at 46631@debbugs.gnu.org:

From: Leo Famulari <leo@famulari.name>
To: 46631@debbugs.gnu.org
Subject: Re: Python CVE-2021-3177
Date: Fri, 19 Feb 2021 18:41:26 -0500
On Fri, Feb 19, 2021 at 06:23:49PM -0500, Leo Famulari wrote:
> More weirdness: When I apply the patch to the python-3.8 package (that
> is, without setting up a grafted replacement), it works. So I am
> definitely doing something wrong here.

Here is a new patch that I'm currently building. I think I had composed
the package inheritance incorrectly in my previous patch.
[0001-gnu-Python-Fix-CVE-2021-3177.patch (text/plain, attachment)]

Information forwarded to bug-guix@gnu.org:
bug#46631; Package guix. (Mon, 22 Feb 2021 08:09:01 GMT)


Message #20 received at 46631@debbugs.gnu.org:

From: Ludovic Courtès <ludo@gnu.org>
To: Leo Famulari <leo@famulari.name>
Cc: 46631@debbugs.gnu.org
Subject: Re: bug#46631: Python CVE-2021-3177
Date: Mon, 22 Feb 2021 09:08:14 +0100
Hi Leo,

Leo Famulari <leo@famulari.name> wrote:

> From b62969d52add462fc1b8b4bd1e0a3c4d53a39864 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Fri, 19 Feb 2021 18:09:57 -0500
> Subject: [PATCH] gnu: Python: Fix CVE-2021-3177.
>
> * gnu/packages/patches/python-3.8-CVE-2021-3177.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/python.scm (python-3.8): Define with PACKAGE/INHERIT.
> [replacement]: New field.
> (python-3.8/fixed): New variable.

[...]

>  (define-public python-3.8
> -  (package (inherit python-2)
> +  (package/inherit python-2
>      (name "python")
> +    (replacement python-3.8/fixed)
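Review bot: the quoted excerpt shows only the new `(replacement python-3.8/fixed)` field on `python-3.8`; the hunk defining `python-3.8/fixed`, which the commit message announces ("(python-3.8/fixed): New variable") alongside the new `python-3.8-CVE-2021-3177.patch` and its `dist_patch_DATA` entry, is elided, so a reviewer cannot confirm from what is quoted that the replacement adds that patch and otherwise leaves `python-3.8` unchanged, which is what makes it usable as a graft. Suggest quoting that hunk as well so the replacement definition can be checked together with the `replacement` field that references it.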

You can keep (inherit …) because the effect of ‘package/inherit’ is just
to preserve replacements, which is unnecessary here.

Apart from that, the Guix side of things LGTM.

Thanks for working on it!

Ludo’.




Added tag(s) security. Request was from Ludovic Courtès <ludo@gnu.org> to control@debbugs.gnu.org. (Mon, 22 Feb 2021 09:16:02 GMT)


Reply sent to Leo Famulari <leo@famulari.name>:
You have taken responsibility. (Tue, 23 Feb 2021 19:18:02 GMT)


Notification sent to Leo Famulari <leo@famulari.name>:
bug acknowledged by developer. (Tue, 23 Feb 2021 19:18:02 GMT)


Message #27 received at 46631-done@debbugs.gnu.org:

From: Leo Famulari <leo@famulari.name>
To: Ludovic Courtès <ludo@gnu.org>
Cc: 46631-done@debbugs.gnu.org
Subject: Re: bug#46631: Python CVE-2021-3177
Date: Tue, 23 Feb 2021 14:16:54 -0500
On Mon, Feb 22, 2021 at 09:08:14AM +0100, Ludovic Courtès wrote:
> You can keep (inherit …) because the effect of ‘package/inherit’ is just
> to preserve replacements, which is unnecessary here.

I used to know that... it's been a while and I forgot, and had trouble
understanding the package/inherit docstring. So I pushed a commit that I
hope clarifies it.

> Apart from that, the Guix side of things LGTM.

Pushed as 84e082e31706411e7f9c3189a83f8ed0b4016fe7

> Thanks for working on it!

Thanks for the review!




bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Wed, 24 Mar 2021 11:24:06 GMT)




debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 11:58:59 2024; Machine Name: wallace-server
