* bug#32878: Python-3 CVE-2018-14647 @ 2018-09-29 19:23 Leo Famulari 2018-10-06 14:51 ` Marius Bakke 0 siblings, 1 reply; 5+ messages in thread From: Leo Famulari @ 2018-09-29 19:23 UTC (permalink / raw) To: 32878 [-- Attachment #1: Type: text/plain, Size: 210 bytes --] Our Python 3.6.5 package is vulnerable to CVE-2018-14647, fixed in CPython commit f7666e828cc3d5873136473ea36ba2013d624fa1, released in v3.6.7rc1: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647 [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* bug#32878: Python-3 CVE-2018-14647 2018-09-29 19:23 bug#32878: Python-3 CVE-2018-14647 Leo Famulari @ 2018-10-06 14:51 ` Marius Bakke 2018-10-06 15:26 ` Marius Bakke 2018-10-10 19:26 ` Leo Famulari 0 siblings, 2 replies; 5+ messages in thread From: Marius Bakke @ 2018-10-06 14:51 UTC (permalink / raw) To: Leo Famulari, 32878 [-- Attachment #1.1: Type: text/plain, Size: 542 bytes --] Leo Famulari <leo@famulari.name> writes: > Our Python 3.6.5 package is vulnerable to CVE-2018-14647, fixed in > CPython commit f7666e828cc3d5873136473ea36ba2013d624fa1, released in > v3.6.7rc1: > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647 Reading <https://bugs.python.org/issue34623>, this issue seems to only affect older versions of Expat, or when using Pythons bundled one which is compiled with -DXML_POOR_ENTROPY. ...unfortunately we seem to be using the bundled version :-( This patch adds a graft for Python: [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #1.2: 0001-gnu-python-Fix-CVE-2018-14647.patch --] [-- Type: text/x-patch, Size: 5679 bytes --] From a60d655fd4dddb86e1c8134c675fb61af52b32af Mon Sep 17 00:00:00 2001 From: Marius Bakke <mbakke@fastmail.com> Date: Sat, 6 Oct 2018 16:47:05 +0200 Subject: [PATCH] gnu: python: Fix CVE-2018-14647. * gnu/packages/patches/python-CVE-2018-14647.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/python.scm (python-3/fixed): New variable. (python-3.6)[replacement]: New field. (python-minimal, python-debug, wrap-python3): Use PACKAGE/INHERIT instead of standard inheritance. --- gnu/local.mk | 1 + .../patches/python-CVE-2018-14647.patch | 61 +++++++++++++++++++ gnu/packages/python.scm | 16 +++-- 3 files changed, 74 insertions(+), 4 deletions(-) create mode 100644 gnu/packages/patches/python-CVE-2018-14647.patch diff --git a/gnu/local.mk b/gnu/local.mk index 61e5913a0..df16f85db 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1075,6 +1075,7 @@ dist_patch_DATA = \ %D%/packages/patches/python-3-deterministic-build-info.patch \ %D%/packages/patches/python-3-search-paths.patch \ %D%/packages/patches/python-3-fix-tests.patch \ + %D%/packages/patches/python-CVE-2018-14647.patch \ %D%/packages/patches/python-axolotl-AES-fix.patch \ %D%/packages/patches/python-cairocffi-dlopen-path.patch \ %D%/packages/patches/python-fix-tests.patch \ diff --git a/gnu/packages/patches/python-CVE-2018-14647.patch b/gnu/packages/patches/python-CVE-2018-14647.patch new file mode 100644 index 000000000..24f8d2182 --- /dev/null +++ b/gnu/packages/patches/python-CVE-2018-14647.patch @@ -0,0 +1,61 @@ +Fix CVE-2018-14647: +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647 +https://bugs.python.org/issue34623 + +Taken from upstream: +https://github.com/python/cpython/commit/f7666e828cc3d5873136473ea36ba2013d624fa1 + +diff --git Include/pyexpat.h Include/pyexpat.h +index 44259bf6d7..07020b5dc9 100644 +--- Include/pyexpat.h ++++ Include/pyexpat.h +@@ -3,7 +3,7 @@ + + /* note: you must import expat.h before importing this module! */ + +-#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.0" ++#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.1" + #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI" + + struct PyExpat_CAPI +@@ -48,6 +48,8 @@ struct PyExpat_CAPI + enum XML_Status (*SetEncoding)(XML_Parser parser, const XML_Char *encoding); + int (*DefaultUnknownEncodingHandler)( + void *encodingHandlerData, const XML_Char *name, XML_Encoding *info); ++ /* might be none for expat < 2.1.0 */ ++ int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt); + /* always add new stuff to the end! */ + }; + +diff --git Modules/_elementtree.c Modules/_elementtree.c +index 707ab2912b..53f05f937f 100644 +--- Modules/_elementtree.c ++++ Modules/_elementtree.c +@@ -3261,6 +3261,11 @@ _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject *html, + PyErr_NoMemory(); + return -1; + } ++ /* expat < 2.1.0 has no XML_SetHashSalt() */ ++ if (EXPAT(SetHashSalt) != NULL) { ++ EXPAT(SetHashSalt)(self->parser, ++ (unsigned long)_Py_HashSecret.expat.hashsalt); ++ } + + if (target) { + Py_INCREF(target); +diff --git Modules/pyexpat.c Modules/pyexpat.c +index 47c3e86c20..aa21d93c11 100644 +--- Modules/pyexpat.c ++++ Modules/pyexpat.c +@@ -1887,6 +1887,11 @@ MODULE_INITFUNC(void) + capi.SetStartDoctypeDeclHandler = XML_SetStartDoctypeDeclHandler; + capi.SetEncoding = XML_SetEncoding; + capi.DefaultUnknownEncodingHandler = PyUnknownEncodingHandler; ++#if XML_COMBINED_VERSION >= 20100 ++ capi.SetHashSalt = XML_SetHashSalt; ++#else ++ capi.SetHashSalt = NULL; ++#endif + + /* export using capsule */ + capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL); diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index 4703d95a2..5ee3db6bf 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm @@ -357,6 +357,7 @@ data types.") (package (inherit python-2) (name "python") (version "3.6.5") + (replacement python-3/fixed) (source (origin (method url-fetch) (uri (string-append "https://www.python.org/ftp/python/" @@ -456,6 +457,14 @@ data types.") ;; Current 3.x version. (define-public python-3 python-3.6) +(define python-3/fixed + (package + (inherit python-3) + (source (origin + (inherit (package-source python-3)) + (patches (append (origin-patches (package-source python-3)) + (search-patches "python-CVE-2018-14647.patch"))))))) + ;; Current major version. (define-public python python-3) @@ -474,7 +483,7 @@ data types.") ("zlib" ,zlib))))) (define-public python-minimal - (package (inherit python) + (package/inherit python (name "python-minimal") (outputs '("out")) @@ -486,8 +495,7 @@ data types.") ("zlib" ,zlib))))) (define-public python-debug - (package - (inherit python) + (package/inherit python (name "python-debug") (outputs '("out" "debug")) (build-system gnu-build-system) @@ -506,7 +514,7 @@ for more information."))) (define* (wrap-python3 python #:optional (name (string-append (package-name python) "-wrapper"))) - (package (inherit python) + (package/inherit python (name name) (source #f) (build-system trivial-build-system) -- 2.19.0 [-- Attachment #1.3: Type: text/plain, Size: 7 bytes --] WDYT? [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 487 bytes --] ^ permalink raw reply related [flat|nested] 5+ messages in thread
* bug#32878: Python-3 CVE-2018-14647 2018-10-06 14:51 ` Marius Bakke @ 2018-10-06 15:26 ` Marius Bakke 2018-10-10 19:26 ` Leo Famulari 1 sibling, 0 replies; 5+ messages in thread From: Marius Bakke @ 2018-10-06 15:26 UTC (permalink / raw) To: Leo Famulari, 32878 [-- Attachment #1.1: Type: text/plain, Size: 6110 bytes --] Marius Bakke <mbakke@fastmail.com> writes: > This patch adds a graft for Python: > > From a60d655fd4dddb86e1c8134c675fb61af52b32af Mon Sep 17 00:00:00 2001 > From: Marius Bakke <mbakke@fastmail.com> > Date: Sat, 6 Oct 2018 16:47:05 +0200 > Subject: [PATCH] gnu: python: Fix CVE-2018-14647. > > * gnu/packages/patches/python-CVE-2018-14647.patch: New file. > * gnu/local.mk (dist_patch_DATA): Register it. > * gnu/packages/python.scm (python-3/fixed): New variable. > (python-3.6)[replacement]: New field. > (python-minimal, python-debug, wrap-python3): Use PACKAGE/INHERIT instead of > standard inheritance. > --- > gnu/local.mk | 1 + > .../patches/python-CVE-2018-14647.patch | 61 +++++++++++++++++++ > gnu/packages/python.scm | 16 +++-- > 3 files changed, 74 insertions(+), 4 deletions(-) > create mode 100644 gnu/packages/patches/python-CVE-2018-14647.patch > > diff --git a/gnu/local.mk b/gnu/local.mk > index 61e5913a0..df16f85db 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk > @@ -1075,6 +1075,7 @@ dist_patch_DATA = \ > %D%/packages/patches/python-3-deterministic-build-info.patch \ > %D%/packages/patches/python-3-search-paths.patch \ > %D%/packages/patches/python-3-fix-tests.patch \ > + %D%/packages/patches/python-CVE-2018-14647.patch \ > %D%/packages/patches/python-axolotl-AES-fix.patch \ > %D%/packages/patches/python-cairocffi-dlopen-path.patch \ > %D%/packages/patches/python-fix-tests.patch \ > diff --git a/gnu/packages/patches/python-CVE-2018-14647.patch b/gnu/packages/patches/python-CVE-2018-14647.patch > new file mode 100644 > index 000000000..24f8d2182 > --- /dev/null > +++ b/gnu/packages/patches/python-CVE-2018-14647.patch > @@ -0,0 +1,61 @@ > +Fix CVE-2018-14647: > +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647 > +https://bugs.python.org/issue34623 > + > +Taken from upstream: > +https://github.com/python/cpython/commit/f7666e828cc3d5873136473ea36ba2013d624fa1 > + > +diff --git Include/pyexpat.h Include/pyexpat.h > +index 44259bf6d7..07020b5dc9 100644 > +--- Include/pyexpat.h > ++++ Include/pyexpat.h > +@@ -3,7 +3,7 @@ > + > + /* note: you must import expat.h before importing this module! */ > + > +-#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.0" > ++#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.1" > + #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI" > + > + struct PyExpat_CAPI > +@@ -48,6 +48,8 @@ struct PyExpat_CAPI > + enum XML_Status (*SetEncoding)(XML_Parser parser, const XML_Char *encoding); > + int (*DefaultUnknownEncodingHandler)( > + void *encodingHandlerData, const XML_Char *name, XML_Encoding *info); > ++ /* might be none for expat < 2.1.0 */ > ++ int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt); > + /* always add new stuff to the end! */ > + }; > + > +diff --git Modules/_elementtree.c Modules/_elementtree.c > +index 707ab2912b..53f05f937f 100644 > +--- Modules/_elementtree.c > ++++ Modules/_elementtree.c > +@@ -3261,6 +3261,11 @@ _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject *html, > + PyErr_NoMemory(); > + return -1; > + } > ++ /* expat < 2.1.0 has no XML_SetHashSalt() */ > ++ if (EXPAT(SetHashSalt) != NULL) { > ++ EXPAT(SetHashSalt)(self->parser, > ++ (unsigned long)_Py_HashSecret.expat.hashsalt); > ++ } > + > + if (target) { > + Py_INCREF(target); > +diff --git Modules/pyexpat.c Modules/pyexpat.c > +index 47c3e86c20..aa21d93c11 100644 > +--- Modules/pyexpat.c > ++++ Modules/pyexpat.c > +@@ -1887,6 +1887,11 @@ MODULE_INITFUNC(void) > + capi.SetStartDoctypeDeclHandler = XML_SetStartDoctypeDeclHandler; > + capi.SetEncoding = XML_SetEncoding; > + capi.DefaultUnknownEncodingHandler = PyUnknownEncodingHandler; > ++#if XML_COMBINED_VERSION >= 20100 > ++ capi.SetHashSalt = XML_SetHashSalt; > ++#else > ++ capi.SetHashSalt = NULL; > ++#endif > + > + /* export using capsule */ > + capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL); > diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm > index 4703d95a2..5ee3db6bf 100644 > --- a/gnu/packages/python.scm > +++ b/gnu/packages/python.scm > @@ -357,6 +357,7 @@ data types.") > (package (inherit python-2) > (name "python") > (version "3.6.5") > + (replacement python-3/fixed) > (source (origin > (method url-fetch) > (uri (string-append "https://www.python.org/ftp/python/" > @@ -456,6 +457,14 @@ data types.") > ;; Current 3.x version. > (define-public python-3 python-3.6) > > +(define python-3/fixed > + (package > + (inherit python-3) > + (source (origin > + (inherit (package-source python-3)) > + (patches (append (origin-patches (package-source python-3)) > + (search-patches "python-CVE-2018-14647.patch"))))))) > + > ;; Current major version. > (define-public python python-3) > > @@ -474,7 +483,7 @@ data types.") > ("zlib" ,zlib))))) > > (define-public python-minimal > - (package (inherit python) > + (package/inherit python > (name "python-minimal") > (outputs '("out")) > > @@ -486,8 +495,7 @@ data types.") > ("zlib" ,zlib))))) > > (define-public python-debug > - (package > - (inherit python) > + (package/inherit python > (name "python-debug") > (outputs '("out" "debug")) > (build-system gnu-build-system) > @@ -506,7 +514,7 @@ for more information."))) > (define* (wrap-python3 python > #:optional > (name (string-append (package-name python) "-wrapper"))) > - (package (inherit python) > + (package/inherit python > (name name) > (source #f) > (build-system trivial-build-system) > -- > 2.19.0 Whoops, this hunk is also needed: [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #1.2: Type: text/x-patch, Size: 963 bytes --] 1 file changed, 11 insertions(+), 1 deletion(-) gnu/packages/python.scm | 12 +++++++++++- modified gnu/packages/python.scm @@ -463,7 +463,17 @@ data types.") (source (origin (inherit (package-source python-3)) (patches (append (origin-patches (package-source python-3)) - (search-patches "python-CVE-2018-14647.patch"))))))) + (search-patches "python-CVE-2018-14647.patch"))))) + (arguments + (substitute-keyword-arguments (package-arguments python-3) + ((#:phases phases) + `(modify-phases ,phases + (add-after 'unpack 'delete-broken-test + (lambda _ + ;; Delete test which fails on recent kernels: + ;; <https://bugs.python.org/issue34587>. + (delete-file "Lib/test/test_socket.py") + #t)))))))) ;; Current major version. (define-public python python-3) [back] [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 487 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* bug#32878: Python-3 CVE-2018-14647 2018-10-06 14:51 ` Marius Bakke 2018-10-06 15:26 ` Marius Bakke @ 2018-10-10 19:26 ` Leo Famulari 2018-10-11 8:04 ` Mark H Weaver 1 sibling, 1 reply; 5+ messages in thread From: Leo Famulari @ 2018-10-10 19:26 UTC (permalink / raw) To: Marius Bakke; +Cc: 32878 [-- Attachment #1: Type: text/plain, Size: 725 bytes --] On Sat, Oct 06, 2018 at 04:51:07PM +0200, Marius Bakke wrote: > From a60d655fd4dddb86e1c8134c675fb61af52b32af Mon Sep 17 00:00:00 2001 > From: Marius Bakke <mbakke@fastmail.com> > Date: Sat, 6 Oct 2018 16:47:05 +0200 > Subject: [PATCH] gnu: python: Fix CVE-2018-14647. > > * gnu/packages/patches/python-CVE-2018-14647.patch: New file. > * gnu/local.mk (dist_patch_DATA): Register it. > * gnu/packages/python.scm (python-3/fixed): New variable. > (python-3.6)[replacement]: New field. > (python-minimal, python-debug, wrap-python3): Use PACKAGE/INHERIT instead of > standard inheritance. Thanks! I did some more basic tests with this one, using the extra hunk in your other mail. I think this change is okay. [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* bug#32878: Python-3 CVE-2018-14647 2018-10-10 19:26 ` Leo Famulari @ 2018-10-11 8:04 ` Mark H Weaver 0 siblings, 0 replies; 5+ messages in thread From: Mark H Weaver @ 2018-10-11 8:04 UTC (permalink / raw) To: Leo Famulari; +Cc: 32878 Leo Famulari <leo@famulari.name> writes: > On Sat, Oct 06, 2018 at 04:51:07PM +0200, Marius Bakke wrote: >> From a60d655fd4dddb86e1c8134c675fb61af52b32af Mon Sep 17 00:00:00 2001 >> From: Marius Bakke <mbakke@fastmail.com> >> Date: Sat, 6 Oct 2018 16:47:05 +0200 >> Subject: [PATCH] gnu: python: Fix CVE-2018-14647. >> >> * gnu/packages/patches/python-CVE-2018-14647.patch: New file. >> * gnu/local.mk (dist_patch_DATA): Register it. >> * gnu/packages/python.scm (python-3/fixed): New variable. >> (python-3.6)[replacement]: New field. >> (python-minimal, python-debug, wrap-python3): Use PACKAGE/INHERIT instead of >> standard inheritance. > > Thanks! I did some more basic tests with this one, using the extra hunk > in your other mail. I think this change is okay. As I wrote in another thread, I added this commit (with extra hunk) to my private branch a few days ago, along with the Python-2 security fixes, updated my GuixSD GNOME 3 system and user profile, and everything seems to be working well. I think they are both ready to push to master. Thank you, Marius! Mark ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-10-11 8:05 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2018-09-29 19:23 bug#32878: Python-3 CVE-2018-14647 Leo Famulari 2018-10-06 14:51 ` Marius Bakke 2018-10-06 15:26 ` Marius Bakke 2018-10-10 19:26 ` Leo Famulari 2018-10-11 8:04 ` Mark H Weaver
Code repositories for project(s) associated with this public inbox https://git.savannah.gnu.org/cgit/guix.git This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).