From: Leo Famulari
To: bug-guix@gnu.org
Subject: bug#46631: Python CVE-2021-3177
Date: Thu, 18 Feb 2021 22:21:34 -0500
List-Id: Bug reports for GNU Guix

Quoting from MITRE:

------
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.
------

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177

There is not yet an upstream release to fix the issue in the 3.8 series that we distribute.

I believe there are patches we can cherry-pick. Can somebody find them?

I assume that Python is considered to be "graft-able". Can anyone confirm?

The upstream bug report:

https://bugs.python.org/issue42938
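The MITRE text above says the defect is an unsafe sprintf of an untrusted floating-point value. The following is an added illustration of that defect class, written for this thread; it is not code from the bug report, from Guix, or from CPython's _ctypes/callproc.c. The 256-byte buffer size and the "<cparam 'd' (%f)>" format string are assumptions chosen to model the pattern. It measures how many bytes "%f" needs for a value such as 1e300 without performing the unbounded write, and places the bounded snprintf form with a truncation check beside it.

```c
/* Added example (not from the Guix report or CPython): why a fixed-size
 * buffer filled by sprintf("%f") from an attacker-chosen double overflows,
 * and the bounded form that reports truncation instead. */
#include <stdio.h>
#include <string.h>

#define REPR_BUF 256   /* assumed fixed buffer size for the vulnerable pattern */

/* Assumed format string modelling the repr of a c_double parameter. */
static const char *REPR_FMT = "<cparam 'd' (%f)>";

/* Bytes (excluding the NUL) that formatting `value` would produce.
 * snprintf with a NULL buffer and size 0 only counts; it never writes. */
size_t repr_needed_len(double value) {
    int n = snprintf(NULL, 0, REPR_FMT, value);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if an unbounded sprintf of `value` into a REPR_BUF-byte buffer would
 * write past its end (the formatted text plus NUL exceeds the buffer). */
int would_overflow(double value) {
    return repr_needed_len(value) + 1 > REPR_BUF;
}

/* Hardened form: snprintf bounds the write to `outsz` bytes, and the
 * caller learns about truncation instead of silently corrupting memory.
 * Returns 0 on success, -1 if the output was truncated or failed;
 * `out` is always NUL-terminated when outsz > 0. */
int safe_repr(double value, char *out, size_t outsz) {
    int n = snprintf(out, outsz, REPR_FMT, value);
    if (n < 0) {
        if (outsz) out[0] = '\0';
        return -1;
    }
    return (size_t)n < outsz ? 0 : -1;
}

int main(void) {
    /* Constructed sample inputs: a benign value and the 1e300 from the CVE text. */
    double benign = 3.5, hostile = 1e300;
    char buf[REPR_BUF];

    printf("3.5   needs %zu bytes, would_overflow=%d\n",
           repr_needed_len(benign), would_overflow(benign));
    printf("1e300 needs %zu bytes, would_overflow=%d\n",
           repr_needed_len(hostile), would_overflow(hostile));

    if (safe_repr(hostile, buf, sizeof buf) != 0)
        printf("safe_repr: truncated, buffer intact (%zu chars kept)\n", strlen(buf));
    return 0;
}
```

"%f" prints every integer digit of the value, so a double near 1e300 yields 301 digits before the decimal point plus six after it; with the prefix and suffix that is 323 bytes, far beyond a 256-byte buffer, which is exactly the situation an unbounded sprintf cannot detect. A review heuristic that follows from this: any sprintf (or strcpy/strcat) whose output length depends on a caller-supplied numeric or string value is a candidate for the same bug.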