GNU bug report logs - #46631 Python CVE-2021-3177
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Fri, 19 Feb 2021 03:22:01 UTC
Severity: normal
Tags: security
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
Report forwarded to bug-guix <at> gnu.org: bug#46631; Package guix. (Fri, 19 Feb 2021 03:22:01 GMT)
Acknowledgement sent to Leo Famulari <leo <at> famulari.name>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 19 Feb 2021 03:22:01 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Quoting from MITRE:
------
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in
_ctypes/callproc.c, which may lead to remote code execution in certain
Python applications that accept floating-point numbers as untrusted
input, as demonstrated by a 1e300 argument to c_double.from_param. This
occurs because sprintf is used unsafely.
------
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177
There is not yet an upstream release to fix the issue in the 3.8 series
that we distribute. I believe there are patches we can cherry-pick. Can
somebody find them?
I assume that Python is considered to be "graft-able". Can anyone
confirm?
The upstream bug report:
https://bugs.python.org/issue42938
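The MITRE text quoted above describes an unbounded printf-style conversion of a double into a fixed-size buffer. The C block below is an added example, not CPython's code: it measures how many bytes "%f" needs for 1e300 without writing them, and shows a bounded formatter with an explicit size check. The 256-byte buffer size, the function names and the "<cparam ...>" wrapper text are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed buffer size, standing in for the stack buffer the
 * advisory describes (the real size is not stated on the page). */
#define REPR_BUFSIZE 256

/* Number of bytes "%f" needs for VALUE, measured with snprintf(NULL, 0, ...)
 * so nothing is written. "%f" prints every integer digit, so its length grows
 * with the magnitude of the value: for 1e300 it is over 300 bytes, i.e. the
 * output length is controlled by the input, not by the buffer. */
size_t repr_len_percent_f(double value)
{
    int n = snprintf(NULL, 0, "<cparam 'd' (%f)>", value);
    return n < 0 ? 0 : (size_t)n;
}

/* Returns 1 if formatting VALUE with "%f" would not fit in REPR_BUFSIZE. */
int would_overflow(double value)
{
    return repr_len_percent_f(value) >= REPR_BUFSIZE;
}

/* Hardened formatter: "%g" keeps the mantissa short and switches to an
 * exponent for large magnitudes, and snprintf never writes past BUFLEN.
 * Returns 0 on success, -1 if the result was truncated (BUF is then emptied
 * so a caller cannot use a partial string by mistake). */
int repr_double_safe(double value, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "<cparam 'd' (%g)>", value);
    if (n < 0 || (size_t)n >= buflen) {
        if (buflen)
            buf[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[REPR_BUFSIZE];
    double v = 1e300; /* the value named in the CVE description */
    printf("\"%%f\" needs %zu bytes; buffer holds %d\n",
           repr_len_percent_f(v), REPR_BUFSIZE);
    if (repr_double_safe(v, buf, sizeof buf) == 0)
        printf("bounded repr: %s\n", buf);
    return 0;
}
```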
Information forwarded to bug-guix <at> gnu.org: bug#46631; Package guix. (Fri, 19 Feb 2021 15:36:01 GMT)
Message #8 received at 46631 <at> debbugs.gnu.org:
Hi,
Leo Famulari <leo <at> famulari.name> wrote:
> I assume that Python is considered to be "graft-able". Can anyone
> confirm?
Yes, I think so.
Ludo’.
Information forwarded to bug-guix <at> gnu.org: bug#46631; Package guix. (Fri, 19 Feb 2021 23:14:01 GMT)
Message #11 received at 46631 <at> debbugs.gnu.org:
I pushed a fix for Python 3.9 in commit
f08c7cb0c75e7d5305c82d6a4af68ddf74fb08b1.
But, we use Python 3.8 for everything, and my patch (attached) fails to
apply for some reason. It does work when I apply the new bug fix patch
"by hand" onto the Guix source code for our current python-3.8 package.
[0001-gnu-Python-Fix-CVE-2021-3177.patch (text/plain, attachment)]
Information forwarded to bug-guix <at> gnu.org: bug#46631; Package guix. (Fri, 19 Feb 2021 23:24:01 GMT)
Message #14 received at 46631 <at> debbugs.gnu.org:
On Fri, Feb 19, 2021 at 06:12:58PM -0500, Leo Famulari wrote:
> But, we use Python 3.8 for everything, and my patch (attached) fails to
> apply for some reason. It does work when I apply the new bug fix patch
> "by hand" onto the Guix source code for our current python-3.8 package.
More weirdness: When I apply the patch to the python-3.8 package (that
is, without setting up a grafted replacement), it works. So I am
definitely doing something wrong here.
Information forwarded to bug-guix <at> gnu.org: bug#46631; Package guix. (Fri, 19 Feb 2021 23:42:01 GMT)
Message #17 received at 46631 <at> debbugs.gnu.org:
On Fri, Feb 19, 2021 at 06:23:49PM -0500, Leo Famulari wrote:
> More weirdness: When I apply the patch to the python-3.8 package (that
> is, without setting up a grafted replacement), it works. So I am
> definitely doing something wrong here.
Here is a new patch that I'm currently building. I think I had composed
the package inheritance incorrectly in my previous patch.
[0001-gnu-Python-Fix-CVE-2021-3177.patch (text/plain, attachment)]
Information forwarded to bug-guix <at> gnu.org: bug#46631; Package guix. (Mon, 22 Feb 2021 08:09:01 GMT)
Message #20 received at 46631 <at> debbugs.gnu.org:
Hi Leo,
Leo Famulari <leo <at> famulari.name> wrote:
> From b62969d52add462fc1b8b4bd1e0a3c4d53a39864 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo <at> famulari.name>
> Date: Fri, 19 Feb 2021 18:09:57 -0500
> Subject: [PATCH] gnu: Python: Fix CVE-2021-3177.
>
> * gnu/packages/patches/python-3.8-CVE-2021-3177.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/python.scm (python-3.8): Define with PACKAGE/INHERIT.
> [replacement]: New field.
> (python-3.8/fixed): New variable.
[...]
> (define-public python-3.8
> - (package (inherit python-2)
> + (package/inherit python-2
> (name "python")
> + (replacement python-3.8/fixed)
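Review bot: the quoted hunk adds `(replacement python-3.8/fixed)` to python-3.8 but does not include the definition of `python-3.8/fixed` that the commit message lists as a new variable, so the graft pairing cannot be checked from this excerpt; please quote that hunk too, and confirm the replacement keeps python-3.8's name and version, since a graft rewrites store references in place and the replacement's store file name must have the same length as the original's.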
You can keep (inherit …) because the effect of ‘package/inherit’ is just
to preserve replacements, which is unnecessary here.
Apart from that, the Guix side of things LGTM.
Thanks for working on it!
Ludo’.
Added tag(s) security. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Mon, 22 Feb 2021 09:16:02 GMT)
Reply sent to Leo Famulari <leo <at> famulari.name>: You have taken responsibility. (Tue, 23 Feb 2021 19:18:02 GMT)
Notification sent to Leo Famulari <leo <at> famulari.name>: bug acknowledged by developer. (Tue, 23 Feb 2021 19:18:02 GMT)
Message #27 received at 46631-done <at> debbugs.gnu.org:
On Mon, Feb 22, 2021 at 09:08:14AM +0100, Ludovic Courtès wrote:
> You can keep (inherit …) because the effect of ‘package/inherit’ is just
> to preserve replacements, which is unnecessary here.
I used to know that... it's been a while and I forgot, and had trouble
understanding the package/inherit docstring. So I pushed a commit that I
hope clarifies it.
> Apart from that, the Guix side of things LGTM.
Pushed as 84e082e31706411e7f9c3189a83f8ed0b4016fe7
> Thanks for working on it!
Thanks for the review!
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 24 Mar 2021 11:24:06 GMT)
This bug report was last modified 3 years and 25 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.