From: Ludovic Courtès <ludo@HIDDEN>
To: Leo Famulari <leo@HIDDEN>
Cc: 46631 <at> debbugs.gnu.org
Subject: Re: bug#46631: Python CVE-2021-3177
Date: Mon, 22 Feb 2021 09:08:14 +0100

Hi Leo,

Leo Famulari <leo@HIDDEN> wrote:

> From b62969d52add462fc1b8b4bd1e0a3c4d53a39864 Mon Sep 17 00:00:00 2001 > From: Leo Famulari <leo@HIDDEN> > Date: Fri, 19 Feb 2021 18:09:57 -0500 > Subject: [PATCH] gnu: Python: Fix CVE-2021-3177. > > * gnu/packages/patches/python-3.8-CVE-2021-3177.patch: New file. > * gnu/local.mk (dist_patch_DATA): Add it. > * gnu/packages/python.scm (python-3.8): Define with PACKAGE/INHERIT. > [replacement]: New field. > (python-3.8/fixed): New variable. [...] > (define-public python-3.8 > - (package (inherit python-2) > + (package/inherit python-2 > (name "python") > + (replacement python-3.8/fixed)

You can keep (inherit …) because the effect of ‘package/inherit’ is just to preserve replacements, which is unnecessary here.

Apart from that, the Guix side of things LGTM.

Thanks for working on it!

Ludo’.
bug-guix@HIDDEN: bug#46631; Package guix.
From: Leo Famulari <leo@HIDDEN>
To: 46631 <at> debbugs.gnu.org
Subject: Re: Python CVE-2021-3177
Date: Fri, 19 Feb 2021 18:41:26 -0500

On Fri, Feb 19, 2021 at 06:23:49PM -0500, Leo Famulari wrote:
> More weirdness: When I apply the patch to the python-3.8 package (that
> is, without setting up a grafted replacement), it works. So I am
> definitely doing something wrong here.

Here is a new patch that I'm currently building. I think I had composed the package inheritance incorrectly in my previous patch.
--3NoRtp2S5MlcyUaO Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="0001-gnu-Python-Fix-CVE-2021-3177.patch" Content-Transfer-Encoding: quoted-printable =46rom b62969d52add462fc1b8b4bd1e0a3c4d53a39864 Mon Sep 17 00:00:00 2001 =46rom: Leo Famulari <leo@HIDDEN> Date: Fri, 19 Feb 2021 18:09:57 -0500 Subject: [PATCH] gnu: Python: Fix CVE-2021-3177. * gnu/packages/patches/python-3.8-CVE-2021-3177.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/python.scm (python-3.8): Define with PACKAGE/INHERIT. [replacement]: New field. (python-3.8/fixed): New variable. --- gnu/local.mk | 1 + .../patches/python-3.8-CVE-2021-3177.patch | 194 ++++++++++++++++++ gnu/packages/python.scm | 11 +- 3 files changed, 205 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/python-3.8-CVE-2021-3177.patch diff --git a/gnu/local.mk b/gnu/local.mk index 5588cda2e1..26dbcb940f 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1526,6 +1526,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/python-3-search-paths.patch \ %D%/packages/patches/python-3-fix-tests.patch \ %D%/packages/patches/python-3.8-fix-tests.patch \ + %D%/packages/patches/python-3.8-CVE-2021-3177.patch \ %D%/packages/patches/python-3.9-fix-tests.patch \ %D%/packages/patches/python-3.9-CVE-2021-3177.patch \ %D%/packages/patches/python-CVE-2018-14647.patch \ diff --git a/gnu/packages/patches/python-3.8-CVE-2021-3177.patch b/gnu/pack= ages/patches/python-3.8-CVE-2021-3177.patch new file mode 100644 index 0000000000..01f6b52865 --- /dev/null +++ b/gnu/packages/patches/python-3.8-CVE-2021-3177.patch 
@@ -0,0 +1,194 @@ +Fix CVE-2021-3177 for Python 3.8: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2021-3177 + +Patch copied from upstream source repository: + +https://github.com/python/cpython/commit/ece5dfd403dac211f8d3c72701fe7ba7b= 7aa5b5f + +From ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@HIDDEN> +Date: Mon, 18 Jan 2021 13:28:52 -0800 +Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode + formatting in ctypes param reprs. (GH-24248) + +(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7) + +Co-authored-by: Benjamin Peterson <benjamin@HIDDEN> + +Co-authored-by: Benjamin Peterson <benjamin@HIDDEN> +--- + Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++ + .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 + + Modules/_ctypes/callproc.c | 51 +++++++------------ + 3 files changed, 64 insertions(+), 32 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-4293= 8.4Zn4Mp.rst + +diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_par= ameters.py +index e4c25fd880cef..531894fdec838 100644 +--- a/Lib/ctypes/test/test_parameters.py ++++ b/Lib/ctypes/test/test_parameters.py +@@ -201,6 +201,49 @@ def __dict__(self): + with self.assertRaises(ZeroDivisionError): + WorseStruct().__setstate__({}, b'foo') +=20 ++ def test_parameter_repr(self): ++ from ctypes import ( ++ c_bool, ++ c_char, ++ c_wchar, ++ c_byte, ++ c_ubyte, ++ c_short, ++ c_ushort, ++ c_int, ++ c_uint, ++ c_long, ++ c_ulong, ++ c_longlong, ++ c_ulonglong, ++ c_float, ++ c_double, ++ c_longdouble, ++ c_char_p, ++ c_wchar_p, ++ c_void_p, ++ ) ++ self.assertRegex(repr(c_bool.from_param(True)), r"^<cparam '\?' 
a= t 0x[A-Fa-f0-9]+>$") ++ self.assertEqual(repr(c_char.from_param(97)), "<cparam 'c' ('a')>= ") ++ self.assertRegex(repr(c_wchar.from_param('a')), r"^<cparam 'u' at= 0x[A-Fa-f0-9]+>$") ++ self.assertEqual(repr(c_byte.from_param(98)), "<cparam 'b' (98)>") ++ self.assertEqual(repr(c_ubyte.from_param(98)), "<cparam 'B' (98)>= ") ++ self.assertEqual(repr(c_short.from_param(511)), "<cparam 'h' (511= )>") ++ self.assertEqual(repr(c_ushort.from_param(511)), "<cparam 'H' (51= 1)>") ++ self.assertRegex(repr(c_int.from_param(20000)), r"^<cparam '[li]'= \(20000\)>$") ++ self.assertRegex(repr(c_uint.from_param(20000)), r"^<cparam '[LI]= ' \(20000\)>$") ++ self.assertRegex(repr(c_long.from_param(20000)), r"^<cparam '[li]= ' \(20000\)>$") ++ self.assertRegex(repr(c_ulong.from_param(20000)), r"^<cparam '[LI= ]' \(20000\)>$") ++ self.assertRegex(repr(c_longlong.from_param(20000)), r"^<cparam '= [liq]' \(20000\)>$") ++ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^<cparam = '[LIQ]' \(20000\)>$") ++ self.assertEqual(repr(c_float.from_param(1.5)), "<cparam 'f' (1.5= )>") ++ self.assertEqual(repr(c_double.from_param(1.5)), "<cparam 'd' (1.= 5)>") ++ self.assertEqual(repr(c_double.from_param(1e300)), "<cparam 'd' (= 1e+300)>") ++ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^<cparam (= 'd' \(1.5\)|'g' at 0x[A-Fa-f0-9]+)>$") ++ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^<cparam 'z= ' \(0x[A-Fa-f0-9]+\)>$") ++ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^<cparam 'Z= ' \(0x[A-Fa-f0-9]+\)>$") ++ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^<cparam 'P' = \(0x0*12\)>$") ++ + ################################################################ +=20 + if __name__ =3D=3D '__main__': +#diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4= Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst +#new file mode 100644 +#index 0000000000000..7df65a156feab +#--- /dev/null +#+++ 
b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst +#@@ -0,0 +1,2 @@ +#+Avoid static buffers when computing the repr of :class:`ctypes.c_double`= and +#+:class:`ctypes.c_longdouble` values. +diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c +index a9b8675cd951b..de75918d49f37 100644 +--- a/Modules/_ctypes/callproc.c ++++ b/Modules/_ctypes/callproc.c +@@ -484,58 +484,47 @@ is_literal_char(unsigned char c) + static PyObject * + PyCArg_repr(PyCArgObject *self) + { +- char buffer[256]; + switch(self->tag) { + case 'b': + case 'B': +- sprintf(buffer, "<cparam '%c' (%d)>", ++ return PyUnicode_FromFormat("<cparam '%c' (%d)>", + self->tag, self->value.b); +- break; + case 'h': + case 'H': +- sprintf(buffer, "<cparam '%c' (%d)>", ++ return PyUnicode_FromFormat("<cparam '%c' (%d)>", + self->tag, self->value.h); +- break; + case 'i': + case 'I': +- sprintf(buffer, "<cparam '%c' (%d)>", ++ return PyUnicode_FromFormat("<cparam '%c' (%d)>", + self->tag, self->value.i); +- break; + case 'l': + case 'L': +- sprintf(buffer, "<cparam '%c' (%ld)>", ++ return PyUnicode_FromFormat("<cparam '%c' (%ld)>", + self->tag, self->value.l); +- break; +=20 + case 'q': + case 'Q': +- sprintf(buffer, +-#ifdef MS_WIN32 +- "<cparam '%c' (%I64d)>", +-#else +- "<cparam '%c' (%lld)>", +-#endif ++ return PyUnicode_FromFormat("<cparam '%c' (%lld)>", + self->tag, self->value.q); +- break; + case 'd': +- sprintf(buffer, "<cparam '%c' (%f)>", +- self->tag, self->value.d); +- break; +- case 'f': +- sprintf(buffer, "<cparam '%c' (%f)>", +- self->tag, self->value.f); +- break; +- ++ case 'f': { ++ PyObject *f =3D PyFloat_FromDouble((self->tag =3D=3D 'f') ? 
self-= >value.f : self->value.d); ++ if (f =3D=3D NULL) { ++ return NULL; ++ } ++ PyObject *result =3D PyUnicode_FromFormat("<cparam '%c' (%R)>", s= elf->tag, f); ++ Py_DECREF(f); ++ return result; ++ } + case 'c': + if (is_literal_char((unsigned char)self->value.c)) { +- sprintf(buffer, "<cparam '%c' ('%c')>", ++ return PyUnicode_FromFormat("<cparam '%c' ('%c')>", + self->tag, self->value.c); + } + else { +- sprintf(buffer, "<cparam '%c' ('\\x%02x')>", ++ return PyUnicode_FromFormat("<cparam '%c' ('\\x%02x')>", + self->tag, (unsigned char)self->value.c); + } +- break; +=20 + /* Hm, are these 'z' and 'Z' codes useful at all? + Shouldn't they be replaced by the functionality of c_string +@@ -544,22 +533,20 @@ PyCArg_repr(PyCArgObject *self) + case 'z': + case 'Z': + case 'P': +- sprintf(buffer, "<cparam '%c' (%p)>", ++ return PyUnicode_FromFormat("<cparam '%c' (%p)>", + self->tag, self->value.p); + break; +=20 + default: + if (is_literal_char((unsigned char)self->tag)) { +- sprintf(buffer, "<cparam '%c' at %p>", ++ return PyUnicode_FromFormat("<cparam '%c' at %p>", + (unsigned char)self->tag, (void *)self); + } + else { +- sprintf(buffer, "<cparam 0x%02x at %p>", ++ return PyUnicode_FromFormat("<cparam 0x%02x at %p>", + (unsigned char)self->tag, (void *)self); + } +- break; + } +- return PyUnicode_FromString(buffer); + } +=20 + static PyMemberDef PyCArgType_members[] =3D { diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index 730c371fda..fc28d0e3f8 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm @@ -362,8 +362,9 @@ data types.") (properties `((superseded . ,python-2))))) =20 (define-public python-3.8 - (package (inherit python-2) + (package/inherit python-2 (name "python") + (replacement python-3.8/fixed) (version "3.8.2") (source (origin (method url-fetch) 
@@ -521,6 +522,14 @@ data types.") (version-major+minor version) "/site-packages")))))))) =20 +(define python-3.8/fixed + (package + (inherit python-3.8) + (source (origin + (inherit (package-source python-3.8)) + (patches (append (search-patches "python-3.8-CVE-2021-3177.p= atch") + (origin-patches (package-source python-3.8)= ))))))) + (define-public python-3.9 (package (inherit python-3.8) (name "python-next") --=20 2.30.1
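Review bot: In the second Modules/_ctypes/callproc.c hunk (@@ -544,22 +533,20 @@), the 'z'/'Z'/'P' case keeps its `break;` as a context line directly after the new `return PyUnicode_FromFormat("<cparam '%c' (%p)>", ...)`, so that statement is now unreachable, whereas every other case had its `break;` deleted. Since the file is a copy of upstream commit ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f it is reasonable to leave it untouched in the Guix patch, but the dead statement is worth reporting upstream rather than carrying silently.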
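Review bot: The header of gnu/packages/patches/python-3.8-CVE-2021-3177.patch says only "Patch copied from upstream source repository", yet the Misc/NEWS.d/next/Security hunk further down has been disabled by prefixing each of its lines with `#`, while the embedded diffstat still lists that file under "3 files changed". Add a sentence to the header saying that the NEWS entry is intentionally left out and why, so that whoever refreshes the patch later does not take it for a verbatim copy.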
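Review bot: The trailing context of the last gnu/packages/python.scm hunk shows python-3.9 defined as `(package (inherit python-3.8)`, and this patch gives python-3.8 a `(replacement python-3.8/fixed)` field. Fields that are not overridden come from the inherited package, so please check that python-3.9 does not end up with python-3.8/fixed as its replacement; if it does, add `(replacement #f)` to python-3.9, which is already covered by the python-3.9-CVE-2021-3177.patch listed in gnu/local.mk.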
From: Leo Famulari <leo@HIDDEN>
To: 46631 <at> debbugs.gnu.org
Subject: Re: Python CVE-2021-3177
Date: Fri, 19 Feb 2021 18:23:49 -0500

On Fri, Feb 19, 2021 at 06:12:58PM -0500, Leo Famulari wrote:
> But, we use Python 3.8 for everything, and my patch (attached) fails to
> apply for some reason. It does work when I apply the new bug fix patch
> "by hand" onto the Guix source code for our current python-3.8 package.

More weirdness: When I apply the patch to the python-3.8 package (that is, without setting up a grafted replacement), it works. So I am definitely doing something wrong here.
From: Leo Famulari <leo@HIDDEN>
To: 46631 <at> debbugs.gnu.org
Subject: Re: Python CVE-2021-3177
Date: Fri, 19 Feb 2021 18:12:58 -0500

I pushed a fix for Python 3.9 in commit f08c7cb0c75e7d5305c82d6a4af68ddf74fb08b1.

But, we use Python 3.8 for everything, and my patch (attached) fails to apply for some reason. It does work when I apply the new bug fix patch "by hand" onto the Guix source code for our current python-3.8 package.

--/YZKjQU8EkpL8FB1
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="0001-gnu-Python-Fix-CVE-2021-3177.patch"

From 3cc80457d26c725da61307755716db18ff88d28e Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@HIDDEN> Date: Fri, 19 Feb 2021 18:09:57 -0500 Subject: [PATCH] gnu: Python: Fix CVE-2021-3177. * gnu/packages/patches/python-3.8-CVE-2021-3177.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/python.scm (python-3.8)[replacement]: New field. (python-3.8/fixed): New variable. --- gnu/local.mk | 1 + .../patches/python-3.8-CVE-2021-3177.patch | 194 ++++++++++++++++++ gnu/packages/python.scm | 8 + 3 files changed, 203 insertions(+) create mode 100644 gnu/packages/patches/python-3.8-CVE-2021-3177.patch diff --git a/gnu/local.mk b/gnu/local.mk index 5588cda2e1..26dbcb940f 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1526,6 +1526,7 @@ dist_patch_DATA = \ %D%/packages/patches/python-3-search-paths.patch \ %D%/packages/patches/python-3-fix-tests.patch \ %D%/packages/patches/python-3.8-fix-tests.patch \ + %D%/packages/patches/python-3.8-CVE-2021-3177.patch \ %D%/packages/patches/python-3.9-fix-tests.patch \ %D%/packages/patches/python-3.9-CVE-2021-3177.patch \ %D%/packages/patches/python-CVE-2018-14647.patch \ diff --git a/gnu/packages/patches/python-3.8-CVE-2021-3177.patch b/gnu/packages/patches/python-3.8-CVE-2021-3177.patch new file mode 100644 index 0000000000..01f6b52865 --- /dev/null +++ b/gnu/packages/patches/python-3.8-CVE-2021-3177.patch 
@@ -0,0 +1,194 @@ +Fix CVE-2021-3177 for Python 3.8: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177 + +Patch copied from upstream source repository: + +https://github.com/python/cpython/commit/ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f + +From ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@HIDDEN> +Date: Mon, 18 Jan 2021 13:28:52 -0800 +Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode + formatting in ctypes param reprs. (GH-24248) + +(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7) + +Co-authored-by: Benjamin Peterson <benjamin@HIDDEN> + +Co-authored-by: Benjamin Peterson <benjamin@HIDDEN> +--- + Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++ + .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 + + Modules/_ctypes/callproc.c | 51 +++++++------------ + 3 files changed, 64 insertions(+), 32 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst + +diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py +index e4c25fd880cef..531894fdec838 100644 +--- a/Lib/ctypes/test/test_parameters.py ++++ b/Lib/ctypes/test/test_parameters.py +@@ -201,6 +201,49 @@ def __dict__(self): + with self.assertRaises(ZeroDivisionError): + WorseStruct().__setstate__({}, b'foo') + ++ def test_parameter_repr(self): ++ from ctypes import ( ++ c_bool, ++ c_char, ++ c_wchar, ++ c_byte, ++ c_ubyte, ++ c_short, ++ c_ushort, ++ c_int, ++ c_uint, ++ c_long, ++ c_ulong, ++ c_longlong, ++ c_ulonglong, ++ c_float, ++ c_double, ++ c_longdouble, ++ c_char_p, ++ c_wchar_p, ++ c_void_p, ++ ) ++ self.assertRegex(repr(c_bool.from_param(True)), r"^<cparam '\?' 
at 0x[A-Fa-f0-9]+>$") ++ self.assertEqual(repr(c_char.from_param(97)), "<cparam 'c' ('a')>") ++ self.assertRegex(repr(c_wchar.from_param('a')), r"^<cparam 'u' at 0x[A-Fa-f0-9]+>$") ++ self.assertEqual(repr(c_byte.from_param(98)), "<cparam 'b' (98)>") ++ self.assertEqual(repr(c_ubyte.from_param(98)), "<cparam 'B' (98)>") ++ self.assertEqual(repr(c_short.from_param(511)), "<cparam 'h' (511)>") ++ self.assertEqual(repr(c_ushort.from_param(511)), "<cparam 'H' (511)>") ++ self.assertRegex(repr(c_int.from_param(20000)), r"^<cparam '[li]' \(20000\)>$") ++ self.assertRegex(repr(c_uint.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$") ++ self.assertRegex(repr(c_long.from_param(20000)), r"^<cparam '[li]' \(20000\)>$") ++ self.assertRegex(repr(c_ulong.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$") ++ self.assertRegex(repr(c_longlong.from_param(20000)), r"^<cparam '[liq]' \(20000\)>$") ++ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^<cparam '[LIQ]' \(20000\)>$") ++ self.assertEqual(repr(c_float.from_param(1.5)), "<cparam 'f' (1.5)>") ++ self.assertEqual(repr(c_double.from_param(1.5)), "<cparam 'd' (1.5)>") ++ self.assertEqual(repr(c_double.from_param(1e300)), "<cparam 'd' (1e+300)>") ++ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^<cparam ('d' \(1.5\)|'g' at 0x[A-Fa-f0-9]+)>$") ++ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$") ++ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^<cparam 'Z' \(0x[A-Fa-f0-9]+\)>$") ++ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^<cparam 'P' \(0x0*12\)>$") ++ + ################################################################ + + if __name__ == '__main__': +#diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst +#new file mode 100644 +#index 0000000000000..7df65a156feab +#--- /dev/null +#+++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst +#@@ -0,0 
+1,2 @@ +#+Avoid static buffers when computing the repr of :class:`ctypes.c_double` and +#+:class:`ctypes.c_longdouble` values. +diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c +index a9b8675cd951b..de75918d49f37 100644 +--- a/Modules/_ctypes/callproc.c ++++ b/Modules/_ctypes/callproc.c +@@ -484,58 +484,47 @@ is_literal_char(unsigned char c) + static PyObject * + PyCArg_repr(PyCArgObject *self) + { +- char buffer[256]; + switch(self->tag) { + case 'b': + case 'B': +- sprintf(buffer, "<cparam '%c' (%d)>", ++ return PyUnicode_FromFormat("<cparam '%c' (%d)>", + self->tag, self->value.b); +- break; + case 'h': + case 'H': +- sprintf(buffer, "<cparam '%c' (%d)>", ++ return PyUnicode_FromFormat("<cparam '%c' (%d)>", + self->tag, self->value.h); +- break; + case 'i': + case 'I': +- sprintf(buffer, "<cparam '%c' (%d)>", ++ return PyUnicode_FromFormat("<cparam '%c' (%d)>", + self->tag, self->value.i); +- break; + case 'l': + case 'L': +- sprintf(buffer, "<cparam '%c' (%ld)>", ++ return PyUnicode_FromFormat("<cparam '%c' (%ld)>", + self->tag, self->value.l); +- break; + + case 'q': + case 'Q': +- sprintf(buffer, +-#ifdef MS_WIN32 +- "<cparam '%c' (%I64d)>", +-#else +- "<cparam '%c' (%lld)>", +-#endif ++ return PyUnicode_FromFormat("<cparam '%c' (%lld)>", + self->tag, self->value.q); +- break; + case 'd': +- sprintf(buffer, "<cparam '%c' (%f)>", +- self->tag, self->value.d); +- break; +- case 'f': +- sprintf(buffer, "<cparam '%c' (%f)>", +- self->tag, self->value.f); +- break; +- ++ case 'f': { ++ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? 
self->value.f : self->value.d); ++ if (f == NULL) { ++ return NULL; ++ } ++ PyObject *result = PyUnicode_FromFormat("<cparam '%c' (%R)>", self->tag, f); ++ Py_DECREF(f); ++ return result; ++ } + case 'c': + if (is_literal_char((unsigned char)self->value.c)) { +- sprintf(buffer, "<cparam '%c' ('%c')>", ++ return PyUnicode_FromFormat("<cparam '%c' ('%c')>", + self->tag, self->value.c); + } + else { +- sprintf(buffer, "<cparam '%c' ('\\x%02x')>", ++ return PyUnicode_FromFormat("<cparam '%c' ('\\x%02x')>", + self->tag, (unsigned char)self->value.c); + } +- break; + + /* Hm, are these 'z' and 'Z' codes useful at all? + Shouldn't they be replaced by the functionality of c_string +@@ -544,22 +533,20 @@ PyCArg_repr(PyCArgObject *self) + case 'z': + case 'Z': + case 'P': +- sprintf(buffer, "<cparam '%c' (%p)>", ++ return PyUnicode_FromFormat("<cparam '%c' (%p)>", + self->tag, self->value.p); + break; + + default: + if (is_literal_char((unsigned char)self->tag)) { +- sprintf(buffer, "<cparam '%c' at %p>", ++ return PyUnicode_FromFormat("<cparam '%c' at %p>", + (unsigned char)self->tag, (void *)self); + } + else { +- sprintf(buffer, "<cparam 0x%02x at %p>", ++ return PyUnicode_FromFormat("<cparam 0x%02x at %p>", + (unsigned char)self->tag, (void *)self); + } +- break; + } +- return PyUnicode_FromString(buffer); + } + + static PyMemberDef PyCArgType_members[] = { diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index 730c371fda..bcf1bfd706 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm @@ -364,6 +364,7 @@ data types.") (define-public python-3.8 (package (inherit python-2) (name "python") + (replacement python-3.8/fixed) (version "3.8.2") (source (origin (method url-fetch) 
@@ -521,6 +522,13 @@ data types.") (version-major+minor version) "/site-packages")))))))) +(define-public python-3.8/fixed + (package/inherit python-3.8 + (source (origin + (inherit (package-source python-3.8)) + (patches (append (search-patches "python-3.8-CVE-2021-3177.patch") + (origin-patches (package-source python-3.8)))))))) + (define-public python-3.9 (package (inherit python-3.8) (name "python-next") -- 2.30.1 --/YZKjQU8EkpL8FB1--
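Review bot: the two assertRegex calls for c_char_p and c_wchar_p at the end of the new test pass their patterns as plain strings ("^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$"), while every other pattern in the hunk is an r"" literal. `\(` is an invalid escape sequence in a non-raw string and raises a DeprecationWarning, so both need the r prefix. The c_float case is also only exercised with 1.5, which is exactly representable; a value such as 0.1 would show how the new output looks after the float is widened to a double.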
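Review bot: the merged 'd'/'f' case in the first callproc.c hunk changes the visible repr, not only the buffer handling: the old code printed "%f" (six fixed decimals) and the new code prints "%R" of a PyFloat, which is why the tests expect (1.5) and (1e+300). The NEWS entry only mentions avoiding static buffers, so say there that the output format of the c_float and c_double cparam repr changes. The NULL check and Py_DECREF around the temporary float look right.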
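Review bot: in the 'z'/'Z'/'P' case of the second callproc.c hunk the `break;` after the new `return PyUnicode_FromFormat("<cparam '%c' (%p)>", ...)` is left as context and is now unreachable. Every other case in the patch drops its break together with the sprintf, so remove this one as well for consistency.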
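Review bot: python-3.9 is defined with (inherit python-3.8), so once python-3.8 gains (replacement python-3.8/fixed) in the first python.scm hunk, python-3.9 inherits that replacement field unless it overrides it. The visible context of the second hunk does not show an override; check that python-3.9 sets its own replacement (or #f), otherwise "python-next" would be grafted to the patched 3.8 package.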
bug-guix@HIDDEN
:bug#46631
; Package guix
.
From: Ludovic Courtès <ludo@HIDDEN>
To: Leo Famulari <leo@HIDDEN>
Cc: 46631 <at> debbugs.gnu.org
Subject: Re: bug#46631: Python CVE-2021-3177
Date: Fri, 19 Feb 2021 16:35:26 +0100
Message-ID: <87h7m8kr41.fsf@HIDDEN>

Hi,

Leo Famulari <leo@HIDDEN> skribis:

> I assume that Python is considered to be "graft-able". Can anyone
> confirm?

Yes, I think so.

Ludo’.
From: Leo Famulari <leo@HIDDEN>
To: bug-guix@HIDDEN
Subject: Python CVE-2021-3177
Date: Thu, 18 Feb 2021 22:21:34 -0500
Message-ID: <YC8uvtnvGyXcCno1@HIDDEN>

Quoting from MITRE:

------
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in
_ctypes/callproc.c, which may lead to remote code execution in certain
Python applications that accept floating-point numbers as untrusted
input, as demonstrated by a 1e300 argument to c_double.from_param. This
occurs because sprintf is used unsafely.
------

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177

There is not yet an upstream release to fix the issue in the 3.8 series
that we distribute.

I believe there are patches we can cherry-pick. Can somebody find them?

I assume that Python is considered to be "graft-able". Can anyone
confirm?

The upstream bug report:

https://bugs.python.org/issue42938
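The size mismatch behind the MITRE description can be measured without ever writing past a buffer. The C program below is an added example, not part of this thread or of CPython: it counts the bytes the pre-patch "%f" format needs against the 256-byte buffer the patch removes. The function names are hypothetical, and "%g" is an assumed stand-in for the Python float repr the patch obtains through %R.

```c
#include <float.h>
#include <stdio.h>
#include <string.h>

#define REPR_BUF 256  /* size of the `char buffer[256]` removed by the patch */

/* Characters (without the NUL) the old format string produces for `v`.
   snprintf(NULL, 0, ...) only counts; nothing is written anywhere. */
int old_repr_len(char tag, double v)
{
    return snprintf(NULL, 0, "<cparam '%c' (%f)>", tag, v);
}

/* 1 if sprintf() into a REPR_BUF-byte buffer would have overrun it. */
int old_repr_overflows(char tag, double v)
{
    int n = old_repr_len(tag, v);
    return n < 0 || (size_t)n + 1 > REPR_BUF;
}

/* Bounded variant: returns the length written, or -1 if `out` is too small.
   "%g" is a stand-in (assumption) for the float repr the patch gets via %R. */
int bounded_repr(char *out, size_t cap, char tag, double v)
{
    int n = snprintf(out, cap, "<cparam '%c' (%g)>", tag, v);
    if (n < 0 || (size_t)n >= cap) {
        if (cap > 0)
            out[0] = '\0';  /* never hand back a truncated repr */
        return -1;
    }
    return n;
}

int main(void)
{
    char out[64];
    printf("1.5     -> %d bytes\n", old_repr_len('d', 1.5));
    printf("1e300   -> %d bytes, overflows=%d\n",
           old_repr_len('d', 1e300), old_repr_overflows('d', 1e300));
    printf("FLT_MAX -> overflows=%d\n", old_repr_overflows('f', FLT_MAX));
    if (bounded_repr(out, sizeof out, 'd', 1e300) > 0)
        puts(out);
    return 0;
}
```

Only the double case can exceed the buffer: the largest float still formats to well under 256 bytes, which is consistent with the advisory naming c_double.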
Leo Famulari <leo@HIDDEN>
:bug-guix@HIDDEN
.