GNU bug report logs - #46631
Python CVE-2021-3177


Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Fri, 19 Feb 2021 03:22:01 UTC

Severity: normal

Tags: security

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#46631; Package guix. (Fri, 19 Feb 2021 03:22:01 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 19 Feb 2021 03:22:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: bug-guix <at> gnu.org
Subject: Python CVE-2021-3177
Date: Thu, 18 Feb 2021 22:21:34 -0500
Quoting from MITRE:

------
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in
_ctypes/callproc.c, which may lead to remote code execution in certain
Python applications that accept floating-point numbers as untrusted
input, as demonstrated by a 1e300 argument to c_double.from_param. This
occurs because sprintf is used unsafely. 
------
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177

There is not yet an upstream release to fix the issue in the 3.8 series
that we distribute. I believe there are patches we can cherry-pick. Can
somebody find them?

I assume that Python is considered to be "graft-able". Can anyone
confirm?

The upstream bug report:
https://bugs.python.org/issue42938
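To make the quoted MITRE description concrete, here is an added C example (written for this page, not code from CPython or from the bug report) that measures how long the repr of the cited 1e300 value becomes under a `%f` conversion and contrasts the unchecked fixed-buffer pattern with a measured, bounded allocation. The 256-byte buffer size and the `<cparam ...>` format string are assumptions modeled on the description, and the hardened function is a generic safe form, not the upstream fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed buffer in the vulnerable repr code (the bug
 * report does not state it; 256 is an assumption for this example). */
#define FIXED_BUF_SIZE 256

/* Vulnerable shape, kept as a comment so it is never executed here:
 *     char buffer[FIXED_BUF_SIZE];
 *     sprintf(buffer, "<cparam '%c' (%f)>", tag, value);
 * "%f" prints every integer digit, so 1e300 alone expands to 300+ characters. */
/* Bytes the repr needs, NUL excluded. snprintf(NULL, 0, ...) only measures. */
size_t cparam_repr_len(char tag, double value)
{
    int n = snprintf(NULL, 0, "<cparam '%c' (%f)>", tag, value);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if the fixed-buffer pattern above would overflow for this value. */
int would_overflow_fixed_buffer(char tag, double value)
{
    return cparam_repr_len(tag, value) + 1 > FIXED_BUF_SIZE;
}

/* Hardened form: measure, allocate exactly, format with a bound, and verify
 * the bounded call agreed with the measurement. Caller frees the result. */
char *cparam_repr_safe(char tag, double value)
{
    size_t len = cparam_repr_len(tag, value);
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    int n = snprintf(out, len + 1, "<cparam '%c' (%f)>", tag, value);
    if (n < 0 || (size_t)n != len) {
        free(out);
        return NULL;
    }
    return out;
}

int main(void)
{
    const double inputs[] = { 1.5, 1e300 };  /* 1e300 is the value named in the CVE text */
    for (size_t i = 0; i < 2; i++)
        printf("%g needs %zu bytes; %d-byte buffer overflows: %s\n", inputs[i],
               cparam_repr_len('d', inputs[i]), FIXED_BUF_SIZE,
               would_overflow_fixed_buffer('d', inputs[i]) ? "yes" : "no");
    return 0;
}
```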




Information forwarded to bug-guix <at> gnu.org:
bug#46631; Package guix. (Fri, 19 Feb 2021 15:36:01 GMT)

Message #8 received at 46631 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: 46631 <at> debbugs.gnu.org
Subject: Re: bug#46631: Python CVE-2021-3177
Date: Fri, 19 Feb 2021 16:35:26 +0100
Hi,

Leo Famulari <leo <at> famulari.name> skribis:

> I assume that Python is considered to be "graft-able". Can anyone
> confirm?

Yes, I think so.

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#46631; Package guix. (Fri, 19 Feb 2021 23:14:01 GMT)

Message #11 received at 46631 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 46631 <at> debbugs.gnu.org
Subject: Re: Python CVE-2021-3177
Date: Fri, 19 Feb 2021 18:12:58 -0500
I pushed a fix for Python 3.9 in commit
f08c7cb0c75e7d5305c82d6a4af68ddf74fb08b1.

But, we use Python 3.8 for everything, and my patch (attached) fails to
apply for some reason. It does work when I apply the new bug fix patch
"by hand" onto the Guix source code for our current python-3.8 package.
[0001-gnu-Python-Fix-CVE-2021-3177.patch (text/plain, attachment)]

Information forwarded to bug-guix <at> gnu.org:
bug#46631; Package guix. (Fri, 19 Feb 2021 23:24:01 GMT)

Message #14 received at 46631 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 46631 <at> debbugs.gnu.org
Subject: Re: Python CVE-2021-3177
Date: Fri, 19 Feb 2021 18:23:49 -0500
On Fri, Feb 19, 2021 at 06:12:58PM -0500, Leo Famulari wrote:
> But, we use Python 3.8 for everything, and my patch (attached) fails to
> apply for some reason. It does work when I apply the new bug fix patch
> "by hand" onto the Guix source code for our current python-3.8 package.

More weirdness: When I apply the patch to the python-3.8 package (that
is, without setting up a grafted replacement), it works. So I am
definitely doing something wrong here.




Information forwarded to bug-guix <at> gnu.org:
bug#46631; Package guix. (Fri, 19 Feb 2021 23:42:01 GMT)

Message #17 received at 46631 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 46631 <at> debbugs.gnu.org
Subject: Re: Python CVE-2021-3177
Date: Fri, 19 Feb 2021 18:41:26 -0500
On Fri, Feb 19, 2021 at 06:23:49PM -0500, Leo Famulari wrote:
> More weirdness: When I apply the patch to the python-3.8 package (that
> is, without setting up a grafted replacement), it works. So I am
> definitely doing something wrong here.

Here is a new patch that I'm currently building. I think I had composed
the package inheritance incorrectly in my previous patch.
[0001-gnu-Python-Fix-CVE-2021-3177.patch (text/plain, attachment)]

Information forwarded to bug-guix <at> gnu.org:
bug#46631; Package guix. (Mon, 22 Feb 2021 08:09:01 GMT)

Message #20 received at 46631 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: 46631 <at> debbugs.gnu.org
Subject: Re: bug#46631: Python CVE-2021-3177
Date: Mon, 22 Feb 2021 09:08:14 +0100
Hi Leo,

Leo Famulari <leo <at> famulari.name> skribis:

> From b62969d52add462fc1b8b4bd1e0a3c4d53a39864 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo <at> famulari.name>
> Date: Fri, 19 Feb 2021 18:09:57 -0500
> Subject: [PATCH] gnu: Python: Fix CVE-2021-3177.
>
> * gnu/packages/patches/python-3.8-CVE-2021-3177.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/python.scm (python-3.8): Define with PACKAGE/INHERIT.
> [replacement]: New field.
> (python-3.8/fixed): New variable.

[...]

>  (define-public python-3.8
> -  (package (inherit python-2)
> +  (package/inherit python-2
>      (name "python")
> +    (replacement python-3.8/fixed)
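Review bot: `(replacement python-3.8/fixed)` points at a variable whose definition is not in the quoted hunk (the commit message only lists "(python-3.8/fixed): New variable"), so the review should confirm that python-3.8/fixed inherits from python-3.8, keeps the same name and version string, and differs only by adding python-3.8-CVE-2021-3177.patch to the origin's patches: a graft replacement must yield a store item whose file name has the same length as the original's, which an unchanged name and version guarantees. On the first line, `(package/inherit python-2` is not needed for the replacement field itself; plain `(package (inherit python-2)` already lets python-3.8 carry its own `(replacement ...)`, and `package/inherit` only matters when python-2 itself has a replacement to propagate.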

You can keep (inherit …) because the effect of ‘package/inherit’ is just
to preserve replacements, which is unnecessary here.

Apart from that, the Guix side of things LGTM.

Thanks for working on it!

Ludo’.




Added tag(s) security. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Mon, 22 Feb 2021 09:16:02 GMT)

Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Tue, 23 Feb 2021 19:18:02 GMT)

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Tue, 23 Feb 2021 19:18:02 GMT)

Message #27 received at 46631-done <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 46631-done <at> debbugs.gnu.org
Subject: Re: bug#46631: Python CVE-2021-3177
Date: Tue, 23 Feb 2021 14:16:54 -0500
On Mon, Feb 22, 2021 at 09:08:14AM +0100, Ludovic Courtès wrote:
> You can keep (inherit …) because the effect of ‘package/inherit’ is just
> to preserve replacements, which is unnecessary here.

I used to know that... it's been a while and I forgot, and had trouble
understanding the package/inherit docstring. So I pushed a commit that I
hope clarifies it.

> Apart from that, the Guix side of things LGTM.

Pushed as 84e082e31706411e7f9c3189a83f8ed0b4016fe7

> Thanks for working on it!

Thanks for the review!




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 24 Mar 2021 11:24:06 GMT)



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.