GNU bug report logs - #46631
Python CVE-2021-3177

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: guix; Reported by: Leo Famulari <leo@HIDDEN>; Keywords: security; dated Fri, 19 Feb 2021 03:22:01 UTC; Maintainer for guix is bug-guix@HIDDEN.
Added tag(s) security. Request was from Ludovic Courtès <ludo@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 46631 <at> debbugs.gnu.org:


Received: (at 46631) by debbugs.gnu.org; 22 Feb 2021 08:08:25 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Feb 22 03:08:24 2021
Received: from localhost ([127.0.0.1]:55490 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lE6GW-0001Re-M3
	for submit <at> debbugs.gnu.org; Mon, 22 Feb 2021 03:08:24 -0500
Received: from eggs.gnu.org ([209.51.188.92]:57070)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1lE6GU-0001RR-PN
 for 46631 <at> debbugs.gnu.org; Mon, 22 Feb 2021 03:08:23 -0500
Received: from fencepost.gnu.org ([2001:470:142:3::e]:50104)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ludo@HIDDEN>)
 id 1lE6GP-0006Wt-Gv; Mon, 22 Feb 2021 03:08:17 -0500
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=41006 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1lE6GP-00066y-0a; Mon, 22 Feb 2021 03:08:17 -0500
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
To: Leo Famulari <leo@HIDDEN>
Subject: Re: bug#46631: Python CVE-2021-3177
References: <YDBF+l7hL3IzP185@HIDDEN> <YDBIhd+7XE90GNre@HIDDEN>
 <YDBMpqCk3DBJXvfU@HIDDEN>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 4 =?utf-8?Q?Vent=C3=B4se?= an 229 de la =?utf-8?Q?R?=
 =?utf-8?Q?=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Mon, 22 Feb 2021 09:08:14 +0100
In-Reply-To: <YDBMpqCk3DBJXvfU@HIDDEN> (Leo Famulari's message of "Fri,
 19 Feb 2021 18:41:26 -0500")
Message-ID: <87pn0sfrtd.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 46631
Cc: 46631 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

Hi Leo,

Leo Famulari <leo@HIDDEN> skribis:

> From b62969d52add462fc1b8b4bd1e0a3c4d53a39864 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@HIDDEN>
> Date: Fri, 19 Feb 2021 18:09:57 -0500
> Subject: [PATCH] gnu: Python: Fix CVE-2021-3177.
>
> * gnu/packages/patches/python-3.8-CVE-2021-3177.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/python.scm (python-3.8): Define with PACKAGE/INHERIT.
> [replacement]: New field.
> (python-3.8/fixed): New variable.

[...]

>  (define-public python-3.8
> -  (package (inherit python-2)
> +  (package/inherit python-2
>      (name "python")
> +    (replacement python-3.8/fixed)

You can keep (inherit =E2=80=A6) because the effect of =E2=80=98package/inh=
erit=E2=80=99 is just
to preserve replacements, which is unnecessary here.

Apart from that, the Guix side of things LGTM.

Thanks for working on it!

Ludo=E2=80=99.




Information forwarded to bug-guix@HIDDEN:
bug#46631; Package guix. Full text available.

Message received at 46631 <at> debbugs.gnu.org:


Received: (at 46631) by debbugs.gnu.org; 19 Feb 2021 23:41:42 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Feb 19 18:41:42 2021
Received: from localhost ([127.0.0.1]:50632 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lDFOy-0001m3-Lx
	for submit <at> debbugs.gnu.org; Fri, 19 Feb 2021 18:41:42 -0500
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:37625)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@HIDDEN>) id 1lDFOw-0001lp-EM
 for 46631 <at> debbugs.gnu.org; Fri, 19 Feb 2021 18:41:35 -0500
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43])
 by mailout.nyi.internal (Postfix) with ESMTP id 0BA675C005E;
 Fri, 19 Feb 2021 18:41:29 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163])
 by compute3.internal (MEProxy); Fri, 19 Feb 2021 18:41:29 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=date:from:to:subject:message-id:references:mime-version
 :content-type:in-reply-to; s=mesmtp; bh=/73evAj00i/oHlXzI1P7Cdgg
 99jAplp67XijBF3Elb8=; b=SOa2UxcrbpJJHcqjGiNpNBrR0V3yel4M3YAAqSy0
 q+mvut6U+TEZG0LVgXmX1J0lO69oynj2j4RH1UrTVypB05FkRYNWQ2doR2bOy4Js
 iJoo4B3an7qbn7AgCccYKo9kOrZbMS8xIxi9kLdzw0V/IM8GmcWLl/o4htSnReJp
 VkM=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-proxy
 :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=/73evA
 j00i/oHlXzI1P7Cdgg99jAplp67XijBF3Elb8=; b=Tegm5gloPcQHFRNIY4kemP
 kDBUvXjxkeD/YW9+3cxbn+64tStlqiMe9du2OOdhbXJ7gmPsc6HX3bbdPpOFF7Kl
 /ob/gT31RIqs43cmVywSLIYabzH+kJ8nWT+bywoI9k6hSF6WlTEtgnyGOfaaHuEg
 yfeISTMXOqESfuidmybfa7nNEljnw6Q3BpcIEbjBRT+uatwr/jpM2Tv0Byc1R3+M
 xEeZFtXju9eOBKRk+jOu9U9lZI3CimKRITBkS6Bf2AVm3Hgvffa9zdS+tWSQKbSd
 A9J5yBQJf3GsxYHByDSMmV+1NC+d3H38qqqC3nHy1b/2+wfvtQLsGIpio5GQrOHQ
 ==
X-ME-Sender: <xms:qEwwYCRjImq0z-5kjNhC6UVQHkG92lQL3xWgIz9D2OmvbKEZ_oa2EA>
 <xme:qEwwYHyq3PpB7rUKgiD1k1OEoKp07sdtowhsle39rH2S1gn-qHHn4jrKMlOE54hec
 1TeHClB9c421MlUyg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrjeejgdduvdcutefuodetggdotefrodftvf
 curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu
 uegrihhlohhuthemuceftddtnecunecujfgurhepfffhvffukfhfgggtuggjsehgtderre
 dttddvnecuhfhrohhmpefnvghoucfhrghmuhhlrghrihcuoehlvghosehfrghmuhhlrghr
 ihdrnhgrmhgvqeenucggtffrrghtthgvrhhnpedukeevgeetkeeltefgiedtjefgjeekff
 duteehvdfhueekudelieekjeefheffteenucfkphepieelrdduvddtrdelvddrvddtkeen
 ucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehlvghose
 hfrghmuhhlrghrihdrnhgrmhgv
X-ME-Proxy: <xmx:qEwwYP1W0Lps2AGZJdAXPhGRl73JOUnrZkKoxpo45_mFf5uhteYQNQ>
 <xmx:qEwwYODD-5QFN219NLrEds11a4QcmhxnwOB6fvhx0zWxKgc-jXugZw>
 <xmx:qEwwYLhq8a_ys07oS-OynaLPvVgq1PtMMGrouRluvI3ks2n7Hzm0Og>
 <xmx:qUwwYGuOhkYuF2iUYHuP-LLPfQRuGgNX6K7FrJo_NAZJlIruAzK2UA>
Received: from localhost (ool-45785cd0.dyn.optonline.net [69.120.92.208])
 by mail.messagingengine.com (Postfix) with ESMTPA id 3CB2C108005C
 for <46631 <at> debbugs.gnu.org>; Fri, 19 Feb 2021 18:41:28 -0500 (EST)
Date: Fri, 19 Feb 2021 18:41:26 -0500
From: Leo Famulari <leo@HIDDEN>
To: 46631 <at> debbugs.gnu.org
Subject: Re: Python CVE-2021-3177
Message-ID: <YDBMpqCk3DBJXvfU@HIDDEN>
References: <YDBF+l7hL3IzP185@HIDDEN>
 <YDBIhd+7XE90GNre@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="FYqowmleijQ73pwK"
Content-Disposition: inline
In-Reply-To: <YDBIhd+7XE90GNre@HIDDEN>
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 46631
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)


--FYqowmleijQ73pwK
Content-Type: multipart/mixed; boundary="3NoRtp2S5MlcyUaO"
Content-Disposition: inline


--3NoRtp2S5MlcyUaO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Fri, Feb 19, 2021 at 06:23:49PM -0500, Leo Famulari wrote:
> More weirdness: When I apply the patch to the python-3.8 package (that
> is, without setting up a grafted replacement), it works. So I am
> definitely doing something wrong here.

Here is a new patch that I'm currently building. I think I had composed
the package inheritance incorrectly in my previous patch.

--3NoRtp2S5MlcyUaO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment;
	filename="0001-gnu-Python-Fix-CVE-2021-3177.patch"
Content-Transfer-Encoding: quoted-printable

=46rom b62969d52add462fc1b8b4bd1e0a3c4d53a39864 Mon Sep 17 00:00:00 2001
=46rom: Leo Famulari <leo@HIDDEN>
Date: Fri, 19 Feb 2021 18:09:57 -0500
Subject: [PATCH] gnu: Python: Fix CVE-2021-3177.

* gnu/packages/patches/python-3.8-CVE-2021-3177.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/python.scm (python-3.8): Define with PACKAGE/INHERIT.
[replacement]: New field.
(python-3.8/fixed): New variable.
---
 gnu/local.mk                                  |   1 +
 .../patches/python-3.8-CVE-2021-3177.patch    | 194 ++++++++++++++++++
 gnu/packages/python.scm                       |  11 +-
 3 files changed, 205 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/python-3.8-CVE-2021-3177.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 5588cda2e1..26dbcb940f 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1526,6 +1526,7 @@ dist_patch_DATA =3D						\
   %D%/packages/patches/python-3-search-paths.patch		\
   %D%/packages/patches/python-3-fix-tests.patch			\
   %D%/packages/patches/python-3.8-fix-tests.patch		\
+  %D%/packages/patches/python-3.8-CVE-2021-3177.patch		\
   %D%/packages/patches/python-3.9-fix-tests.patch		\
   %D%/packages/patches/python-3.9-CVE-2021-3177.patch		\
   %D%/packages/patches/python-CVE-2018-14647.patch		\
diff --git a/gnu/packages/patches/python-3.8-CVE-2021-3177.patch b/gnu/pack=
ages/patches/python-3.8-CVE-2021-3177.patch
new file mode 100644
index 0000000000..01f6b52865
--- /dev/null
+++ b/gnu/packages/patches/python-3.8-CVE-2021-3177.patch
@@ -0,0 +1,194 @@
+Fix CVE-2021-3177 for Python 3.8:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2021-3177
+
+Patch copied from upstream source repository:
+
+https://github.com/python/cpython/commit/ece5dfd403dac211f8d3c72701fe7ba7b=
7aa5b5f
+
+From ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@HIDDEN>
+Date: Mon, 18 Jan 2021 13:28:52 -0800
+Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode
+ formatting in ctypes param reprs. (GH-24248)
+
+(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7)
+
+Co-authored-by: Benjamin Peterson <benjamin@HIDDEN>
+
+Co-authored-by: Benjamin Peterson <benjamin@HIDDEN>
+---
+ Lib/ctypes/test/test_parameters.py            | 43 ++++++++++++++++
+ .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst  |  2 +
+ Modules/_ctypes/callproc.c                    | 51 +++++++------------
+ 3 files changed, 64 insertions(+), 32 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-4293=
8.4Zn4Mp.rst
+
+diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_par=
ameters.py
+index e4c25fd880cef..531894fdec838 100644
+--- a/Lib/ctypes/test/test_parameters.py
++++ b/Lib/ctypes/test/test_parameters.py
+@@ -201,6 +201,49 @@ def __dict__(self):
+         with self.assertRaises(ZeroDivisionError):
+             WorseStruct().__setstate__({}, b'foo')
+=20
++    def test_parameter_repr(self):
++        from ctypes import (
++            c_bool,
++            c_char,
++            c_wchar,
++            c_byte,
++            c_ubyte,
++            c_short,
++            c_ushort,
++            c_int,
++            c_uint,
++            c_long,
++            c_ulong,
++            c_longlong,
++            c_ulonglong,
++            c_float,
++            c_double,
++            c_longdouble,
++            c_char_p,
++            c_wchar_p,
++            c_void_p,
++        )
++        self.assertRegex(repr(c_bool.from_param(True)), r"^<cparam '\?' a=
t 0x[A-Fa-f0-9]+>$")
++        self.assertEqual(repr(c_char.from_param(97)), "<cparam 'c' ('a')>=
")
++        self.assertRegex(repr(c_wchar.from_param('a')), r"^<cparam 'u' at=
 0x[A-Fa-f0-9]+>$")
++        self.assertEqual(repr(c_byte.from_param(98)), "<cparam 'b' (98)>")
++        self.assertEqual(repr(c_ubyte.from_param(98)), "<cparam 'B' (98)>=
")
++        self.assertEqual(repr(c_short.from_param(511)), "<cparam 'h' (511=
)>")
++        self.assertEqual(repr(c_ushort.from_param(511)), "<cparam 'H' (51=
1)>")
++        self.assertRegex(repr(c_int.from_param(20000)), r"^<cparam '[li]'=
 \(20000\)>$")
++        self.assertRegex(repr(c_uint.from_param(20000)), r"^<cparam '[LI]=
' \(20000\)>$")
++        self.assertRegex(repr(c_long.from_param(20000)), r"^<cparam '[li]=
' \(20000\)>$")
++        self.assertRegex(repr(c_ulong.from_param(20000)), r"^<cparam '[LI=
]' \(20000\)>$")
++        self.assertRegex(repr(c_longlong.from_param(20000)), r"^<cparam '=
[liq]' \(20000\)>$")
++        self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^<cparam =
'[LIQ]' \(20000\)>$")
++        self.assertEqual(repr(c_float.from_param(1.5)), "<cparam 'f' (1.5=
)>")
++        self.assertEqual(repr(c_double.from_param(1.5)), "<cparam 'd' (1.=
5)>")
++        self.assertEqual(repr(c_double.from_param(1e300)), "<cparam 'd' (=
1e+300)>")
++        self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^<cparam (=
'd' \(1.5\)|'g' at 0x[A-Fa-f0-9]+)>$")
++        self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^<cparam 'z=
' \(0x[A-Fa-f0-9]+\)>$")
++        self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^<cparam 'Z=
' \(0x[A-Fa-f0-9]+\)>$")
++        self.assertRegex(repr(c_void_p.from_param(0x12)), r"^<cparam 'P' =
\(0x0*12\)>$")
++
+ ################################################################
+=20
+ if __name__ =3D=3D '__main__':
+#diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4=
Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
+#new file mode 100644
+#index 0000000000000..7df65a156feab
+#--- /dev/null
+#+++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
+#@@ -0,0 +1,2 @@
+#+Avoid static buffers when computing the repr of :class:`ctypes.c_double`=
 and
+#+:class:`ctypes.c_longdouble` values.
+diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c
+index a9b8675cd951b..de75918d49f37 100644
+--- a/Modules/_ctypes/callproc.c
++++ b/Modules/_ctypes/callproc.c
+@@ -484,58 +484,47 @@ is_literal_char(unsigned char c)
+ static PyObject *
+ PyCArg_repr(PyCArgObject *self)
+ {
+-    char buffer[256];
+     switch(self->tag) {
+     case 'b':
+     case 'B':
+-        sprintf(buffer, "<cparam '%c' (%d)>",
++        return PyUnicode_FromFormat("<cparam '%c' (%d)>",
+             self->tag, self->value.b);
+-        break;
+     case 'h':
+     case 'H':
+-        sprintf(buffer, "<cparam '%c' (%d)>",
++        return PyUnicode_FromFormat("<cparam '%c' (%d)>",
+             self->tag, self->value.h);
+-        break;
+     case 'i':
+     case 'I':
+-        sprintf(buffer, "<cparam '%c' (%d)>",
++        return PyUnicode_FromFormat("<cparam '%c' (%d)>",
+             self->tag, self->value.i);
+-        break;
+     case 'l':
+     case 'L':
+-        sprintf(buffer, "<cparam '%c' (%ld)>",
++        return PyUnicode_FromFormat("<cparam '%c' (%ld)>",
+             self->tag, self->value.l);
+-        break;
+=20
+     case 'q':
+     case 'Q':
+-        sprintf(buffer,
+-#ifdef MS_WIN32
+-            "<cparam '%c' (%I64d)>",
+-#else
+-            "<cparam '%c' (%lld)>",
+-#endif
++        return PyUnicode_FromFormat("<cparam '%c' (%lld)>",
+             self->tag, self->value.q);
+-        break;
+     case 'd':
+-        sprintf(buffer, "<cparam '%c' (%f)>",
+-            self->tag, self->value.d);
+-        break;
+-    case 'f':
+-        sprintf(buffer, "<cparam '%c' (%f)>",
+-            self->tag, self->value.f);
+-        break;
+-
++    case 'f': {
++        PyObject *f =3D PyFloat_FromDouble((self->tag =3D=3D 'f') ? self-=
>value.f : self->value.d);
++        if (f =3D=3D NULL) {
++            return NULL;
++        }
++        PyObject *result =3D PyUnicode_FromFormat("<cparam '%c' (%R)>", s=
elf->tag, f);
++        Py_DECREF(f);
++        return result;
++    }
+     case 'c':
+         if (is_literal_char((unsigned char)self->value.c)) {
+-            sprintf(buffer, "<cparam '%c' ('%c')>",
++            return PyUnicode_FromFormat("<cparam '%c' ('%c')>",
+                 self->tag, self->value.c);
+         }
+         else {
+-            sprintf(buffer, "<cparam '%c' ('\\x%02x')>",
++            return PyUnicode_FromFormat("<cparam '%c' ('\\x%02x')>",
+                 self->tag, (unsigned char)self->value.c);
+         }
+-        break;
+=20
+ /* Hm, are these 'z' and 'Z' codes useful at all?
+    Shouldn't they be replaced by the functionality of c_string
+@@ -544,22 +533,20 @@ PyCArg_repr(PyCArgObject *self)
+     case 'z':
+     case 'Z':
+     case 'P':
+-        sprintf(buffer, "<cparam '%c' (%p)>",
++        return PyUnicode_FromFormat("<cparam '%c' (%p)>",
+             self->tag, self->value.p);
+         break;
+=20
+     default:
+         if (is_literal_char((unsigned char)self->tag)) {
+-            sprintf(buffer, "<cparam '%c' at %p>",
++            return PyUnicode_FromFormat("<cparam '%c' at %p>",
+                 (unsigned char)self->tag, (void *)self);
+         }
+         else {
+-            sprintf(buffer, "<cparam 0x%02x at %p>",
++            return PyUnicode_FromFormat("<cparam 0x%02x at %p>",
+                 (unsigned char)self->tag, (void *)self);
+         }
+-        break;
+     }
+-    return PyUnicode_FromString(buffer);
+ }
+=20
+ static PyMemberDef PyCArgType_members[] =3D {
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 730c371fda..fc28d0e3f8 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -362,8 +362,9 @@ data types.")
     (properties `((superseded . ,python-2)))))
=20
 (define-public python-3.8
-  (package (inherit python-2)
+  (package/inherit python-2
     (name "python")
+    (replacement python-3.8/fixed)
     (version "3.8.2")
     (source (origin
               (method url-fetch)
@@ -521,6 +522,14 @@ data types.")
                                         (version-major+minor version)
                                         "/site-packages"))))))))
=20
+(define python-3.8/fixed
+  (package
+    (inherit python-3.8)
+    (source (origin
+              (inherit (package-source python-3.8))
+              (patches (append (search-patches "python-3.8-CVE-2021-3177.p=
atch")
+                               (origin-patches (package-source python-3.8)=
)))))))
+
 (define-public python-3.9
   (package (inherit python-3.8)
     (name "python-next")
--=20
2.30.1


--3NoRtp2S5MlcyUaO--

--FYqowmleijQ73pwK
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAmAwTKYACgkQJkb6MLrK
fwimUhAAlX8e0kgBeeWDRR0Sqyq5lLQx3nzQnZf48cIYb6VMgGa3J9jFE+JtlY/N
yaJBJ0OtVd0yct9g5CQCjcjIdbW0MP4nqHNo/Qn0H8fNxehZvw7SZkUEiK90ZIE0
ZKIS2cSY8XtJUirPiQFLMgUl4nJ2y7nKXLTVRrauwmvfVocWlXdz74lUv7yO3YEI
MU3f6GTMoN9AOqBlIYaA2IhDGjKWHBHHWPvpOwG/0wixPPI33hzuFIecD4rzX0Fq
lngTlo/AwAo1MOSislEP17OkETSOfFURN3p5S8mP83+JQ9atp9BLGYq6FenaN8db
JrB+R/3G4NelbsiS2LDDmfOQdvnvLNXILxOI+vJG2jMEm0JC+IODbGVJc15445SG
X836RLlUoOp7PelER5TnUNKPJPrODFly3gM6hARlFaRQt1W7Yu0IBEnds9DeOCW4
zrX1stVGj4XSRkGYJNLgAGBV2XnHoHcoU1VNyRt90PWiO89UpbL5CnEV0zTIYWS8
wtZ4gKVVr/H5HB97zAWLQJlKlnm1FlPOZg4FO1PUiEfXZNPbk7MPAi0amIYeM2PA
thKi9fumJ/r/P5cepCcEzsKTce27EOEBVaF9mw+BYhbq9ZguGMqJzgOLxQvSiJOt
0qnqnNPNAUnjZAZiX7xYff5GZ2kXKfGi+rjFehySVd+qnMboRCY=
=mqC7
-----END PGP SIGNATURE-----

--FYqowmleijQ73pwK--




Information forwarded to bug-guix@HIDDEN:
bug#46631; Package guix. Full text available.

Message received at 46631 <at> debbugs.gnu.org:


Received: (at 46631) by debbugs.gnu.org; 19 Feb 2021 23:23:59 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Feb 19 18:23:59 2021
Received: from localhost ([127.0.0.1]:50612 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lDF7v-0001Lx-0O
	for submit <at> debbugs.gnu.org; Fri, 19 Feb 2021 18:23:59 -0500
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:58101)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@HIDDEN>) id 1lDF7t-0001Lk-7T
 for 46631 <at> debbugs.gnu.org; Fri, 19 Feb 2021 18:23:57 -0500
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43])
 by mailout.nyi.internal (Postfix) with ESMTP id E72DF5C00F8;
 Fri, 19 Feb 2021 18:23:51 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162])
 by compute3.internal (MEProxy); Fri, 19 Feb 2021 18:23:51 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=date:from:to:subject:message-id:references:mime-version
 :content-type:in-reply-to; s=mesmtp; bh=qoAeZDQTL2Dc2NI4T/tDLABR
 /W48Klt2UjGGyn2SJC4=; b=MhZxTdS2N+/C/D/uXd5/CLZ4ryHHIqSA3QDrXGI1
 0YVk9uqaqLNVp1vg/KOtZ1fN5hkknjUFsdRhpbscgHb56yLlMH1DMGaCm+AwrQYN
 HewT5L0gmc+7dOMnVycbXqCCIY/L+QOiXVhX7taltEz4WXbPTRcQ5TZJezap1n+o
 Rbo=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-proxy
 :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=qoAeZD
 QTL2Dc2NI4T/tDLABR/W48Klt2UjGGyn2SJC4=; b=nHMcWKXtCC4U1B6PBiFKBA
 RpGK3xjGETq5cBNlJkL5nlOL1WOUA1QNbEYnEqarS4yeyh0vBOP2Rj8LYEgyAHEL
 WZY2+J3YGaoH1fm55NBEUGT/K5x5WV78Me+Nu95Lmou/vANGPvH4VgojomgmcBfG
 j0k3bweIKbRj4RGmZvpMXzAEVAgupa2IUavUhvLBvyber3DEZdCgQyQOF5fuC0eK
 FJc8wSbcjexp2hXa0n6lpkUaAxb1lXFHMUPqJe9Q3Iep31L3zpCvshlW4uvNPoZf
 Yd0ukPqoVNR+KFxfMXEpQQ6XbOwA1v2ZQvWw9jUUUiu3GVUKGdApc3aAvLl5GPkQ
 ==
X-ME-Sender: <xms:h0gwYLZg_GKmLujbBnDfznA3OlcJz_R2tgLeBCllB1I_-uumw8sWYA>
 <xme:h0gwYKbNFigTTwcGJqrdIdfoIaApctUaIulbIxNSZKjYiFbalKFxRM1G4SJAqt9Gl
 6GBx6YufVN9_YoJWw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrjeejgddtkecutefuodetggdotefrodftvf
 curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu
 uegrihhlohhuthemuceftddtnecunecujfgurhepfffhvffukfhfgggtuggjsehttdertd
 dttddvnecuhfhrohhmpefnvghoucfhrghmuhhlrghrihcuoehlvghosehfrghmuhhlrghr
 ihdrnhgrmhgvqeenucggtffrrghtthgvrhhnpeeukeektdffvddtudegjeegtdevhfeufe
 eivdejiedtieegtdevjedvjeehffevgfenucfkphepieelrdduvddtrdelvddrvddtkeen
 ucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehlvghose
 hfrghmuhhlrghrihdrnhgrmhgv
X-ME-Proxy: <xmx:h0gwYN8L4Q6D8XZI3q-jgyNHHth4jDnJNGN-Mx4jS-o7HZfX9AqOOg>
 <xmx:h0gwYBrU8x56SWsEpIOyUA_tKZu1qhLY9iHONBAym1ZoXrZ6iaGYug>
 <xmx:h0gwYGpvnI5jybksGzBLGLQ_AFkAUrT5mleBg1gSUXks1GKIL6V2FQ>
 <xmx:h0gwYD3sNxN0lz1AGbZzVLkjs8z7aHfUbXu0QMi2h0dQNKqi1cYuLw>
Received: from localhost (ool-45785cd0.dyn.optonline.net [69.120.92.208])
 by mail.messagingengine.com (Postfix) with ESMTPA id 1C38B240062
 for <46631 <at> debbugs.gnu.org>; Fri, 19 Feb 2021 18:23:51 -0500 (EST)
Date: Fri, 19 Feb 2021 18:23:49 -0500
From: Leo Famulari <leo@HIDDEN>
To: 46631 <at> debbugs.gnu.org
Subject: Re: Python CVE-2021-3177
Message-ID: <YDBIhd+7XE90GNre@HIDDEN>
References: <YDBF+l7hL3IzP185@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <YDBF+l7hL3IzP185@HIDDEN>
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 46631
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

On Fri, Feb 19, 2021 at 06:12:58PM -0500, Leo Famulari wrote:
> But, we use Python 3.8 for everything, and my patch (attached) fails to
> apply for some reason. It does work when I apply the new bug fix patch
> "by hand" onto the Guix source code for our current python-3.8 package.

More weirdness: When I apply the patch to the python-3.8 package (that
is, without setting up a grafted replacement), it works. So I am
definitely doing something wrong here.




Information forwarded to bug-guix@HIDDEN:
bug#46631; Package guix. Full text available.

Message received at 46631 <at> debbugs.gnu.org:


Received: (at 46631) by debbugs.gnu.org; 19 Feb 2021 23:13:15 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Feb 19 18:13:15 2021
Received: from localhost ([127.0.0.1]:50600 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lDExS-00015X-Bj
	for submit <at> debbugs.gnu.org; Fri, 19 Feb 2021 18:13:15 -0500
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:41195)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@HIDDEN>) id 1lDExO-000151-GR
 for 46631 <at> debbugs.gnu.org; Fri, 19 Feb 2021 18:13:09 -0500
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43])
 by mailout.nyi.internal (Postfix) with ESMTP id 7F8655C00C3;
 Fri, 19 Feb 2021 18:13:00 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163])
 by compute3.internal (MEProxy); Fri, 19 Feb 2021 18:13:00 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=date:from:to:subject:message-id:mime-version:content-type; s=
 mesmtp; bh=2lOgx7UgEp86JOay2r39emB8w+E3d8i/q8qD2ljJlgY=; b=jmTVo
 MGByTF/Sjj5XYZ9pjXrOhktp+6Yy7xs/NSotxwf1ePas7qeZiQNpYPV831w6dgbk
 bXXZyz6mt4JJngW+2InbJb5Ikmk6qCKwyvMrTRCAWdOdw0CRGAIiqY85OxzX+B2u
 p/8fMi1meT/Egb9rPFXrTrxtKgSH0EXPuQTfhQ=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:message-id
 :mime-version:subject:to:x-me-proxy:x-me-proxy:x-me-sender
 :x-me-sender:x-sasl-enc; s=fm2; bh=2lOgx7UgEp86JOay2r39emB8w+E3d
 8i/q8qD2ljJlgY=; b=Hu94rLijc++4U+BjiL8fCJHumbbalZasJYBCmwO/hSRPn
 +GbZeFPgupaEGdX1c/GMjBWrRYLEZ2iMUrFIDnfyM7O1KrctOvp6A1DrwFh+gBcu
 2LeSHHyeR+RjMA2SZwBm9RoOcVtYZPdAUrFd6uZ7nAUeYZ5WwPKQsacDxWJhAIGL
 TItpd3UypEWpt6MqakqRATvjN1SJnH13R+SE/QLzaFUF43V7BPGOZNuDQDwcFZJl
 NN4dNz3pusErORLsrVUJf5ySaFCPEVX1mkXVEvbEige6Vq8fyxD/ewyEq2MJbEOT
 lWgzQKVTjFQqdegDYjyibGOUcir/gXRQ+q9Zw76QQ==
X-ME-Sender: <xms:_EUwYHA3fnPIYU2owLx_3QMUxhN6EtFRpIaSD_rQW3a4XHnohkTR4Q>
 <xme:_EUwYPil7kmyVYKJoQOw-ndO-pt06D5adFpTbbCd4C2B0Ws280FmtaELn_Ayo4mOT
 XqCjWTs_UDj7zLQVg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrjeejgddtiecutefuodetggdotefrodftvf
 curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu
 uegrihhlohhuthemuceftddtnecunecujfgurhepfffhvffukfggtggusehmtderredttd
 dvnecuhfhrohhmpefnvghoucfhrghmuhhlrghrihcuoehlvghosehfrghmuhhlrghrihdr
 nhgrmhgvqeenucggtffrrghtthgvrhhnpeelleefvdffudeiueeihfeiiedvgeekheejie
 evhfeiteejfeefhfeglefhfffgieenucfkphepieelrdduvddtrdelvddrvddtkeenucev
 lhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehlvghosehfrg
 hmuhhlrghrihdrnhgrmhgv
X-ME-Proxy: <xmx:_EUwYL_7zly7Ngvoca9SVtbiOhla2ZNDlOiYsRKjGwrjSqYerOSy_g>
 <xmx:_EUwYL-_h9FIW12zr75p7C20zIQei1fd-EcHaN-q-7jd0WsHM5K73w>
 <xmx:_EUwYEAr0VRHfGpaw8nFxGLyK8lnHimth3Wetu9eilCYkJdJAy2ooQ>
 <xmx:_EUwYAq-3nVvkLCcji3EgISJv9MTeTNRDPV2j7oKqhVYFoS3TiB59g>
Received: from localhost (ool-45785cd0.dyn.optonline.net [69.120.92.208])
 by mail.messagingengine.com (Postfix) with ESMTPA id 5B3EA108005C
 for <46631 <at> debbugs.gnu.org>; Fri, 19 Feb 2021 18:13:00 -0500 (EST)
Date: Fri, 19 Feb 2021 18:12:58 -0500
From: Leo Famulari <leo@HIDDEN>
To: 46631 <at> debbugs.gnu.org
Subject: Re: Python CVE-2021-3177
Message-ID: <YDBF+l7hL3IzP185@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="/YZKjQU8EkpL8FB1"
Content-Disposition: inline
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 46631
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)


--/YZKjQU8EkpL8FB1
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

I pushed a fix for Python 3.9 in commit
f08c7cb0c75e7d5305c82d6a4af68ddf74fb08b1.

But, we use Python 3.8 for everything, and my patch (attached) fails to
apply for some reason. It does work when I apply the new bug fix patch
"by hand" onto the Guix source code for our current python-3.8 package.

--/YZKjQU8EkpL8FB1
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment;
	filename="0001-gnu-Python-Fix-CVE-2021-3177.patch"

From 3cc80457d26c725da61307755716db18ff88d28e Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@HIDDEN>
Date: Fri, 19 Feb 2021 18:09:57 -0500
Subject: [PATCH] gnu: Python: Fix CVE-2021-3177.

* gnu/packages/patches/python-3.8-CVE-2021-3177.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/python.scm (python-3.8)[replacement]: New field.
(python-3.8/fixed): New variable.
---
 gnu/local.mk                                  |   1 +
 .../patches/python-3.8-CVE-2021-3177.patch    | 194 ++++++++++++++++++
 gnu/packages/python.scm                       |   8 +
 3 files changed, 203 insertions(+)
 create mode 100644 gnu/packages/patches/python-3.8-CVE-2021-3177.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 5588cda2e1..26dbcb940f 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1526,6 +1526,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/python-3-search-paths.patch		\
   %D%/packages/patches/python-3-fix-tests.patch			\
   %D%/packages/patches/python-3.8-fix-tests.patch		\
+  %D%/packages/patches/python-3.8-CVE-2021-3177.patch		\
   %D%/packages/patches/python-3.9-fix-tests.patch		\
   %D%/packages/patches/python-3.9-CVE-2021-3177.patch		\
   %D%/packages/patches/python-CVE-2018-14647.patch		\
diff --git a/gnu/packages/patches/python-3.8-CVE-2021-3177.patch b/gnu/packages/patches/python-3.8-CVE-2021-3177.patch
new file mode 100644
index 0000000000..01f6b52865
--- /dev/null
+++ b/gnu/packages/patches/python-3.8-CVE-2021-3177.patch
@@ -0,0 +1,194 @@
+Fix CVE-2021-3177 for Python 3.8:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177
+
+Patch copied from upstream source repository:
+
+https://github.com/python/cpython/commit/ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f
+
+From ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@HIDDEN>
+Date: Mon, 18 Jan 2021 13:28:52 -0800
+Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode
+ formatting in ctypes param reprs. (GH-24248)
+
+(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7)
+
+Co-authored-by: Benjamin Peterson <benjamin@HIDDEN>
+
+Co-authored-by: Benjamin Peterson <benjamin@HIDDEN>
+---
+ Lib/ctypes/test/test_parameters.py            | 43 ++++++++++++++++
+ .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst  |  2 +
+ Modules/_ctypes/callproc.c                    | 51 +++++++------------
+ 3 files changed, 64 insertions(+), 32 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
+
+diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py
+index e4c25fd880cef..531894fdec838 100644
+--- a/Lib/ctypes/test/test_parameters.py
++++ b/Lib/ctypes/test/test_parameters.py
+@@ -201,6 +201,49 @@ def __dict__(self):
+         with self.assertRaises(ZeroDivisionError):
+             WorseStruct().__setstate__({}, b'foo')
+ 
++    def test_parameter_repr(self):
++        from ctypes import (
++            c_bool,
++            c_char,
++            c_wchar,
++            c_byte,
++            c_ubyte,
++            c_short,
++            c_ushort,
++            c_int,
++            c_uint,
++            c_long,
++            c_ulong,
++            c_longlong,
++            c_ulonglong,
++            c_float,
++            c_double,
++            c_longdouble,
++            c_char_p,
++            c_wchar_p,
++            c_void_p,
++        )
++        self.assertRegex(repr(c_bool.from_param(True)), r"^<cparam '\?' at 0x[A-Fa-f0-9]+>$")
++        self.assertEqual(repr(c_char.from_param(97)), "<cparam 'c' ('a')>")
++        self.assertRegex(repr(c_wchar.from_param('a')), r"^<cparam 'u' at 0x[A-Fa-f0-9]+>$")
++        self.assertEqual(repr(c_byte.from_param(98)), "<cparam 'b' (98)>")
++        self.assertEqual(repr(c_ubyte.from_param(98)), "<cparam 'B' (98)>")
++        self.assertEqual(repr(c_short.from_param(511)), "<cparam 'h' (511)>")
++        self.assertEqual(repr(c_ushort.from_param(511)), "<cparam 'H' (511)>")
++        self.assertRegex(repr(c_int.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
++        self.assertRegex(repr(c_uint.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
++        self.assertRegex(repr(c_long.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
++        self.assertRegex(repr(c_ulong.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
++        self.assertRegex(repr(c_longlong.from_param(20000)), r"^<cparam '[liq]' \(20000\)>$")
++        self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^<cparam '[LIQ]' \(20000\)>$")
++        self.assertEqual(repr(c_float.from_param(1.5)), "<cparam 'f' (1.5)>")
++        self.assertEqual(repr(c_double.from_param(1.5)), "<cparam 'd' (1.5)>")
++        self.assertEqual(repr(c_double.from_param(1e300)), "<cparam 'd' (1e+300)>")
++        self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^<cparam ('d' \(1.5\)|'g' at 0x[A-Fa-f0-9]+)>$")
++        self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$")
++        self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^<cparam 'Z' \(0x[A-Fa-f0-9]+\)>$")
++        self.assertRegex(repr(c_void_p.from_param(0x12)), r"^<cparam 'P' \(0x0*12\)>$")
++
+ ################################################################
+ 
+ if __name__ == '__main__':
+#diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
+#new file mode 100644
+#index 0000000000000..7df65a156feab
+#--- /dev/null
+#+++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
+#@@ -0,0 +1,2 @@
+#+Avoid static buffers when computing the repr of :class:`ctypes.c_double` and
+#+:class:`ctypes.c_longdouble` values.
+diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c
+index a9b8675cd951b..de75918d49f37 100644
+--- a/Modules/_ctypes/callproc.c
++++ b/Modules/_ctypes/callproc.c
+@@ -484,58 +484,47 @@ is_literal_char(unsigned char c)
+ static PyObject *
+ PyCArg_repr(PyCArgObject *self)
+ {
+-    char buffer[256];
+     switch(self->tag) {
+     case 'b':
+     case 'B':
+-        sprintf(buffer, "<cparam '%c' (%d)>",
++        return PyUnicode_FromFormat("<cparam '%c' (%d)>",
+             self->tag, self->value.b);
+-        break;
+     case 'h':
+     case 'H':
+-        sprintf(buffer, "<cparam '%c' (%d)>",
++        return PyUnicode_FromFormat("<cparam '%c' (%d)>",
+             self->tag, self->value.h);
+-        break;
+     case 'i':
+     case 'I':
+-        sprintf(buffer, "<cparam '%c' (%d)>",
++        return PyUnicode_FromFormat("<cparam '%c' (%d)>",
+             self->tag, self->value.i);
+-        break;
+     case 'l':
+     case 'L':
+-        sprintf(buffer, "<cparam '%c' (%ld)>",
++        return PyUnicode_FromFormat("<cparam '%c' (%ld)>",
+             self->tag, self->value.l);
+-        break;
+ 
+     case 'q':
+     case 'Q':
+-        sprintf(buffer,
+-#ifdef MS_WIN32
+-            "<cparam '%c' (%I64d)>",
+-#else
+-            "<cparam '%c' (%lld)>",
+-#endif
++        return PyUnicode_FromFormat("<cparam '%c' (%lld)>",
+             self->tag, self->value.q);
+-        break;
+     case 'd':
+-        sprintf(buffer, "<cparam '%c' (%f)>",
+-            self->tag, self->value.d);
+-        break;
+-    case 'f':
+-        sprintf(buffer, "<cparam '%c' (%f)>",
+-            self->tag, self->value.f);
+-        break;
+-
++    case 'f': {
++        PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d);
++        if (f == NULL) {
++            return NULL;
++        }
++        PyObject *result = PyUnicode_FromFormat("<cparam '%c' (%R)>", self->tag, f);
++        Py_DECREF(f);
++        return result;
++    }
+     case 'c':
+         if (is_literal_char((unsigned char)self->value.c)) {
+-            sprintf(buffer, "<cparam '%c' ('%c')>",
++            return PyUnicode_FromFormat("<cparam '%c' ('%c')>",
+                 self->tag, self->value.c);
+         }
+         else {
+-            sprintf(buffer, "<cparam '%c' ('\\x%02x')>",
++            return PyUnicode_FromFormat("<cparam '%c' ('\\x%02x')>",
+                 self->tag, (unsigned char)self->value.c);
+         }
+-        break;
+ 
+ /* Hm, are these 'z' and 'Z' codes useful at all?
+    Shouldn't they be replaced by the functionality of c_string
+@@ -544,22 +533,20 @@ PyCArg_repr(PyCArgObject *self)
+     case 'z':
+     case 'Z':
+     case 'P':
+-        sprintf(buffer, "<cparam '%c' (%p)>",
++        return PyUnicode_FromFormat("<cparam '%c' (%p)>",
+             self->tag, self->value.p);
+         break;
+ 
+     default:
+         if (is_literal_char((unsigned char)self->tag)) {
+-            sprintf(buffer, "<cparam '%c' at %p>",
++            return PyUnicode_FromFormat("<cparam '%c' at %p>",
+                 (unsigned char)self->tag, (void *)self);
+         }
+         else {
+-            sprintf(buffer, "<cparam 0x%02x at %p>",
++            return PyUnicode_FromFormat("<cparam 0x%02x at %p>",
+                 (unsigned char)self->tag, (void *)self);
+         }
+-        break;
+     }
+-    return PyUnicode_FromString(buffer);
+ }
+ 
+ static PyMemberDef PyCArgType_members[] = {
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 730c371fda..bcf1bfd706 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -364,6 +364,7 @@ data types.")
 (define-public python-3.8
   (package (inherit python-2)
     (name "python")
+    (replacement python-3.8/fixed)
     (version "3.8.2")
     (source (origin
               (method url-fetch)
@@ -521,6 +522,13 @@ data types.")
                                         (version-major+minor version)
                                         "/site-packages"))))))))
 
+(define-public python-3.8/fixed
+  (package/inherit python-3.8
+    (source (origin
+              (inherit (package-source python-3.8))
+              (patches (append (search-patches "python-3.8-CVE-2021-3177.patch")
+                               (origin-patches (package-source python-3.8))))))))
+
 (define-public python-3.9
   (package (inherit python-3.8)
     (name "python-next")
-- 
2.30.1


--/YZKjQU8EkpL8FB1--




Information forwarded to bug-guix@HIDDEN:
bug#46631; Package guix. Full text available.

Message received at 46631 <at> debbugs.gnu.org:


Received: (at 46631) by debbugs.gnu.org; 19 Feb 2021 15:35:36 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Feb 19 10:35:36 2021
Received: from localhost ([127.0.0.1]:50182 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lD7oe-0006wd-8t
	for submit <at> debbugs.gnu.org; Fri, 19 Feb 2021 10:35:36 -0500
Received: from eggs.gnu.org ([209.51.188.92]:55856)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1lD7ob-0006wN-L8
 for 46631 <at> debbugs.gnu.org; Fri, 19 Feb 2021 10:35:34 -0500
Received: from fencepost.gnu.org ([2001:470:142:3::e]:50729)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ludo@HIDDEN>)
 id 1lD7oW-0006ga-Ce; Fri, 19 Feb 2021 10:35:28 -0500
Received: from [2001:660:6102:320:e120:2c8f:8909:cdfe] (port=49944 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>)
 id 1lD7oV-0004pC-H3; Fri, 19 Feb 2021 10:35:27 -0500
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
To: Leo Famulari <leo@HIDDEN>
Subject: Re: bug#46631: Python CVE-2021-3177
References: <YC8uvtnvGyXcCno1@HIDDEN>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 1 =?utf-8?Q?Vent=C3=B4se?= an 229 de la =?utf-8?Q?R?=
 =?utf-8?Q?=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Fri, 19 Feb 2021 16:35:26 +0100
In-Reply-To: <YC8uvtnvGyXcCno1@HIDDEN> (Leo Famulari's message of "Thu,
 18 Feb 2021 22:21:34 -0500")
Message-ID: <87h7m8kr41.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 46631
Cc: 46631 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

Hi,

Leo Famulari <leo@HIDDEN> skribis:

> I assume that Python is considered to be "graft-able". Can anyone
> confirm?

Yes, I think so.

Ludo=E2=80=99.




Information forwarded to bug-guix@HIDDEN:
bug#46631; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 19 Feb 2021 03:21:43 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Feb 18 22:21:43 2021
Received: from localhost ([127.0.0.1]:48583 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lCwMR-0001Ck-9N
	for submit <at> debbugs.gnu.org; Thu, 18 Feb 2021 22:21:43 -0500
Received: from lists.gnu.org ([209.51.188.17]:57416)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@HIDDEN>) id 1lCwMP-0001Cc-NH
 for submit <at> debbugs.gnu.org; Thu, 18 Feb 2021 22:21:42 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:42900)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <leo@HIDDEN>) id 1lCwMP-0008Pi-HF
 for bug-guix@HIDDEN; Thu, 18 Feb 2021 22:21:41 -0500
Received: from wout4-smtp.messagingengine.com ([64.147.123.20]:42015)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <leo@HIDDEN>) id 1lCwMN-00071U-Jm
 for bug-guix@HIDDEN; Thu, 18 Feb 2021 22:21:41 -0500
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.west.internal (Postfix) with ESMTP id C113EC79;
 Thu, 18 Feb 2021 22:21:37 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162])
 by compute4.internal (MEProxy); Thu, 18 Feb 2021 22:21:37 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=date:from:to:subject:message-id:mime-version:content-type; s=
 mesmtp; bh=p2GuoJtMRPEqWaWHvpOz5VT9yNrfY+3zCEPG9oKXJbU=; b=QURD+
 X8tpFlMH98mavf6JIyv+Tmv6f4kPaOkIjXEyE2ZL/dAklyKsuX+mZ6djaOnEA1AR
 S6Tv+a9vkPgSR3TOZU5CxuxMz4g3rpP3GS1jZ6oqz6sbpGNciYBYGvxghwRLwc0X
 5bXjXInbioztEECrWu9/A9DXSBFF1e/w7SpnB8=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:message-id
 :mime-version:subject:to:x-me-proxy:x-me-proxy:x-me-sender
 :x-me-sender:x-sasl-enc; s=fm2; bh=p2GuoJtMRPEqWaWHvpOz5VT9yNrfY
 +3zCEPG9oKXJbU=; b=F29dZGCdqmx+ZO8JojJo2L2wnh7206e15O+kZl1DiEL1k
 asqRB2vIzL5k9pT6VOLROUXLrvYfv4sqdospJxZCvGgFn6hQuMvfm7ASTMw76Sju
 sHArQehyx79Y5xph0wuYUh3R4eGyf117g0cC41IuSNLGJcXG60URXYC4SCAjkGy8
 fXfgB/mcTcUvu8pk/RqtwWFer6Bo/NsNR1+9cMWpLl3InhqxpyHxabPhmWZG44ww
 ictOFDM1HQ92DeIqnkN7FHI80yqgu5WyRrxIJf/VFKbexCQod83wSCAeF27g7Ygc
 BO9qGgXupFxy0GXRUSJH6YgxY9HIUtP27vELMvy8Q==
X-ME-Sender: <xms:wS4vYGVsIXkm7mRGPiLYZRENMItfX24dBhoBKOWuwkE5wXlh-HMrjA>
 <xme:wS4vYF3tN1ItzW_uEqUDAWpwwFC1Itu06wb21lICayhoxxHbojTjWrg7QfXUM0XT1
 RwrLnnZeN2xNtItKw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrjeehgdehiecutefuodetggdotefrodftvf
 curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu
 uegrihhlohhuthemuceftddtnecunecujfgurhepfffhvffukfggtggusehttdertddttd
 dvnecuhfhrohhmpefnvghoucfhrghmuhhlrghrihcuoehlvghosehfrghmuhhlrghrihdr
 nhgrmhgvqeenucggtffrrghtthgvrhhnpeffueeuieeuieefuefgteeghfelgeefvedvtd
 duvedtgffffeeiteeviefgveetheenucffohhmrghinhepmhhithhrvgdrohhrghdpphih
 thhhohhnrdhorhhgnecukfhppeeiledruddvtddrledvrddvtdeknecuvehluhhsthgvrh
 fuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheplhgvohesfhgrmhhulhgrrhhi
 rdhnrghmvg
X-ME-Proxy: <xmx:wS4vYD0imKG89kqQ3gIltsZhuoxu9G8nED4nEYTAeshEK2T1UtwuuA>
 <xmx:wS4vYI_dJl04mNwm0rXIcbY2N6ZuLN0GHV2FOVmblrUpNYNbXxSvQw>
 <xmx:wS4vYA1RAOF8syJ5bTmNjWF4Gnn0Fmq1OxLWi81b5i9UO7D5Z8js3Q>
 <xmx:wS4vYIWl_yUQHF1aWjw92TfYhsvHck1YaV9S_i-yew4Mqc9idmXtzg>
Received: from localhost (ool-45785cd0.dyn.optonline.net [69.120.92.208])
 by mail.messagingengine.com (Postfix) with ESMTPA id 383EF24005A
 for <bug-guix@HIDDEN>; Thu, 18 Feb 2021 22:21:37 -0500 (EST)
Date: Thu, 18 Feb 2021 22:21:34 -0500
From: Leo Famulari <leo@HIDDEN>
To: bug-guix@HIDDEN
Subject: Python CVE-2021-3177
Message-ID: <YC8uvtnvGyXcCno1@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Received-SPF: pass client-ip=64.147.123.20; envelope-from=leo@HIDDEN;
 helo=wout4-smtp.messagingengine.com
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.4 (-)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.4 (--)

Quoting from MITRE:

------
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in
_ctypes/callproc.c, which may lead to remote code execution in certain
Python applications that accept floating-point numbers as untrusted
input, as demonstrated by a 1e300 argument to c_double.from_param. This
occurs because sprintf is used unsafely. 
------
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177

There is not yet an upstream release to fix the issue in the 3.8 series
that we distribute. I believe there are patches we can cherry-pick. Can
somebody find them?

I assume that Python is considered to be "graft-able". Can anyone
confirm?

The upstream bug report:
https://bugs.python.org/issue42938




Acknowledgement sent to Leo Famulari <leo@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#46631; Package guix. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Mon, 22 Feb 2021 09:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.