Python CVE-2021-3177

Details
2 participants
  • Leo Famulari
  • Ludovic Courtès
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
Leo Famulari wrote on 19 Feb 2021 04:21
(address . bug-guix@gnu.org)
YC8uvtnvGyXcCno1@jasmine.lan
Quoting from MITRE:

------
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in
_ctypes/callproc.c, which may lead to remote code execution in certain
Python applications that accept floating-point numbers as untrusted
input, as demonstrated by a 1e300 argument to c_double.from_param. This
occurs because sprintf is used unsafely.
------

There is not yet an upstream release to fix the issue in the 3.8 series
that we distribute. I believe there are patches we can cherry-pick. Can
somebody find them?

I assume that Python is considered to be "graft-able". Can anyone
confirm?

The upstream bug report:
Ludovic Courtès wrote on 19 Feb 2021 16:35
(name . Leo Famulari)(address . leo@famulari.name)(address . 46631@debbugs.gnu.org)
87h7m8kr41.fsf@gnu.org
Hi,

Leo Famulari <leo@famulari.name> skribis:

> I assume that Python is considered to be "graft-able". Can anyone
> confirm?

Yes, I think so.

Ludo’.
Leo Famulari wrote on 20 Feb 2021 00:12
Re: Python CVE-2021-3177
(address . 46631@debbugs.gnu.org)
YDBF+l7hL3IzP185@jasmine.lan
I pushed a fix for Python 3.9 in commit
f08c7cb0c75e7d5305c82d6a4af68ddf74fb08b1.

But, we use Python 3.8 for everything, and my patch (attached) fails to
apply for some reason. It does work when I apply the new bug fix patch
"by hand" onto the Guix source code for our current python-3.8 package.
Leo Famulari wrote on 20 Feb 2021 00:23
(address . 46631@debbugs.gnu.org)
YDBIhd+7XE90GNre@jasmine.lan
On Fri, Feb 19, 2021 at 06:12:58PM -0500, Leo Famulari wrote:
> But, we use Python 3.8 for everything, and my patch (attached) fails to
> apply for some reason. It does work when I apply the new bug fix patch
> "by hand" onto the Guix source code for our current python-3.8 package.

More weirdness: When I apply the patch to the python-3.8 package (that
is, without setting up a grafted replacement), it works. So I am
definitely doing something wrong here.
Leo Famulari wrote on 20 Feb 2021 00:41
(address . 46631@debbugs.gnu.org)
YDBMpqCk3DBJXvfU@jasmine.lan
On Fri, Feb 19, 2021 at 06:23:49PM -0500, Leo Famulari wrote:
> More weirdness: When I apply the patch to the python-3.8 package (that
> is, without setting up a grafted replacement), it works. So I am
> definitely doing something wrong here.

Here is a new patch that I'm currently building. I think I had composed
the package inheritance incorrectly in my previous patch.
Ludovic Courtès wrote on 22 Feb 2021 09:08
Re: bug#46631: Python CVE-2021-3177
(name . Leo Famulari)(address . leo@famulari.name)(address . 46631@debbugs.gnu.org)
87pn0sfrtd.fsf@gnu.org
Hi Leo,

Leo Famulari <leo@famulari.name> skribis:

> From b62969d52add462fc1b8b4bd1e0a3c4d53a39864 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Fri, 19 Feb 2021 18:09:57 -0500
> Subject: [PATCH] gnu: Python: Fix CVE-2021-3177.
>
> * gnu/packages/patches/python-3.8-CVE-2021-3177.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/python.scm (python-3.8): Define with PACKAGE/INHERIT.
> [replacement]: New field.
> (python-3.8/fixed): New variable.

[...]

> (define-public python-3.8
> - (package (inherit python-2)
> + (package/inherit python-2
> (name "python")
> + (replacement python-3.8/fixed)
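
Review bot: the switch from (package (inherit python-2) ...) to (package/inherit python-2 ...) is not needed for this change: package/inherit differs from a plain inherit only in carrying over the parent's own replacement, and nothing in this hunk depends on a replacement of python-2, so (inherit python-2) can stay while the new (replacement python-3.8/fixed) field is added. Also, python-3.8/fixed itself is not in the quoted hunk; for the graft to be valid it should inherit from python-3.8 and differ only in its source patches, so that name, version and outputs stay identical to the package it replaces.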

You can keep (inherit …) because the effect of ‘package/inherit’ is just
to preserve replacements, which is unnecessary here.

Apart from that, the Guix side of things LGTM.

Thanks for working on it!

Ludo’.
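For readers following the graft discussion, here is the composition the thread arrives at, written out as an added illustration. It is not the patch Leo pushed (only part of that is quoted here); it assumes the patch file name given in the commit message, that python-3.8 is defined by inheriting from python-2 as the quoted hunk shows, and it elides the unchanged fields of the python-3.8 definition.

```scheme
;; Added illustration of a Guix graft for a security fix; not the patch as
;; committed. Assumptions: the patch file is named
;; python-3.8-CVE-2021-3177.patch (from the commit message) and python-2 is
;; the parent package (from the quoted hunk).

(define-public python-3.8
  (package
    ;; A plain inherit suffices: package/inherit only adds carrying over the
    ;; parent's own replacement, which this definition does not rely on.
    (inherit python-2)
    (name "python")
    ;; The replacement is a graft: packages depending on python-3.8 are not
    ;; rebuilt; the fixed outputs are substituted into them instead.
    (replacement python-3.8/fixed)
    ;; ... remaining fields of python-3.8 unchanged ...
    ))

(define-public python-3.8/fixed
  ;; The replacement inherits everything from python-3.8 and changes only the
  ;; source, so name, version and outputs stay identical, which is what
  ;; grafting requires. The forward reference above is fine because the
  ;; replacement field is evaluated lazily.
  (package
    (inherit python-3.8)
    (source (origin
              (inherit (package-source python-3.8))
              (patches (append (origin-patches (package-source python-3.8))
                               (search-patches
                                "python-3.8-CVE-2021-3177.patch")))))))
```

To check that the graft takes effect, `guix build python@3.8` should build python-3.8/fixed and return a grafted output, while `guix build --no-grafts python@3.8` returns the original, unpatched package.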
Ludovic Courtès wrote on 22 Feb 2021 10:15
control message for bug #46631
(address . control@debbugs.gnu.org)
87ft1oea5d.fsf@gnu.org
tags 46631 + security
quit
Leo Famulari wrote on 23 Feb 2021 20:16
Re: bug#46631: Python CVE-2021-3177
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 46631-done@debbugs.gnu.org)
YDVUppIfrq7dViXv@jasmine.lan
On Mon, Feb 22, 2021 at 09:08:14AM +0100, Ludovic Courtès wrote:
> You can keep (inherit …) because the effect of ‘package/inherit’ is just
> to preserve replacements, which is unnecessary here.

I used to know that... it's been a while and I forgot, and had trouble
understanding the package/inherit docstring. So I pushed a commit that I
hope clarifies it.

> Apart from that, the Guix side of things LGTM.

Pushed as 84e082e31706411e7f9c3189a83f8ed0b4016fe7

> Thanks for working on it!

Thanks for the review!
Closed