FS#68063 - [security][python2] backport 3 security fixes - courtesy of Gentoo and Fedora backporting efforts

Attached to Project: Arch Linux
Opened by Siegfried Metz (NiceGuy) - Thursday, 01 October 2020, 01:53 GMT
Last edited by Felix Yan (felixonmars) - Saturday, 20 March 2021, 20:50 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Felix Yan (felixonmars)
Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:

Security fixes for Python 2.7: [1]:
*) CVE-2019-20907 (python2: python: infinite loop in the tarfile module via crafted TAR archive),
*) CVE-2020-8492 (python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS),
*) CVE-2020-26116 (python27: python: CRLF injection via HTTP request method in httplib/http.client)

Python 2 is already end of life and does not receive any further updates or security updates officially any more. As EOL is a matter of fact, all GNU/Linux distributions, BSDs and other OSes are still vulnerable to Python2's found vulnerabilities with no upstream backporting effort.

There is, however, at least one highly active Gentoo developer by the name of Michał Górny (who I hope isn't offended by my using his name and blog post here), who made sure certain security vulnerabilities affecting Python3 also got backported to Python2, which he described in his blog post [2], which I became aware of.
He also made sure Pypy{2,3} 7.3.2 got security fixes applied, so it's his effort I want to congratulate and thank.

Basically, Gentoo [3] and Fedora backported CVE-2019-20907 (infinite loop in tarfile), CVE-2020-8492 (ReDoS in basic HTTP auth handling) and bpo-39603 (header injection via HTTP method). Mostly because the patch from Python 3 applied cleanly to Python 2.7.


That makes Gentoo and Fedora the first distributions to backport security fixes to Python 2, although EOL'ed.

Arch should follow suit and apply those backports and security fixes. Yes, those backports are unofficial and initially only for Python3 and I am aware that Arch follows the rule to prefer "vanilla" packages. In this special case, however, there is no more upstream effort to begin with.

Even if, maybe, a lot of us 'Archers' have got rid of Python2 (via sudo pacman -Rscn python2, for instance), we are all stuck for a longer period than we all want with Python2 in the form of still used Python2 MAKEDEPENDS in a lot of packages. Even though Python2 is no longer installed, certain Arch officially built packages with Python2 MAKEDEPENDS make us all vulnerable, if no backports are applied.

We all want to get rid of Python2 by now, but the truth is we are not there yet. None of the GNU/Linux distributions are. So at least we should apply a few selected security fixes to Python2 to make it less vulnerable, until the time we surely sunset all of the Python2 packages for good (hopefully in the not so distant future).


[1]:
Bug 1856485 - CVE-2019-20907 python2: python: Avoid infinite loop when reading specially crafted TAR files
https://bugzilla.redhat.com/show_bug.cgi?id=1856485
https://bodhi.fedoraproject.org/updates/FEDORA-2020-e9251de272

Bug 1809065 - CVE-2020-8492 python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS
https://bugzilla.redhat.com/show_bug.cgi?id=1809065

Bug 1883244 - CVE-2020-26116 python27: python: CRLF injection via HTTP request method in httplib/http.client
https://bugzilla.redhat.com/show_bug.cgi?id=1883244

[2]: https://blogs.gentoo.org/mgorny/2020/09/12/new-vulnerability-fixes-in-python-2-7-and-pypy/
[3]: https://dev.gentoo.org/~mgorny/dist/python/python-gentoo-patches-2.7.18-r3.tar.xz

3 patches inside python-gentoo-patches-2.7.18-r3.tar.xz:
0017-bpo-39017-Avoid-infinite-loop-in-the-tarfile-module-.patch
0018-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
0019-bpo-39603-Prevent-header-injection-in-http-methods-G.patch

Additional info:
* >=python-2.7.18-2

Steps to reproduce:
Apply the 3 security patches by Gentoo/Fedora on top of Python2 and be a bit "safer" thanks to those backports.

Closed by  Felix Yan (felixonmars)
Saturday, 20 March 2021, 20:50 GMT
Reason for closing:  Fixed
Additional comments about closing:  python2 2.7.18-3
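The third item in the report (bpo-39603 / CVE-2020-26116, header injection via the HTTP method) is easiest to see on the wire. The following is an added illustration written for this page; it is not code from the bug report, from Gentoo's patches or from CPython. The two request-line builders are constructed stand-ins for the pre-fix and post-fix shape of httplib's request line, the control-character class mirrors the check the upstream fix added, and the "server view" splitter and the crafted method string are constructed for the demonstration.

```python
import re

# Mirrors the upstream check: a method containing any ASCII control
# character (0x00-0x1F, which includes CR and LF) is refused.
_DISALLOWED_METHOD_CHARS = re.compile(r"[\x00-\x1f]")


def build_request_line_unchecked(method, path):
    """Pre-fix shape of the request line: the method is interpolated verbatim."""
    return ("%s %s HTTP/1.1\r\n" % (method, path)).encode("ascii")


def build_request_line_checked(method, path):
    """Hardened form: reject control characters before the method hits the wire."""
    match = _DISALLOWED_METHOD_CHARS.search(method)
    if match:
        raise ValueError(
            "method can't contain control characters: %r (first offender %r)"
            % (method, match.group())
        )
    return build_request_line_unchecked(method, path)


def split_request_lines(wire):
    """Server-side view: one logical line per CRLF, empty lines dropped."""
    return [line for line in wire.split(b"\r\n") if line]


# Constructed attacker-controlled "method": a real verb, then CRLF, an
# injected header, and the start of a second, smuggled request line.
INJECTED_METHOD = "GET /legit HTTP/1.1\r\nX-Injected: 1\r\nPOST"


def demo_unchecked():
    """Logical lines a server would parse from the unchecked request."""
    return split_request_lines(build_request_line_unchecked(INJECTED_METHOD, "/target"))


def demo_checked():
    """'rejected' if the hardened builder refuses the crafted method, else 'sent'."""
    try:
        build_request_line_checked(INJECTED_METHOD, "/target")
    except ValueError:
        return "rejected"
    return "sent"


if __name__ == "__main__":
    for line in demo_unchecked():
        print("server sees:", line.decode("ascii"))
    print("hardened builder:", demo_checked())
```

With the unchecked builder the single call produces three logical lines: the attacker's own request, an injected header, and a second request line that reuses the caller's path, which is exactly the request-smuggling shape the CVE describes. The hardened builder fails closed before any bytes are produced.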
Comment by Jelle van der Waa (jelly) - Saturday, 20 February 2021, 15:27 GMT
Comment by Jonas Witschel (diabonas) - Sunday, 21 February 2021, 11:19 GMT
Python 2.7 appears to be affected by CVE-2021-23336 as well, cf. e.g. https://github.com/python/cpython/blob/8d21aa21f2cbc6d50aab3f420bb23be1d081dac4/Lib/urlparse.py#L445 As far as I am aware, there have been no efforts at backporting the fix https://github.com/python/cpython/commit/c9f07813ab8e664d8c34413c4fc2d4f86c061a92 yet.
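The urlparse line referenced above is the one where parse_qsl splits on ';' as well as '&'; that double separator is what CVE-2021-23336 / bpo-42967 is about, because a front-end cache that only recognises '&' keys a request on a different parameter set than the Python backend ends up parsing. The following is an added illustration written for this page, not code from the bug report or from CPython: the two parsers are constructed, simplified stand-ins for the pre-fix and post-fix behaviour (they only handle name=value pairs and do not replicate the full option set), and the cache-key model, the utm_* "unkeyed parameter" convention and both query strings are constructed for the demonstration.

```python
from urllib.parse import unquote_plus


def _parse_pairs(qs, separator):
    """Minimal parse_qsl: split on `separator`, then on the first '='.
    Pairs without '=' are dropped, as parse_qsl does by default."""
    result = []
    for pair in qs.split(separator):
        if "=" not in pair:
            continue
        name, value = pair.split("=", 1)
        result.append((unquote_plus(name), unquote_plus(value)))
    return result


def parse_qsl_legacy(qs):
    """Pre-fix behaviour: both '&' and ';' end a name=value pair."""
    return _parse_pairs(qs.replace(";", "&"), "&")


def parse_qsl_fixed(qs, separator="&"):
    """Post-fix behaviour: one explicit separator, '&' by default."""
    return _parse_pairs(qs, separator)


def cache_key(qs):
    """Constructed model of a front-end cache: keys on '&'-separated pairs
    and treats utm_* tracking parameters as unkeyed (ignored)."""
    keyed = [(k, v) for k, v in parse_qsl_fixed(qs) if not k.startswith("utm_")]
    return tuple(sorted(keyed))


# Constructed requests: the second hides an extra parameter inside the
# value of an unkeyed utm_source parameter, separated by ';'.
BENIGN_QS = "page=home"
CLOAKED_QS = "page=home&utm_source=x;callback=evil"


def demo():
    """Summarise what each component sees for the cloaked request."""
    return {
        "cache_keys_collide": cache_key(BENIGN_QS) == cache_key(CLOAKED_QS),
        "legacy_backend_callback": dict(parse_qsl_legacy(CLOAKED_QS)).get("callback"),
        "fixed_backend_callback": dict(parse_qsl_fixed(CLOAKED_QS)).get("callback"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%s: %r" % (name, value))
```

The cache sees the same key for both requests, so whatever the legacy backend renders for callback=evil is stored under the key of the benign request; with the single-separator parser the cloaked parameter never reaches the backend as its own name. Applications that genuinely rely on ';' must now pass it explicitly as the separator rather than getting both by default.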
Comment by loqs (loqs) - Monday, 22 February 2021, 10:58 GMT
The updated Gentoo python patch archive [1] contains:

0007-3.6-closes-bpo-42938-Replace-snprintf-with-Python-un.patch
0024-3.6-bpo-42967-only-use-as-a-query-string-separator-G.patch

[1] https://dev.gentoo.org/~mgorny/dist/python/python-gentoo-patches-2.7.18_p7.tar.xz
Comment by loqs (loqs) - Wednesday, 10 March 2021, 18:33 GMT
There is also CVE-2020-27619 (0005-bpo-41944-No-longer-call-eval-on-content-received-vi.patch) and the patch py2-ize-the-CJK-codec-test.patch [1].
There are still outstanding issues with the modified tests. Hopefully someone can fix the patch.

Attached PKGBUILD.diff adds patches for the six CVEs mentioned and two other security fixes:
0004-bpo-42051-Reject-XML-entity-declarations-in-plist-fi.patch
0006-bpo-40791-Make-compare_digest-more-constant-time.-GH.patch

[1] https://gitweb.gentoo.org/fork/cpython.git/commit/?h=gentoo-2.7-vanilla&id=ed1aa2f4738efe948242f252bcb0aa0b4314d2a2
Comment by Felix Yan (felixonmars) - Monday, 15 March 2021, 15:04 GMT
Updated in python2 2.7.18-3. Sorry for the delay.