[2/5] python3: add CVE-2007-4559 to whitelist

Submitted by Ross Burton on Nov. 19, 2020, 10:38 a.m. | Patch ID: 178069

Details

Message ID 20201119103813.2726273-2-ross.burton@arm.com
State Accepted
Commit f4c22e83f2e68ff157da5ea1303acc2931d63f5f

Commit Message

Ross Burton Nov. 19, 2020, 10:38 a.m.
This issue describes expected behaviour, do not use tarfile with
untrusted data.

Signed-off-by: Ross Burton <ross.burton@arm.com>

---
 meta/recipes-devtools/python/python3_3.9.0.bb | 2 ++
 1 file changed, 2 insertions(+)

-- 
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#144813): https://lists.openembedded.org/g/openembedded-core/message/144813
Mute This Topic: https://lists.openembedded.org/mt/78361985/1003190
Group Owner: openembedded-core+owner@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [mhalstead@linuxfoundation.org]
-=-=-=-=-=-=-=-=-=-=-=-
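The commit message's advice ("do not use tarfile with untrusted data") can be enforced in code rather than left as guidance. The following is an added example, not code from this patch, from OpenEmbedded or from the Python project: a guard that inspects every member of a tar archive before extraction and refuses any whose resolved path (or link target) would land outside the destination directory. The destination path `/tmp/extract-here` and the two in-memory archives are constructed sample inputs.

```python
import io
import os
import tarfile

# Added example (not part of the OpenEmbedded patch or CPython): a guarded
# extraction that rejects members escaping the destination directory, which
# is the behaviour plain tarfile.extractall() does not provide by default.


def is_within_directory(directory: str, target: str) -> bool:
    """True if `target` resolves to a path inside `directory`."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory


def check_members(tar: tarfile.TarFile, dest: str) -> list:
    """Return names of members that would escape `dest`: '..' traversal,
    absolute member names, or symlink/hardlink targets outside `dest`."""
    bad = []
    for member in tar.getmembers():
        target = os.path.join(dest, member.name)
        if not is_within_directory(dest, target):
            bad.append(member.name)
            continue
        if member.issym() or member.islnk():
            # A symlink target is relative to the link's own directory;
            # a hardlink target is relative to the archive root (dest).
            link_base = os.path.dirname(target) if member.issym() else dest
            link_target = os.path.join(link_base, member.linkname)
            if not is_within_directory(dest, link_target):
                bad.append(member.name)
    return bad


def safe_extractall(tar: tarfile.TarFile, dest: str) -> None:
    """Extract only if every member stays inside `dest`, else refuse whole archive."""
    bad = check_members(tar, dest)
    if bad:
        raise ValueError(f"refusing to extract members escaping {dest}: {bad}")
    tar.extractall(dest)


def build_archive(entries) -> bytes:
    """Constructed sample input: build an in-memory tar from (name, text) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in entries:
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: one well-formed archive, one with a traversing member.
SAFE_ARCHIVE = build_archive([("pkg/README", "ok\n")])
TRAVERSAL_ARCHIVE = build_archive([("pkg/README", "ok\n"), ("../outside.txt", "x\n")])


def escaping_members(archive: bytes, dest: str = "/tmp/extract-here") -> list:
    """Run the guard over an archive held in memory; returns offending names."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return check_members(tar, dest)


if __name__ == "__main__":
    print("safe archive:", escaping_members(SAFE_ARCHIVE))          # []
    print("traversal archive:", escaping_members(TRAVERSAL_ARCHIVE))  # ['../outside.txt']
```

The guard rejects the whole archive rather than skipping bad members, so a partially extracted tree never ends up on disk. On Python releases that include PEP 706 (3.12, and the 3.8 to 3.11 maintenance releases that backported it) the same protection is available from the standard library as `tar.extractall(dest, filter="data")`; the explicit check above is for older interpreters and for reporting which members were at fault.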

Patch

diff --git a/meta/recipes-devtools/python/python3_3.9.0.bb b/meta/recipes-devtools/python/python3_3.9.0.bb
index 8fe60ea0160..86077bb1ca8 100644
--- a/meta/recipes-devtools/python/python3_3.9.0.bb
+++ b/meta/recipes-devtools/python/python3_3.9.0.bb
@@ -45,6 +45,8 @@  UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/"
 
 CVE_PRODUCT = "python"
 
+# Upstream consider this expected behaviour
+CVE_CHECK_WHITELIST += "CVE-2007-4559"
 # This is not exploitable when glibc has CVE-2016-10739 fixed.
 CVE_CHECK_WHITELIST += "CVE-2019-18348"
 
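Review bot: the comment on the new CVE_CHECK_WHITELIST entry should state why upstream treats CVE-2007-4559 as expected behaviour, i.e. the point the commit message makes (tarfile is not to be used with untrusted data), ideally with a reference to the upstream issue or the tarfile documentation, so that anyone auditing the whitelist later can verify the rationale without resorting to git blame; the adjacent CVE-2019-18348 entry already records a concrete condition in its comment. Suggest something like `# Upstream consider this expected behaviour: tarfile must not be used with untrusted data` plus a link, and a blank line between the two whitelist entries so they read as separate items. Note also that whitelisting only silences cve-check in the build report; any recipe in the layer that extracts downloaded archives with tarfile still carries the risk the commit message describes.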

Comments

Steve Sakoman Nov. 19, 2020, 3:03 p.m.
Is this also suitable for dunfell?

Steve

On Thu, Nov 19, 2020 at 12:38 AM Ross Burton <ross@burtonini.com> wrote:
>

> This issue describes expected behaviour, do not use tarfile with

> untrusted data.

>

> Signed-off-by: Ross Burton <ross.burton@arm.com>

> ---

>  meta/recipes-devtools/python/python3_3.9.0.bb | 2 ++

>  1 file changed, 2 insertions(+)

>

> diff --git a/meta/recipes-devtools/python/python3_3.9.0.bb b/meta/recipes-devtools/python/python3_3.9.0.bb

> index 8fe60ea0160..86077bb1ca8 100644

> --- a/meta/recipes-devtools/python/python3_3.9.0.bb

> +++ b/meta/recipes-devtools/python/python3_3.9.0.bb

> @@ -45,6 +45,8 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/"

>

>  CVE_PRODUCT = "python"

>

> +# Upstream consider this expected behaviour

> +CVE_CHECK_WHITELIST += "CVE-2007-4559"

>  # This is not exploitable when glibc has CVE-2016-10739 fixed.

>  CVE_CHECK_WHITELIST += "CVE-2019-18348"

>

> --

> 2.25.1

>

>

> 

>
Ross Burton Nov. 20, 2020, 11:10 a.m.
Yes.

Ross

On Thu, 19 Nov 2020 at 15:03, Steve Sakoman <steve@sakoman.com> wrote:
>

> Is this also suitable for dunfell?

>

> Steve

>

> On Thu, Nov 19, 2020 at 12:38 AM Ross Burton <ross@burtonini.com> wrote:

> >

> > This issue describes expected behaviour, do not use tarfile with

> > untrusted data.

> >

> > Signed-off-by: Ross Burton <ross.burton@arm.com>

> > ---

> >  meta/recipes-devtools/python/python3_3.9.0.bb | 2 ++

> >  1 file changed, 2 insertions(+)

> >

> > diff --git a/meta/recipes-devtools/python/python3_3.9.0.bb b/meta/recipes-devtools/python/python3_3.9.0.bb

> > index 8fe60ea0160..86077bb1ca8 100644

> > --- a/meta/recipes-devtools/python/python3_3.9.0.bb

> > +++ b/meta/recipes-devtools/python/python3_3.9.0.bb

> > @@ -45,6 +45,8 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/"

> >

> >  CVE_PRODUCT = "python"

> >

> > +# Upstream consider this expected behaviour

> > +CVE_CHECK_WHITELIST += "CVE-2007-4559"

> >  # This is not exploitable when glibc has CVE-2016-10739 fixed.

> >  CVE_CHECK_WHITELIST += "CVE-2019-18348"

> >

> > --

> > 2.25.1

> >

> >

> > 

> >