Classification
Title: BZip 1.0.6 Critical Vulnerability
Type: security
Stage: patch review
Components: macOS, Windows
Versions: Python 3.9

Process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: corona10, malin, ned.deily, paul.moore, ronaldoussoren, s.s.mahato, steve.dower, tim.golden, zach.ware
Priority: normal
Keywords: patch

Created on 2021-07-02 10:46 by s.s.mahato, last changed 2021-07-20 06:35 by corona10.

Pull Requests
URL | Status | Linked | Edit
PR 27239 | open | corona10, 2021-07-19 15:47 |
PR 27241 | closed | corona10, 2021-07-19 16:01 |
Messages (7)
msg396853 - (view) Author: siddhartha shankar mahato (s.s.mahato) Date: 2021-07-02 10:46
Python 3.9.5 and 3.9.6 are using Bzip2 1.0.6, which has a known critical vulnerability.
CVE-2019-12900 (BDSA-2019-1844)
9.8 Critical NVD CVE-2016-3189 (BDSA-2019-2036).

Please upgrade the same to a stable version.
msg396966 - (view) Author: Ma Lin (malin) * Date: 2021-07-05 04:08
If you update python/cpython-source-deps, I can submit a simple PR to python/cpython.

I want to submit a PR to python/cpython-source-deps, but I think it’s better for a credible person to do this.
msg397752 - (view) Author: Dong-hee Na (corona10) * (Python committer) Date: 2021-07-18 14:06
I request the dependency update to use bzip2 1.0.8 which is the stable version.

https://github.com/python/cpython-source-deps/pull/25
msg397811 - (view) Author: Dong-hee Na (corona10) * (Python committer) Date: 2021-07-19 15:54
@ned.deily

Is it possible to update bz2 to 1.0.8 on macOS distribution?
I found the guide for updating the library on Windows, but I cannot find one for the macOS version.
msg397813 - (view) Author: Dong-hee Na (corona10) * (Python committer) Date: 2021-07-19 16:18
Hmm, since I am not a distribution expert, I would like to follow other core devs' opinions.

Almost all Linux distributions use bzip2 1.0.6 by default.
msg397853 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2021-07-20 06:31
> Is it possible to update bz2 to 1.0.8 on macOS distribution?

Thanks for looking into this. As I commented on PR 27241, this change is not needed because current macOS python.org installers dynamically link to the system-provided copies of Bzip2; the code to build a private copy of BZip2 in build-installer.py was only used when building on very old versions of macOS, 10.4 and earlier, versions for which we no longer support building installers. I've submitted another PR to remove that unused code to avoid future confusion.
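The point Ned makes above is that what matters is the bzip2 copy the interpreter actually loads at run time, not the version in cpython-source-deps. The script below is an added example, not code from this issue or from CPython: it calls the real bzip2 API function `BZ2_bzlibVersion()` through ctypes on whichever shared libbz2 `ctypes.util.find_library` locates, and compares the result with 1.0.8, the release the issue asks for. The parse/compare helpers are pure so they can be checked offline; note that on a build where `_bz2` links libbz2 statically (as the Windows build described here does), `find_library` may return nothing or a different system copy, so a result there says nothing about the bundled library.

```python
"""Report which bzip2 library this Python can load and whether it predates 1.0.8.

Added example for the bpo thread; not part of CPython. Uses the real
BZ2_bzlibVersion() entry point from bzlib.h via ctypes.
"""
from __future__ import annotations

import ctypes
import ctypes.util
import re

# The release requested in the issue; the two CVEs named there are fixed in it.
FIXED_VERSION = (1, 0, 8)


def parse_bzlib_version(text: str) -> tuple[int, ...]:
    """Turn the string BZ2_bzlibVersion() returns (e.g. '1.0.6, 6-Sept-2010') into (1, 0, 6)."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised bzip2 version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: tuple[int, ...]) -> bool:
    """True when the loaded library is older than the fixed release."""
    return version < FIXED_VERSION


def runtime_bzip2_version() -> str | None:
    """Ask the shared libbz2 that ctypes can find for its version string.

    Returns None when no shared libbz2 is found or it lacks the symbol, which is
    the expected outcome on builds that link bzip2 statically into _bz2.
    """
    path = ctypes.util.find_library("bz2")
    if path is None:
        return None
    try:
        lib = ctypes.CDLL(path)
        lib.BZ2_bzlibVersion.restype = ctypes.c_char_p
        lib.BZ2_bzlibVersion.argtypes = []
        return lib.BZ2_bzlibVersion().decode("ascii")
    except (OSError, AttributeError):
        return None


def report() -> str:
    """Human-readable summary of what this interpreter loads."""
    import _bz2  # the extension module; its path shows which build it came from

    lines = [f"_bz2 extension: {_bz2.__file__}"]
    raw = runtime_bzip2_version()
    if raw is None:
        lines.append("no shared libbz2 found via ctypes (possibly statically linked)")
        return "\n".join(lines)
    version = parse_bzlib_version(raw)
    status = "AFFECTED (older than 1.0.8)" if is_affected(version) else "ok (1.0.8 or newer)"
    lines.append(f"shared libbz2 reports: {raw} -> {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

On a macOS python.org build the reported path of `_bz2` plus the system libbz2 version together confirm Ned's statement that the installer does not ship its own copy; on Windows, a "no shared libbz2 found" result is the signal to check the bundled cpython-source-deps version instead.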
msg397854 - (view) Author: Dong-hee Na (corona10) * (Python committer) Date: 2021-07-20 06:35
> current macOS python.org installers dynamically link to the system-provided copies of Bzip2

Okay, so this issue looks out of scope for the CPython team if the Windows distribution follows the same policy.

@steve.dower

Can you check about this issue?
History
Date | User | Action | Args
2021-07-20 06:35:45 | corona10 | set | messages: + msg397854
2021-07-20 06:31:09 | ned.deily | set | messages: + msg397853
2021-07-19 16:18:20 | corona10 | set | messages: + msg397813
2021-07-19 16:04:39 | corona10 | set | nosy: + ronaldoussoren; type: crash -> security; components: + macOS
2021-07-19 16:01:44 | corona10 | set | pull_requests: + pull_request25790
2021-07-19 15:54:40 | corona10 | set | nosy: + ned.deily; messages: + msg397811
2021-07-19 15:47:23 | corona10 | set | keywords: + patch; stage: patch review; pull_requests: + pull_request25788
2021-07-18 14:06:15 | corona10 | set | messages: + msg397752
2021-07-18 13:40:46 | corona10 | set | nosy: + corona10
2021-07-05 04:08:06 | malin | set | nosy: + malin; messages: + msg396966
2021-07-02 10:46:07 | s.s.mahato | create |