
Update Windows installer to use bzip2 1.0.8 #88715

Closed
ssmahato mannequin opened this issue Jul 2, 2021 · 14 comments
Labels
3.7 (EOL) end of life 3.8 only security fixes 3.9 only security fixes 3.10 only security fixes 3.11 only security fixes OS-mac OS-windows release-blocker type-security A security issue

Comments

ssmahato mannequin commented Jul 2, 2021

BPO 44549
Nosy @pfmoore, @ronaldoussoren, @tjguk, @ned-deily, @ambv, @zware, @zooba, @animalize, @corona10, @pablogsal
PRs
  • bpo-44549: Update Windows installer to use BZip2 1.0.8 #27239
  • bpo-44549: Update macOS installer to use bzip2 1.0.8 #27241
  • bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and CVE-2019-12900 #31731
  • [3.10] bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and CVE-2019-12900 (GH-31731) #31732
  • [3.9] bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and CVE-2019-12900 (GH-31732) #31733
  • [3.8] bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and CVE-2019-12900 (GH-31732) #31734
  • [3.7] bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and CVE-2019-12900 (GH-31732) #31735
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = 'https://github.com/zooba'
    closed_at = <Date 2022-03-08.13:30:36.844>
    created_at = <Date 2021-07-02.10:46:07.548>
    labels = ['OS-mac', '3.8', '3.9', 'release-blocker', '3.7', 'type-security', '3.10', '3.11', 'OS-windows']
    title = 'Update Windows installer to use bzip2 1.0.8'
    updated_at = <Date 2022-03-08.13:30:36.844>
    user = 'https://bugs.python.org/ssmahato'

    bugs.python.org fields:

    activity = <Date 2022-03-08.13:30:36.844>
    actor = 'steve.dower'
    assignee = 'steve.dower'
    closed = True
    closed_date = <Date 2022-03-08.13:30:36.844>
    closer = 'steve.dower'
    components = ['macOS', 'Windows']
    creation = <Date 2021-07-02.10:46:07.548>
    creator = 's.s.mahato'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 44549
    keywords = ['patch']
    message_count = 14.0
    messages = ['396853', '396966', '397752', '397811', '397813', '397853', '397854', '414686', '414687', '414690', '414693', '414695', '414697', '414734']
    nosy_count = 11.0
    nosy_names = ['paul.moore', 'ronaldoussoren', 'tim.golden', 'ned.deily', 'lukasz.langa', 'zach.ware', 'steve.dower', 'malin', 'corona10', 'pablogsal', 's.s.mahato']
    pr_nums = ['27239', '27241', '31731', '31732', '31733', '31734', '31735']
    priority = 'release blocker'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'security'
    url = 'https://bugs.python.org/issue44549'
    versions = ['Python 3.7', 'Python 3.8', 'Python 3.9', 'Python 3.10', 'Python 3.11']

    ssmahato mannequin commented Jul 2, 2021

Python (3.9.5 and 3.9.6) are using Bzip2 1.0.6, which has a known critical vulnerability.
    CVE-2019-12900 (BDSA-2019-1844)
    9.8 Critical NVD CVE-2016-3189 (BDSA-2019-2036).

    Please upgrade the same to a stable version.

    @ssmahato ssmahato mannequin added type-crash A hard crash of the interpreter, possibly with a core dump 3.9 only security fixes OS-windows labels Jul 2, 2021
    animalize mannequin commented Jul 5, 2021

    If you update python/cpython-source-deps, I can submit a simple PR to python/cpython.

    I want to submit a PR to python/cpython-source-deps, but I think it’s better for a credible person to do this.

@corona10 (Member)

I request the dependency update to use bzip2 1.0.8, which is the stable version.

    python/cpython-source-deps#25

@corona10 (Member)

    @ned.deily

Is it possible to update bz2 to 1.0.8 on the macOS distribution?
I found the guide to update the library on Windows, but for the macOS version I cannot find one.

    @corona10 corona10 added OS-mac type-security A security issue and removed type-crash A hard crash of the interpreter, possibly with a core dump labels Jul 19, 2021
@corona10 (Member)

Hmm, since I am not a distribution expert, I would like to follow other core devs' opinions.

Almost all Linux distributions use bzip2 1.0.6 by default.

@ned-deily (Member)

> Is it possible to update bz2 to 1.0.8 on macOS distribution?

    Thanks for looking into this. As I commented on PR 27241, this change is not needed because current macOS python.org installers dynamically link to the system-provided copies of Bzip2; the code to build a private copy of BZip2 in build-installer.py was only used when building on very old versions of macOS, 10.4 and earlier, versions for which we no longer support building installers. I've submitted another PR to remove that unused code to avoid future confusion.
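The thread shows that "which bzip2 does this Python use" has a different answer per platform: a bundled copy on the Windows builds, the system library on macOS, and whatever the distribution ships on Linux. The check below is an added example, not code from the issue, its PRs or CPython. It assumes that libbz2 exports BZ2_bzlibVersion() (declared in bzip2's public bzlib.h) and that the python.org Windows builds compile bzip2 into _bz2.pyd rather than shipping a separate DLL, so on Windows the shared-library lookup is skipped and the result is reported as unknown rather than guessed.

```python
"""Report the bzip2 version a Python runtime resolves at load time and flag
anything older than 1.0.8, the release the issue's PRs moved the Windows
builds to (the PR titles name CVE-2016-3189 and CVE-2019-12900 as mitigated).
Added example, not code from the CPython issue or repository.
"""
import ctypes
import ctypes.util
import re
import sys

# Minimum acceptable bzip2 release for this check.
MIN_VERSION = (1, 0, 8)


def parse_bzlib_version(version_string):
    """Convert the text BZ2_bzlibVersion() returns, e.g. '1.0.8, 13-Jul-2019',
    into a comparable tuple such as (1, 0, 8)."""
    match = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version_string)
    if match is None:
        raise ValueError(f"unrecognised bzip2 version string: {version_string!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable_version(version_string, minimum=MIN_VERSION):
    """True when the reported version predates the fixed release."""
    return parse_bzlib_version(version_string) < minimum


def load_shared_bzlib():
    """Load the shared libbz2 the interpreter would resolve, or return None.

    Assumption (not stated on the issue page): the python.org Windows builds
    compile the bzip2 sources into _bz2.pyd, so there is no DLL to load and
    the caller must fall back to reporting the interpreter build instead."""
    if sys.platform == "win32":
        return None
    name = ctypes.util.find_library("bz2")
    if name is None:
        return None
    try:
        return ctypes.CDLL(name)
    except OSError:
        return None


def linked_bzlib_version():
    """Return BZ2_bzlibVersion() as a string, or None if libbz2 could not be
    loaded as a shared object or does not expose that symbol."""
    lib = load_shared_bzlib()
    if lib is None:
        return None
    try:
        fn = lib.BZ2_bzlibVersion
    except AttributeError:
        return None
    fn.restype = ctypes.c_char_p
    fn.argtypes = []
    return fn().decode("ascii", "replace")


def assess():
    """Return (status, detail) for this interpreter; status is one of
    'vulnerable', 'ok' or 'unknown'."""
    version = linked_bzlib_version()
    if version is None:
        # Statically linked or absent library: the version is not queryable
        # this way, so the only evidence left is which CPython build this is.
        return "unknown", (
            f"no shared libbz2 found for Python {sys.version.split()[0]} "
            f"on {sys.platform}; check the build's bundled bzip2 instead"
        )
    if is_vulnerable_version(version):
        return "vulnerable", f"bzip2 {version} is older than 1.0.8"
    return "ok", f"bzip2 {version}"


if __name__ == "__main__":
    status, detail = assess()
    print(f"{status}: {detail}")
```

Run it with the interpreter under review; "unknown" on Windows is the expected outcome for a bundled copy, and the fixed-version check for those builds is the CPython release itself (the PRs listed above).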

@corona10 (Member)

> current macOS python.org installers dynamically link to the system-provided copies of Bzip2

    Okay, so this issue looks out of scope to the CPython team if the Windows distribution follows the same policy.

@steve.dower

    Can you check about this issue?

@ned-deily ned-deily added 3.10 only security fixes 3.11 only security fixes labels Mar 4, 2022
@ned-deily ned-deily changed the title from "BZip 1.0.6 Critical Vulnerability" to "Update Windows installer to use BZip 1.0.8" Mar 4, 2022
@ned-deily ned-deily changed the title from "Update Windows installer to use BZip 1.0.8" to "Update Windows installer to use bzip2 1.0.8" Mar 4, 2022
    zooba commented Mar 7, 2022

    cpython-source-deps was updated middle of last year, but apparently we never merged the main repo change to use it. I'll do it now.

    zooba commented Mar 7, 2022

    Adding RMs - this should get merged before we do any security releases for bpo-46948

    @zooba zooba added 3.7 (EOL) end of life 3.8 only security fixes labels Mar 7, 2022
    zooba commented Mar 7, 2022

    New changeset 105b9ac by Steve Dower in branch 'main':
    bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and CVE-2019-12900 (GH-31731)
    zooba commented Mar 7, 2022

    New changeset 58d576a by Steve Dower in branch '3.10':
    bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and CVE-2019-12900 (GH-31732)

@ned-deily (Member)

    New changeset 4a3c610 by Steve Dower in branch '3.7':
    bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and CVE-2019-12900 (GH-31732) (GH-31735)
    zooba commented Mar 7, 2022

    New changeset e1639f3 by Steve Dower in branch '3.9':
    bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and CVE-2019-12900 (GH-31732)
    ambv commented Mar 8, 2022

    New changeset 6649519 by Steve Dower in branch '3.8':
    bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and CVE-2019-12900 (GH-31732) (GH-31734)
    @zooba zooba closed this as completed Mar 8, 2022
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022