Your message dated Thu, 12 Dec 2024 16:15:52 +0100
with message-id <[email protected]>
and subject line Re: Accepted python3.13 3.13.1-2 (source) into unstable
has caused the Debian Bug report #1089235,
regarding python3.13: CVE-2024-12254
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1089235: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089235
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python3.13
Version: 3.13.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/python/cpython/issues/127655
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:python3.12 3.12.8-1
Control: retitle -2 python3.12: CVE-2024-12254
Hi,
The following vulnerability was published for python3.{12,13}.
CVE-2024-12254[0]:
| Starting in Python 3.12.0, the
| asyncio._SelectorSocketTransport.writelines() method would not
| "pause" writing and signal to the Protocol to drain the buffer to
| the wire once the write buffer reached the "high-water mark".
| Because of this, Protocols would not periodically drain the write
| buffer potentially leading to memory exhaustion. This
| vulnerability likely impacts a small number of users; you must be
| using Python 3.12.0 or later, on macOS or Linux, using the asyncio
| module with protocols, and using the .writelines() method, which had new
| zero-copy-on-write behavior in Python 3.12.0 and later. If not all
| of these factors are true then your usage of Python is unaffected.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-12254
https://www.cve.org/CVERecord?id=CVE-2024-12254
[1] https://github.com/python/cpython/issues/127655
[2] https://github.com/python/cpython/pull/127656
Regards,
Salvatore
--- End Message ---
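The CVE text above turns on one missing step: after queuing data, the transport's writelines() path did not check the write buffer against the high-water mark, so the protocol was never told to pause. The following is an added illustration, not code from the bug report, from CPython or from the Debian package: a simplified, socket-free model of that write path. The method names _maybe_pause_protocol() / _maybe_resume_protocol() and the 64 KiB / 16 KiB default watermarks are borrowed from asyncio; DemoProtocol, ModelTransport, run_producer and the chunk sizes are constructed for this demonstration.

```python
"""Model of asyncio's write-buffer flow control (added illustration, not
CPython's code).  Only the method names _maybe_pause_protocol() /
_maybe_resume_protocol() and the 64 KiB / 16 KiB default watermarks are
taken from asyncio; the classes below are constructed stand-ins."""


class DemoProtocol:
    """Minimal protocol that honours pause_writing()/resume_writing()."""

    def __init__(self):
        self.paused = False
        self.pause_count = 0

    def pause_writing(self):
        self.paused = True
        self.pause_count += 1

    def resume_writing(self):
        self.paused = False


class ModelTransport:
    """Simplified write side of a selector socket transport.

    check_in_writelines=False reproduces the defect: writelines() queues
    data but never asks the protocol to pause, so a fast producer can
    grow the buffer without bound.
    """

    def __init__(self, protocol, high=64 * 1024, low=16 * 1024,
                 check_in_writelines=True):
        self._protocol = protocol
        self._buffer = bytearray()
        self._high_water = high
        self._low_water = low
        self._protocol_paused = False
        self._check_in_writelines = check_in_writelines

    def get_write_buffer_size(self):
        return len(self._buffer)

    def _maybe_pause_protocol(self):
        # Back-pressure: above the high-water mark -> tell the protocol to stop.
        if not self._protocol_paused and len(self._buffer) > self._high_water:
            self._protocol_paused = True
            self._protocol.pause_writing()

    def _maybe_resume_protocol(self):
        # Drained to the low-water mark -> let the protocol continue.
        if self._protocol_paused and len(self._buffer) <= self._low_water:
            self._protocol_paused = False
            self._protocol.resume_writing()

    def write(self, data):
        self._buffer.extend(data)
        self._maybe_pause_protocol()  # write() always performed this check

    def writelines(self, list_of_data):
        # 3.12 added a path that joins the chunks and queues them; the
        # affected releases skipped the watermark check on this path.
        self._buffer.extend(b"".join(list_of_data))
        if self._check_in_writelines:
            self._maybe_pause_protocol()

    def drain(self, nbytes):
        """Simulate the socket becoming writable and sending nbytes."""
        del self._buffer[:nbytes]
        self._maybe_resume_protocol()


def run_producer(use_writelines, check_in_writelines, chunk=4096, rounds=100):
    """Drive a well-behaved producer that stops whenever it is paused.

    Returns (peak buffer size in bytes, number of pause_writing() calls).
    chunk and rounds are constructed sizes for the demonstration.
    """
    proto = DemoProtocol()
    tr = ModelTransport(proto, check_in_writelines=check_in_writelines)
    peak = 0
    for _ in range(rounds):
        if proto.paused:
            # Back-pressured: wait for the socket to drain (here: all at once).
            tr.drain(tr.get_write_buffer_size())
            continue
        if use_writelines:
            tr.writelines([b"x" * (chunk // 2), b"y" * (chunk // 2)])
        else:
            tr.write(b"x" * chunk)
        peak = max(peak, tr.get_write_buffer_size())
    return peak, proto.pause_count


if __name__ == "__main__":
    for label, args in (("write()", (False, True)),
                        ("writelines(), fixed", (True, True)),
                        ("writelines(), affected", (True, False))):
        peak, pauses = run_producer(*args)
        print(f"{label:24s} peak buffer {peak:7d} bytes, paused {pauses} times")
```

Running the module prints the peak buffer size for each variant: with the check in place the buffer never exceeds the high-water mark by more than one chunk and the protocol is paused periodically, whereas the affected variant never issues pause_writing() and the buffer grows with every call, which is the memory-exhaustion path the advisory describes. On a real transport, transport.get_write_buffer_size() (a genuine asyncio method) is the value to watch when checking whether back-pressure is actually being applied.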
--- Begin Message ---
Source: python3.13
Source-Version: 3.13.1-2
On Thu, Dec 12, 2024 at 10:37:00AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Thu, 12 Dec 2024 11:12:28 +0100
> Source: python3.13
> Architecture: source
> Version: 3.13.1-2
> Distribution: unstable
> Urgency: medium
> Maintainer: Matthias Klose <[email protected]>
> Changed-By: Matthias Klose <[email protected]>
> Changes:
> python3.13 (3.13.1-2) unstable; urgency=medium
> .
> * Update to the 3.13 branch 2024-12-12.
> - Fix issue #127655, CVE-2024-12254.
> * Add support for OpenSSL 3.4, issue #127330.
> * Mark test_structseq as failing on Ubuntu/armhf.
> Checksums-Sha1:
> ff564cced36098eaeb57930410b5c7c108323158 3984 python3.13_3.13.1-2.dsc
> 9c67ab978e693d1c9fb532bd2c94a7ae38ffafa6 286724 python3.13_3.13.1-2.debian.tar.xz
> 5815fc6193f856c6794144f4b48fc2191bbfc8a2 10676 python3.13_3.13.1-2_source.buildinfo
> Checksums-Sha256:
> 5e335bcd91b1c20c61f03e206198ab40672319d61f9dd0d4f71b396ac090aea1 3984 python3.13_3.13.1-2.dsc
> fa3d210cf453d98e485d59837e06c86802b35c574f2f656896cd220999fab53c 286724 python3.13_3.13.1-2.debian.tar.xz
> 52e143177dd4573610f08debf4baf8b43f539add89be8a295bf74e057c4431a2 10676 python3.13_3.13.1-2_source.buildinfo
> Files:
> 1675d7450b2ff255b14734ec45c8f8ad 3984 python optional python3.13_3.13.1-2.dsc
> 610609ca410cdff443ba18f28fa5355b 286724 python optional python3.13_3.13.1-2.debian.tar.xz
> ef29787fb6f77b07aaae6cfaf5bac57c 10676 python optional python3.13_3.13.1-2_source.buildinfo
> -----BEGIN PGP SIGNATURE-----
>
> iQJEBAEBCgAuFiEE1WVxuIqLuvFAv2PWvX6qYHePpvUFAmdat08QHGRva29AZGVi
> aWFuLm9yZwAKCRC9fqpgd4+m9eRKEADXx6WPlaN9hhtutOI1Lhf6lbswf/Moh5Ea
> CcM+QIRKCORalaG7hJCKskH7GbhUFLJFR0ziSC9WspPtfSHFiG8z5XFFO/z/e9LK
> vFUqYMhR3zjg2F4Fb5dxWclqffUIHQy1vN8io4036yALr8flI0ZzhX1WKR+i1MT6
> JJzZV3MZIQiUitJTDRhK5/BXTrJgL+uTRBAXD+eFfnhSEbM0SIimjYuvArvAShUy
> 77cokxUEtLdcTtL6jPzXY4V4XuoWo3mzjRae0j3cpNJc6Pe6bbcBq9/AYfqrr7ok
> tucaaJcWj2FQLxh+n7sxRmgJX0A54sNuJaJEj5aqYS7lj9/xfudWJf3GHGHUC/Og
> kAP1nAg1oVZ47Bib0krdA/9uKXuNT/J+KAV5gzzdDiMRnjddbxZBG4d9V+Zm+lvy
> 3WI6WrUE8DGpog+qDpebCZLj5+pEoAicGm8rrNCz24I3G96fdm7d82vl54kFVdI3
> 3/fQtWAMb7+YUu6ERyXmwupu2dz6rAsdiYb0RKJJPbQGhom1hcGwIHAStbOoZm0x
> 2xCQn+5NhiyXKxfSZS7hNYUUKwuwZl60dVoSVl7W5zxx979oA4RpryhNzPFVy7DX
> s74BA9IJgozNT8ZYNWCHcBTrOzHoT558BZKF66WyEIuq/3lOUywUpyxi/xsw4QHJ
> qddulNP8qA==
> =Yfgj
> -----END PGP SIGNATURE-----
--- End Message ---