Bug#953950: python-twisted: twisted version 14.0.2-3+deb8u1 in jessie (security) is broken

2020-03-19 Thread Emilio Pozuelo Monfort
Hi,

On 19/03/2020 13:01, Simon McVittie wrote:
> On Thu, 19 Mar 2020 at 12:33:09 +0100, Etienne Allovon wrote:
>> Subject: python-twisted: twisted version 14.0.2-3+deb8u1 in jessie
>> (security) is broken
> 
> Debian 8 'jessie' is no longer supported by the mainstream Debian
> security team

Etienne probably meant that the update comes from jessie-security, which is 
correct.

> or by the maintainers of individual packages. Instead, it

That's not necessarily correct. While many maintainers don't care about LTS,
some others do and they help provide security updates in coordination with the
LTS team.

> is maintained by the Debian LTS subproject. Please contact the debian-lts
> mailing list  if you encounter regressions
> in jessie or jessie-security packages.
> 
> (LTS people: please see the bug for details, and please make sure the
> message is getting out to LTS users that they should be contacting the
> LTS team and not the bug tracking system.)

Actually the bug tracker is a good place to report regressions in LTS, just like
it's fine for stable. reportbug has a feature to Cc the security team or the LTS
list if it detects that the package comes from such a suite. That probably
didn't work here because it was a follow-up to an already opened bug, but in
general I wouldn't see an issue with reporting a bug against the package.

In any case, thanks Etienne for reporting this regression, and thank you Simon
for letting us know.

Cheers,
Emilio



Bug#953950: python-twisted: twisted version 14.0.2-3+deb8u1 in jessie (security) is broken

2020-03-19 Thread Etienne Allovon

Chris Lamb wrote:

> I have just uploaded 14.0.2-3+deb8u2 and DLA-2145-2 will be announced
> after sending this email. Thank you again for raising this issue.

Thanks a lot for this quick fix!
I will test it as soon as it is available in the repo.

Regards,



Bug#953950: python-twisted: twisted version 14.0.2-3+deb8u1 in jessie (security) is broken

2020-03-19 Thread Chris Lamb
Chris Lamb wrote:

> I will take charge of fixing this in jessie with the utmost urgency.

I have just uploaded 14.0.2-3+deb8u2 and DLA-2145-2 will be announced
after sending this email. Thank you again for raising this issue.


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-



Bug#953950: python-twisted: twisted version 14.0.2-3+deb8u1 in jessie (security) is broken

2020-03-19 Thread Chris Lamb
Hi all,

> Please, can you […] revert this patch and re-publish the working (but
> security flawed) 14.0.2-3 twisted version ?

I will take charge of fixing this in jessie with the utmost urgency.

Thank you for raising this issue.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-



Bug#953950: python-twisted: twisted version 14.0.2-3+deb8u1 in jessie (security) is broken

2020-03-19 Thread Simon McVittie
On Thu, 19 Mar 2020 at 12:33:09 +0100, Etienne Allovon wrote:
> Subject: python-twisted: twisted version 14.0.2-3+deb8u1 in jessie
> (security) is broken

Debian 8 'jessie' is no longer supported by the mainstream Debian
security team or by the maintainers of individual packages. Instead, it
is maintained by the Debian LTS subproject. Please contact the debian-lts
mailing list  if you encounter regressions
in jessie or jessie-security packages.

(LTS people: please see the bug for details, and please make sure the
message is getting out to LTS users that they should be contacting the
LTS team and not the bug tracking system.)

If you do not have a specific reason to stay on Debian 8 'jessie',
also consider upgrading to Debian 9 'stretch', and then from there to
Debian 10 'buster', which is the current stable release.

smcv



Bug#953950: python-twisted: twisted version 14.0.2-3+deb8u1 in jessie (security) is broken

2020-03-19 Thread Etienne Allovon
Subject: python-twisted: twisted version 14.0.2-3+deb8u1 in jessie (security) is broken

Followup-For: Bug #953950
Package: python-twisted-web
Version: 14.0.2-3+deb8u1

Dear Maintainer,

After upgrading to the latest jessie, I got the new python-twisted*
packages in version 14.0.2-3+deb8u1.

This version breaks my python service using twisted.web with the
following stack trace:

2020-03-19 11:04:22,645 [7586] (ERROR) (twisted): Unhandled Error
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 88, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 73, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext
    return func(*args,**kw)
---  ---
  File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
    why = selectable.doRead()
  File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 214, in doRead
    return self._dataReceived(data)
  File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 220, in _dataReceived
    rval = self.protocol.dataReceived(data)
  File "/usr/lib/python2.7/dist-packages/twisted/protocols/basic.py", line 571, in dataReceived
    why = self.lineReceived(line)
  File "/usr/lib/python2.7/dist-packages/twisted/web/http.py", line 1663, in lineReceived
    self.headerReceived(self.__header)
  File "/usr/lib/python2.7/dist-packages/twisted/web/http.py", line 1685, in headerReceived
    if not self._maybeChooseTransferDecoder(header, data):
exceptions.AttributeError: HTTPChannel instance has no attribute '_maybeChooseTransferDecoder'


To investigate, I downloaded the twisted-python sources and saw that two
patches were added:

1) debian/patches/CVE-2020-10108_CVE-2020-10108.patch
2) debian/patches/CVE-2020-10108_CVE-2020-10109.patch

(side note: patch #2 is void)

Patch #1 is supposed to fix CVE-2020-10108.

But, as far as I understand, it is incorrect for this version 14.0.2-3:
- it adds a method _maybeChooseTransferDecoder in class HTTPFactory
- and it adds in the headerReceived method of class HTTPChannel a call to
self._maybeChooseTransferDecoder
- but HTTPChannel AFAIU has no dependency whatsoever on HTTPFactory
- therefore this call is broken


After digging in the twisted git repo
(https://github.com/twisted/twisted/commits/trunk/src/twisted/web/http.py)
it seems that this debian/patches/CVE-2020-10108_CVE-2020-10108.patch patch
was more or less taken from this upstream commit:
https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281#diff-a31693cfdecc4bc57f3dd9ce31445237

But in this upstream commit the _maybeChooseTransferDecoder method is
added in the HTTPChannel class.



Please, can you revert this patch and re-publish the working (but
security flawed) 14.0.2-3 twisted version?

Or fix this patch?

Many thanks


-- System Information:
Debian Release: 8.9
  APT prefers oldoldstable-updates
  APT policy: (500, 'oldoldstable-updates'), (500, 'oldoldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python-twisted-web depends on:
ii  python   2.7.9-1
ii  python-twisted-core  14.0.2-3+deb8u1

python-twisted-web recommends no packages.

python-twisted-web suggests no packages.

-- no debconf information
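The mis-applied patch Etienne describes, as an added model written for this page (not Twisted's code, the Debian patch, or the upstream commit): BrokenHTTPChannel carries the deb8u1 call with the method placed on HTTPFactory, FixedHTTPChannel carries it on the channel as upstream does, and the transfer-decoder check is a simplified stand-in for the upstream one, with constructed header lines as input.

```python
class HTTPFactory:
    """Stand-in for twisted.web.http.HTTPFactory (constructed for this model)."""

    def _maybeChooseTransferDecoder(self, header, data):
        # deb8u1 put the method here, but HTTPChannel never reaches its factory
        return True


class BrokenHTTPChannel:
    """Models HTTPChannel as patched in deb8u1: the call was added, the method was not."""

    def __init__(self):
        self.length = None    # Content-Length seen so far
        self.chunked = False  # Transfer-Encoding: chunked seen

    def headerReceived(self, line):
        header, data = line.split(b":", 1)
        header, data = header.strip().lower(), data.strip().lower()
        # Any header, even Host, reaches this call and raises AttributeError
        if not self._maybeChooseTransferDecoder(header, data):
            return False
        return True


class FixedHTTPChannel(BrokenHTTPChannel):
    """Models the upstream commit: the method lives on HTTPChannel itself."""

    def _maybeChooseTransferDecoder(self, header, data):
        # Simplified form of the check behind CVE-2020-10108: a request with
        # both Content-Length and Transfer-Encoding, or a repeated
        # Content-Length, is ambiguous between parsers and is rejected.
        if header == b"content-length":
            if self.length is not None or self.chunked:
                return False
            self.length = int(data)
        elif header == b"transfer-encoding":
            if self.length is not None or data != b"chunked":
                return False
            self.chunked = True
        return True


def feed_headers(channel_cls, lines):
    """Return 'ok', 'rejected' or 'AttributeError' for constructed header lines."""
    channel = channel_cls()
    try:
        for line in lines:
            if not channel.headerReceived(line):
                return "rejected"
    except AttributeError:
        return "AttributeError"
    return "ok"
```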