Bug#930356: CVE-2019-12760
Just to mention that one of the authors of parso actually closed the related issue[1] pointing to the commit mentioned by Nicholas, 19de3eb. In the same comment, a new issue about replacing pickle[2] was created to avoid the problem altogether, and the author suggests it will not happen soon.

This probably means that we want to go with the approach suggested by Piotr to disable cache if we want to avoid the removal.

1: https://github.com/davidhalter/parso/issues/75
2: https://github.com/davidhalter/parso/issues/79

Best,
-Marco
Bug#930356: CVE-2019-12760
CCing the Security Team as well

On Fri, Jun 21, 2019 at 01:15:23PM +0200, Piotr Ożarowski wrote:
> Hi Andreas,
>
> > > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1718212
> > >
> > > Patch is at
> > > https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7
> >
> > I know you are usually pretty quick in solving serious issues. I tried
> > to check the issue and think the link provided for a patch is just
> > pointing to a proof of concept exploit. When reading the discussion
> > here
> >
> > https://github.com/davidhalter/parso/issues/75
> >
> > I understand that it is not fixed but the authors do not consider the
> > issue serious. Could you please give some comment from an insider's
> > point of view (which I'm not). I'm just caring since several Debian
> > Science dependencies are about to be removed from testing due to this
> > bug.
>
> I don't consider it that serious either. I'll wait for upstream to
> provide a proper fix. If there will be no such fix in time, I guess I can
> just disable cache if security team insists.

So upstream closed the issue marked at the forwarded URL for this bug, saying they'll address it with documentation. I hope that more documentation is forthcoming, because a quick search only found this commit:

https://github.com/davidhalter/parso/commit/19de3eb5ca1ae9e7994f8d72f83328d83538fd16

Dear Security Team, does that seem like it's sufficient?

Cheers,
Nicholas
Bug#930356: CVE-2019-12760
Control: forwarded -1 https://github.com/davidhalter/parso/issues/75

I wonder if this is going to pan out like CVE-2014-3539...unpatched upstream for five years. But on the upside, it's more difficult to exploit and lower severity.

On a related note, could Rope's "signature verification [for] pickled data" form the basis of a solution?

https://github.com/python-rope/rope/commit/b01da7aab5cd02129941d2a900e6e5e3b5f7d4fb

Alternatively, if Debian doesn't have any network-enabled packages that use Parso, could the severity of this bug be lowered?

Cheers,
Nicholas
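The message above asks whether signing the pickled cache data, as Rope does, could be the basis of a fix. The following is an added example written for this page, not parso's or rope's code, showing the shape of that approach: the cache file gets an HMAC-SHA256 tag over the pickle bytes, and the tag is verified before pickle.loads() ever runs. Every name in it (load_or_create_key, sign_pickle, load_signed_pickle, EvilPayload, demo, unverified_load), the key-file location and the cache file layout are assumptions for the demo. The planted "malicious" pickle is constructed here and only flips a flag where a real payload would call os.system().

```python
# Added example: HMAC-authenticated pickle cache. Not parso's or rope's code;
# all names and the on-disk layout below are assumed for the demonstration.
import hashlib
import hmac
import os
import pickle
import secrets
import tempfile

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag prefix

# Set when unpickling executes attacker-chosen code. A real payload would
# call os.system() or similar; the constructed one below only flips this.
PAYLOAD_RAN = {"hit": False}


def _mark_hit():
    PAYLOAD_RAN["hit"] = True


class EvilPayload:
    """Constructed malicious object: pickle.loads() on it calls _mark_hit()."""

    def __reduce__(self):
        return (_mark_hit, ())


def load_or_create_key(cache_dir):
    """Per-user secret that authenticates cache entries (file created 0600)."""
    path = os.path.join(cache_dir, "cache.key")  # assumed location
    if os.path.exists(path):
        with open(path, "rb") as f:
            return f.read()
    key = secrets.token_bytes(32)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key)
    return key


def sign_pickle(obj, key):
    """Serialise obj and prefix it with HMAC-SHA256 over the pickle bytes."""
    payload = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def load_signed_pickle(blob, key):
    """Unpickle only after the tag verifies; reject anything else."""
    if len(blob) < TAG_LEN:
        raise ValueError("cache entry too short to carry a signature")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time compare, and it happens BEFORE pickle.loads: the
    # unpickling step is what runs code from a planted cache file.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cache signature mismatch; refusing to unpickle")
    return pickle.loads(payload)


def unverified_load(blob):
    """The unsafe behaviour: trust whatever bytes sit in the cache file."""
    PAYLOAD_RAN["hit"] = False
    pickle.loads(blob)
    return PAYLOAD_RAN["hit"]


def demo(cache_dir=None):
    """Round-trip a legitimate entry, then plant an unsigned pickle."""
    PAYLOAD_RAN["hit"] = False
    cache_dir = cache_dir or tempfile.mkdtemp(prefix="signed-cache-")
    key = load_or_create_key(cache_dir)
    entry = os.path.join(cache_dir, "module.pkl")  # constructed sample entry

    with open(entry, "wb") as f:
        f.write(sign_pickle({"tokens": 42}, key))
    with open(entry, "rb") as f:
        good = load_signed_pickle(f.read(), key)

    # Attacker with write access to the cache dir replaces the entry.
    planted = pickle.dumps(EvilPayload())
    with open(entry, "wb") as f:
        f.write(planted)
    with open(entry, "rb") as f:
        blob = f.read()
    try:
        load_signed_pickle(blob, key)
        rejected = False
    except ValueError:
        rejected = True

    return {"good": good, "rejected": rejected,
            "payload_ran": PAYLOAD_RAN["hit"], "planted": planted}


if __name__ == "__main__":
    r = demo()
    print("legit entry:", r["good"], "| planted rejected:", r["rejected"])
    print("same blob via plain pickle.loads runs payload:",
          unverified_load(r["planted"]))
```

The caveat a reviewer would raise: the tag only helps if the key is not writable by whoever can write the cache. In this demo the key file sits in the cache directory purely for brevity; with that layout, anyone who can plant cache files can also replace the key and re-sign their payload, so the protection collapses to the directory permissions. Storing the key elsewhere, or replacing pickle with a data-only format (parso issue 79), or disabling the cache, each remove that dependency.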
Processed: Re: Bug#930356: CVE-2019-12760
Processing control commands:

> forwarded -1 https://github.com/davidhalter/parso/issues/75
Bug #930356 [src:parso] CVE-2019-12760
Set Bug forwarded-to-address to 'https://github.com/davidhalter/parso/issues/75'.

--
930356: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930356
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#930356: CVE-2019-12760
On Fri, 21 Jun 2019 at 13:15:23 +0200, Piotr Ożarowski wrote:
> that's because python-jedi is a multi-tarball source package and parso
> was part of it at the beginning. Last time I checked gbp didn't
> support it (or I don't know how to use it) so it was easier for me to
> keep it outside DPMT. I guess there's no reason not to move parso into
> DPMT now.

gbp can do multi-tarball source packages with "component =" in debian/gbp.conf. Take a look at yquake2 in contrib for a working example.

smcv
Bug#930356: CVE-2019-12760
Hi Piotr,

On Fri, Jun 21, 2019 at 01:15:23PM +0200, Piotr Ożarowski wrote:
> > https://github.com/davidhalter/parso/issues/75
> >
> > I understand that it is not fixed but the authors do not consider the
> > issue serious. Could you please give some comment from an insider's
> > point of view (which I'm not). I'm just caring since several Debian
> > Science dependencies are about to be removed from testing due to this
> > bug.
>
> I don't consider it that serious either. I'll wait for upstream to
> provide a proper fix. If there will be no such fix in time, I guess I can
> just disable cache if security team insists.

Thanks for mentioning. I consider it important to mention it here in the bug report to inform maintainers of reverse dependencies. Is there any active discussion with security team and if yes where can I read about it?

> > PS: Is there any reason why this package is not on Salsa and not
> > team maintained?
>
> that's because python-jedi is a multi-tarball source package and parso
> was part of it at the beginning. Last time I checked gbp didn't
> support it (or I don't know how to use it) so it was easier for me to
> keep it outside DPMT. I guess there's no reason not to move parso into
> DPMT now.

I confirm that I personally also have no idea how to deal with multi-tarball source packages using gbp (except maybe when maintaining only the debian/ dir in Git). If that issue does not exist any more it might be helpful to move parso now.

Thanks for maintaining parso,
Andreas.

--
http://fam-tille.de
Bug#930356: CVE-2019-12760
Hi Andreas,

> > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1718212
> >
> > Patch is at https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7
>
> I know you are usually pretty quick in solving serious issues. I tried
> to check the issue and think the link provided for a patch is just
> pointing to a proof of concept exploit. When reading the discussion
> here
>
> https://github.com/davidhalter/parso/issues/75
>
> I understand that it is not fixed but the authors do not consider the
> issue serious. Could you please give some comment from an insider's
> point of view (which I'm not). I'm just caring since several Debian
> Science dependencies are about to be removed from testing due to this
> bug.

I don't consider it that serious either. I'll wait for upstream to provide a proper fix. If there will be no such fix in time, I guess I can just disable cache if security team insists.

> PS: Is there any reason why this package is not on Salsa and not
> team maintained?

that's because python-jedi is a multi-tarball source package and parso was part of it at the beginning. Last time I checked gbp didn't support it (or I don't know how to use it) so it was easier for me to keep it outside DPMT. I guess there's no reason not to move parso into DPMT now.
Bug#930356: CVE-2019-12760
Hi Piotr

> Please see https://bugzilla.redhat.com/show_bug.cgi?id=1718212
>
> Patch is at https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7

I know you are usually pretty quick in solving serious issues. I tried to check the issue and think the link provided for a patch is just pointing to a proof of concept exploit. When reading the discussion here

https://github.com/davidhalter/parso/issues/75

I understand that it is not fixed but the authors do not consider the issue serious. Could you please give some comment from an insider's point of view (which I'm not). I'm just caring since several Debian Science dependencies are about to be removed from testing due to this bug.

Kind regards
Andreas.

PS: Is there any reason why this package is not on Salsa and not team maintained?

--
http://fam-tille.de
Bug#930356: CVE-2019-12760
Source: parso
Severity: grave
Tags: security

Please see https://bugzilla.redhat.com/show_bug.cgi?id=1718212

Patch is at https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7

Cheers,
Moritz