Regression - update of python2.7 to cover CVE-2021-3177 modifying unicode parts causes serious regressions

Bug #1916893 reported by Leonidas S. Barbosa
This bug affects 8 people

Affects: python2.7 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

[Scenario]
A security update was made for python2.7 in xenial and bionic that can cause a serious regression since it is modifying unicode code for python2.7.

[Issue]
It can cause a serious break in the way python prints, reprs, unicode information, causing serious damage for any application that is running python2.7 in that scenario.

[More info]
https://ubuntu.com/security/CVE-2021-3177


information type: Public → Private Security
description: updated
Marc Deslauriers (mdeslaur) wrote :

Possibly relevant part of bionic autopkgtest:

test test_ctypes failed -- Traceback (most recent call last):
  File "/usr/lib/python2.7/ctypes/test/test_parameters.py", line 232, in test_parameter_repr
    self.assertEqual(repr(c_char.from_param(97)), "<cparam 'c' ('a')>")
TypeError: wrong type

======================================================================
ERROR: test_parameter_repr (ctypes.test.test_parameters.SimpleTypesTestCase)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/lib/python2.7/ctypes/test/test_parameters.py", line 232, in test_parameter_repr
    self.assertEqual(repr(c_char.from_param(97)), "<cparam 'c' ('a')>")
TypeError: wrong type

Marc Deslauriers (mdeslaur) wrote :

FYI, the package in hirsute-proposed with a different fix is failing in a different way:

0:01:56 load avg: 1.03 [ 97/398] test_ctypes
/usr/lib/python2.7/threading.py:846: DeprecationWarning: sys.exc_clear() not supported in 3.x; use except clauses
  self.__exc_clear()
test test_ctypes failed -- Traceback (most recent call last):
  File "/usr/lib/python2.7/ctypes/test/test_parameters.py", line 244, in test_parameter_repr
    self.assertEqual(repr(c_float.from_param(1.5)), "<cparam 'f' (1.5)>")
AssertionError: "<cparam 'f' (\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xd0\xab9g\xf7\x7f)>" != "<cparam 'f' (1.5)>"

0:01:58 load avg: 1.03 [ 98/398/1] test_datetime -- test_ctypes failed

Steve Beattie (sbeattie)
information type: Private Security → Public Security
Leonidas S. Barbosa (leosilvab) wrote :

Regression update reverting the CVE-2021-3177 patch was made: https://ubuntu.com/security/notices/USN-4754-2

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python2.7 (Ubuntu):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

New updates have been released with a fixed security patch:

https://ubuntu.com/security/notices/USN-4754-4

Changed in python2.7 (Ubuntu):
status: Confirmed → Fix Released
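
A post-update sanity check for the two ctypes repr cases that fail in the autopkgtest output quoted in this report, as an added example that is not part of the bug thread or of the python2.7 package. The helper names (`classify`, `run_checks`) are hypothetical; the expected strings are the ones asserted by test_parameter_repr in the tracebacks above.

```python
"""Smoke check for ctypes cparam repr after a python2.7 security update."""
from __future__ import print_function
import ctypes

# Expected values are taken from the test_parameter_repr assertions quoted
# in this report; the two cases are the ones that failed there.
CASES = [
    ("c_char.from_param(97)",
     lambda: ctypes.c_char.from_param(97), "<cparam 'c' ('a')>"),
    ("c_float.from_param(1.5)",
     lambda: ctypes.c_float.from_param(1.5), "<cparam 'f' (1.5)>"),
]


def classify(actual, expected):
    """Compare a repr string with the expected one and name the failure mode."""
    if actual == expected:
        return "ok"
    # Non-printable or high bytes inside the repr match the second failure
    # quoted above, where the value field held unrelated memory contents.
    if any(ord(ch) < 0x20 or ord(ch) > 0x7e for ch in actual):
        return "garbage"
    return "mismatch"


def run_checks():
    """Return (label, status, detail) for each case; never raises."""
    results = []
    for label, make, expected in CASES:
        try:
            actual = repr(make())
        except Exception as exc:
            # The first failure quoted above surfaced as "TypeError: wrong type".
            results.append((label, "raises",
                            "%s: %s" % (type(exc).__name__, exc)))
            continue
        results.append((label, classify(actual, expected), actual))
    return results


if __name__ == "__main__":
    failed = False
    for label, status, detail in run_checks():
        print("%-26s %-8s %r" % (label, status, detail))
        failed = failed or status != "ok"
    raise SystemExit(1 if failed else 0)
```

Run it with the interpreter under test (for example `python2.7`); a non-zero exit status means at least one case did not produce the expected repr.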
This report contains Public Security information  
Everyone can see this security related information.
