Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2018-1000030: python: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Karol Babioch <karol> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | | |
| Priority: | P3 - Medium | CC: | jsegitz, matthias.gerstner, meissner, peter.simons, sean.stanton, smash_bz |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/199416/ | | |
| Whiteboard: | CVSSv3:RedHat:CVE-2018-1000030:3.6:(AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L) CVSSv3:SUSE:CVE-2018-1000030:7.0:(AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) CVSSv2:NVD:CVE-2018-1000030:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) obs:running:11857:important | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Karol Babioch
2018-02-05 08:37:34 UTC
The package python27 in SUSE:SLE-11-SP1:Update:Teradata is also affected.

This issue is fixed by upstream patch 6401e5671781eb217ee1afb4603cc0d1b0367ae6. Since that solution had unintended side-effects, another commit was added on top of it in dbf52e02f18dac6f5f0a64f78932f3dc6efc056b. Both patches are submitted to SLE-12-SP1 and SUSE:SLE-11-SP1:Update:Teradata.

I made an honest attempt at back-porting the fixes to SLE-11-SP1 (Python-2.6.9) and managed to apply the first patch, but not the second one. The second patch -- which provides the proper solutions -- has substantial differences with regard to the state of Objects/fileobject.c in that old Python version and I don't think it can be applied. Patching SLE-10-SP3, which is based on the even older version Python 2.4.2, seems out of the question.

Actually I don't see how this issue got a CVE assigned. Where is the security relevance? Working on the same data from parallel threads without explicit synchronization is always a bad idea. One can argue that a builtin Python object should survive this without corruption. And I think this is what this bug is actually about. But how should an attacker exploit this issue? It requires a program that operates without sense in parallel on the same file objects. And even then you need some additional attack vector. Red Hat seems to have come to the same conclusion: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1000030 Investing effort in a complex backport for such a kind of "vulnerability" is not helpful in my opinion.

SUSE-SU-2018:1372-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1068664,1079300
CVE References: CVE-2017-1000158,CVE-2018-1000030
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src): python-base-2.7.13-28.3.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): python-base-2.7.13-28.3.2
SUSE Linux Enterprise Server 12-SP3 (src): python-2.7.13-28.3.2, python-base-2.7.13-28.3.2, python-doc-2.7.13-28.3.3
SUSE Linux Enterprise Desktop 12-SP3 (src): python-2.7.13-28.3.2, python-base-2.7.13-28.3.2
SUSE Enterprise Storage 5 (src): python-2.7.13-28.3.2
SUSE CaaS Platform ALL (src): python-2.7.13-28.3.2, python-base-2.7.13-28.3.2
OpenStack Cloud Magnum Orchestration 7 (src): python-2.7.13-28.3.2, python-base-2.7.13-28.3.2

openSUSE-SU-2018:1415-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1068664,1079300
CVE References: CVE-2017-1000158,CVE-2018-1000030
Sources used:
openSUSE Leap 42.3 (src): python-2.7.13-27.3.1, python-base-2.7.13-27.3.1, python-doc-2.7.13-27.3.1

Since the security impact is negligible we will not fix this for older python versions due to the risk of introducing regressions. I added a note to the CVE pages to reflect this.

SUSE-SU-2020:0234-1: An update that solves 37 vulnerabilities and has 50 fixes is now available.
Category: security (important)
Bug References: 1027282,1041090,1042670,1068664,1073269,1073748,1078326,1078485,1079300,1081750,1083507,1084650,1086001,1088004,1088009,1109847,1111793,1113755,1122191,1129346,1130840,1130847,1138459,1141853,1149792,1149955,1153238,1153830,1159035,214983,298378,346490,367853,379534,380942,399190,406051,425138,426563,430761,432677,436966,437293,441088,462375,525295,534721,551715,572673,577032,581765,603255,617751,637176,638233,658604,673071,682554,697251,707667,718009,747125,747794,751718,754447,766778,794139,804978,827982,831442,834601,836739,856835,856836,857470,863741,885882,898572,901715,935856,945401,964182,984751,985177,985348,989523,997436
CVE References: CVE-2007-2052,CVE-2008-1721,CVE-2008-2315,CVE-2008-2316,CVE-2008-3142,CVE-2008-3143,CVE-2008-3144,CVE-2011-1521,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-1753,CVE-2013-4238,CVE-2014-1912,CVE-2014-4650,CVE-2014-7185,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-1000158,CVE-2017-18207,CVE-2018-1000030,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20852,CVE-2019-10160,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947,CVE-2019-9948
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): python-2.7.17-7.32.2, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15 (src): python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Basesystem 15 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

This is an autogenerated message for OBS integration: This bug (1079300) was mentioned in https://build.opensuse.org/request/show/951983 Factory / python

This is an autogenerated message for OBS integration: This bug (1079300) was mentioned in https://build.opensuse.org/request/show/953031 Factory / python

This is an autogenerated message for OBS integration: This bug (1079300) was mentioned in https://build.opensuse.org/request/show/981989 Factory / python