Bug 1718212 (CVE-2019-12760)

Summary: CVE-2019-12760 parso: parsing leads to arbitrary code execution
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: unspecified
CC: carl
Keywords: Reopened, Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2019-06-14 11:07:11 UTC
Bug Depends On: 1718213, 1718214

Description Dhananjay Arunesh 2019-06-07 09:24:16 UTC
A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing can be triggered, this flaw leads to Arbitrary Code Execution.

Upstream commit:
https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7
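
The mechanism the description relies on, as an added illustration that is not parso's code and not the reporter's proof of concept: a loader that calls pickle.load on a cache file the attacker can write (the bug's precondition), an attacker object whose __reduce__ makes unpickling spawn a process, and two assumed mitigations that are not parso's actual fix: an Unpickler that resolves no globals, and an HMAC over the cache bytes with a key kept outside the writable cache directory. The stand-in cache object, file names and payload are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import pickle
import subprocess
import sys
import tempfile

# Constructed stand-in for a cached grammar; parso's real layout is not reproduced.
SAFE_CACHE_OBJECT = {"grammar": "python3.7", "rules": ["stmt", "expr"]}


class EvilPickle:
    """Attacker-controlled object. pickle stores whatever __reduce__ returns,
    and pickle.load on the victim side calls that callable with those args.
    This constructed payload only runs python -c to print a marker;
    os.system(...) would be invoked the same way."""

    def __reduce__(self):
        return (subprocess.check_output,
                ([sys.executable, "-c", "print('payload executed')"],))


def write_cache(path, obj):
    """Plain pickle write; also models the attacker overwriting the file."""
    with open(path, "wb") as fh:
        pickle.dump(obj, fh)


def load_cache_unsafe(path):
    """The vulnerable pattern: by the time this returns, the payload has run."""
    with open(path, "rb") as fh:
        return pickle.load(fh)


class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation 1 (assumed): resolve no globals at all. dict/list/str/int are
    rebuilt from opcodes that never call find_class, so a cache made only of
    them still loads; a reference to subprocess.check_output does not."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_cache_restricted(path):
    with open(path, "rb") as fh:
        return RestrictedUnpickler(fh).load()


TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def write_cache_signed(path, obj, key):
    """Mitigation 2 (assumed): HMAC-SHA256 over the pickle bytes; the key
    must live where the attacker can neither read nor write it."""
    payload = pickle.dumps(obj)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    with open(path, "wb") as fh:
        fh.write(tag + payload)


def load_cache_signed(path, key):
    """Verify before unpickling: tampered bytes never reach pickle."""
    with open(path, "rb") as fh:
        blob = fh.read()
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cache tag mismatch: refusing to unpickle")
    return pickle.loads(payload)


def demo():
    """Run the attacker's overwrite against all three loaders; return outcomes."""
    results = {}
    key = os.urandom(32)
    with tempfile.TemporaryDirectory() as cache_dir:
        path = os.path.join(cache_dir, "grammar.pkl")
        # 1. Unsafe loader executes the payload and even returns the
        #    subprocess output as if it were the cached grammar.
        write_cache(path, EvilPickle())
        results["unsafe"] = load_cache_unsafe(path).strip()
        # 2. Restricted unpickler rejects the global before anything runs,
        #    yet still loads a benign cache.
        try:
            load_cache_restricted(path)
            results["restricted"] = "loaded"
        except pickle.UnpicklingError:
            results["restricted"] = "rejected"
        write_cache(path, SAFE_CACHE_OBJECT)
        results["restricted_benign"] = load_cache_restricted(path)
        # 3. Signed cache: legitimate write verifies; the attacker can
        #    overwrite the file but cannot produce a valid tag.
        write_cache_signed(path, SAFE_CACHE_OBJECT, key)
        results["signed_benign"] = load_cache_signed(path, key)
        write_cache(path, EvilPickle())
        try:
            load_cache_signed(path, key)
            results["signed_tampered"] = "loaded"
        except ValueError:
            results["signed_tampered"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Running demo() prints the subprocess marker once (from the unsafe loader only); neither mitigation lets the payload execute. The HMAC variant is the more general of the two, since it also protects caches that legitimately contain class instances and so cannot use an empty allowlist, but it is only as strong as the secrecy of the key against the same local attacker who can write the cache file.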

Comment 1 Dhananjay Arunesh 2019-06-07 09:25:10 UTC
Created python-parso tracking bugs for this issue:

Affects: fedora-all [bug 1718213]

Comment 2 Dhananjay Arunesh 2019-06-07 09:25:31 UTC
Created python-parso tracking bugs for this issue:

Affects: epel-7 [bug 1718214]

Comment 3 Product Security DevOps Team 2019-06-10 10:56:54 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Comment 4 Carl George 2019-06-13 13:43:19 UTC
This is not yet resolved upstream. The upstream commit link in this bug is a gist of a proof of concept exploit.

https://github.com/davidhalter/parso/issues/75

Comment 5 Martin Prpič 2019-06-14 11:07:11 UTC
Carl, if you read comment 3 you'll see it notes that the progress on fixing this issue is tracked in the dependent bugs: bug 1718213 for Fedora, and bug 1718214 for EPEL 7. There is nothing else to do in this bug since it's just a container that holds security metadata (note that it's filed against the "Security Response / vulnerability" component, not against a specific product/component.) The actual work of fixing this issue needs to happen (and is tracked) in the aforementioned bugs, both of which are in NEW as of right now. The status and resolution of this bug merely reflects the completeness of information about this issue, it holds no meaning with regard to the fixes in any affected component.