Bug 1718212 (CVE-2019-12760)
Summary: | CVE-2019-12760 parso: parsing leads to arbitrary code execution | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED UPSTREAM | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | carl
Target Milestone: | --- | Keywords: | Reopened, Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2019-06-14 11:07:11 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1718213, 1718214 | |
Bug Blocks: | | |
Description
Dhananjay Arunesh
2019-06-07 09:24:16 UTC
Created python-parso tracking bugs for this issue:

Affects: fedora-all [bug 1718213]

Created python-parso tracking bugs for this issue:

Affects: epel-7 [bug 1718214]

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

This is not yet resolved upstream. The upstream commit link in this bug is a gist of a proof of concept exploit.

https://github.com/davidhalter/parso/issues/75

Carl, if you read comment 3, you'll see it notes that the progress on fixing this issue is tracked in the dependent bugs: bug 1718213 for Fedora, and bug 1718214 for EPEL 7. There is nothing else to do in this bug since it's just a container that holds security metadata (note that it's filed against the "Security Response / vulnerability" component, not against a specific product/component). The actual work of fixing this issue needs to happen (and is tracked) in the aforementioned bugs, both of which are in NEW as of right now. The status and resolution of this bug merely reflects the completeness of information about this issue; it holds no meaning with regard to the fixes in any affected component.