Bug 1824446 (CVE-2019-17514)
| Summary | CVE-2019-17514 python: potentially misleading information about whether sorting in library/glob.html | | |
|---|---|---|---|
| Product | [Other] Security Response | Reporter | Dhananjay Arunesh <darunesh> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED NOTABUG | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | carl, cstratak, dmalcolm, hhorak, jorton, kevin, m.cyprian, mhroncok, mplch, pviktori, python-maint, python-sig, rkuska, shcherbina.iryna, slavek.kabrda, steve.traylen, TicoTimo, tomspur, torsava, vstinner |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2020-04-20 15:26:06 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1824447, 1824448, 1824450, 1824451, 1824452, 1824453, 1824454, 1824455 | | |
| Bug Blocks | 1824456 | | |
Description
Dhananjay Arunesh
2020-04-16 09:15:42 UTC
Comment 1

Created python2 tracking bugs for this issue:
Affects: fedora-all [bug 1824450]

Created python3 tracking bugs for this issue:
Affects: fedora-all [bug 1824454]

Created python34 tracking bugs for this issue:
Affects: epel-all [bug 1824448]
Affects: fedora-all [bug 1824453]

Created python35 tracking bugs for this issue:
Affects: fedora-all [bug 1824451]

Created python36 tracking bugs for this issue:
Affects: epel-7 [bug 1824447]
Affects: fedora-all [bug 1824452]

Created python38 tracking bugs for this issue:
Affects: fedora-all [bug 1824455]

Comment 2

Dhananjay, what can I do to stop more EPEL python36 security bugzillas? The package was retired in EPEL 6 months ago.

Comment 3

This does not seem to me like a real flaw. It was not even a bug actually, but just slightly misleading documentation. I don't think this is a good use of a CVE, but rather a CVE should be assigned to particular programs that wrongly assume the sorting of that function.

Victor, what do you think?

Comment 4

In reply to comment #2:
> Dhananjay, what can I do to stop more EPEL python36 security bugzillas? The
> package has been retired in EPEL 6 months ago.

Removed python36 for EPEL and updated my manifest file.

Comment 5

CVE-2019-17514 should be rejected: the behavior is intentional, it is not a vulnerability.

os.listdir() and glob.glob() are not sorted on purpose. See this discussion for more details:
https://discuss.python.org/t/a-code-glitch-may-have-caused-errors-in-more-than-100-published-studies/2583

The "fix" was to ensure that the intentional behavior is properly documented:

https://docs.python.org/dev/library/os.html#os.listdir
"The list is in arbitrary order"

https://docs.python.org/dev/library/glob.html#glob.glob
"Whether or not the results are sorted depends on the file system."

Python issues:

* https://bugs.python.org/issue21748 closed as "not a bug"
* https://bugs.python.org/issue30461 closed as "rejected"
* https://bugs.python.org/issue33275 fixed by documenting the behavior
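The point made in the last comment, that os.listdir() and glob.glob() return entries in an order the caller must not depend on and that any program needing a stable order has to sort explicitly, is illustrated below with an added example. It is not code from the bug report, from any of the commenters, or from CPython. The listing CONSTRUCTED_LISTING and the sample_*.dat file names are constructed for the demonstration; the real order os.listdir() returns depends on the filesystem, which is exactly why the example asserts only on the explicitly sorted views. The natural_key helper goes slightly beyond the thread: plain sorted() is lexicographic, so sample_10 sorts before sample_2, which is a second ordering surprise that code pairing files by position runs into once it starts sorting.

```python
"""Added example: directory listing order is unspecified; sort explicitly.
Not code from the bug report or from CPython."""
import glob
import os
import re
import tempfile

# Constructed listing, in the kind of order a real filesystem may hand back
# (ext4 hashed-directory order, tmpfs reverse-creation order, and so on).
CONSTRUCTED_LISTING = ["sample_10.dat", "sample_2.dat", "sample_1.dat", "sample_3.dat"]


def first_by_listing_order(names):
    """The faulty pattern: treat whatever entry comes back first as "the first
    sample". With CONSTRUCTED_LISTING that is sample_10.dat, not sample_1.dat."""
    return names[0]


def natural_key(name):
    """Sort key that orders embedded integers numerically, so sample_2 sorts
    before sample_10. re.split with a capturing group always yields a
    (possibly empty) text token first and then alternates text/digits, so the
    key lists compare position by position without mixing str and int."""
    return [int(tok) if tok.isdigit() else tok.lower()
            for tok in re.split(r"(\d+)", name)]


def deterministic_listing(pattern, natural=False):
    """glob.glob() with an order chosen by the caller instead of the filesystem.

    sorted() gives the same lexicographic order on every filesystem;
    natural=True additionally compares numeric parts as numbers.
    """
    paths = glob.glob(pattern)
    if natural:
        return sorted(paths, key=lambda p: natural_key(os.path.basename(p)))
    return sorted(paths)


def demo():
    """Create the sample files in a scratch directory and return three views:
    raw os.listdir() order (unspecified), lexicographic, and natural."""
    with tempfile.TemporaryDirectory() as d:
        # Create the files in deliberately non-sorted order.
        for name in CONSTRUCTED_LISTING:
            with open(os.path.join(d, name), "w"):
                pass
        # glob.escape() keeps any glob metacharacters in the directory name literal.
        pattern = os.path.join(glob.escape(d), "sample_*.dat")
        raw = os.listdir(d)  # whatever the filesystem returns; do not rely on it
        lexical = [os.path.basename(p) for p in deterministic_listing(pattern)]
        natural = [os.path.basename(p)
                   for p in deterministic_listing(pattern, natural=True)]
        return raw, lexical, natural


if __name__ == "__main__":
    raw, lexical, natural = demo()
    print("os.listdir() order (unspecified):", raw)
    print("sorted():", lexical)
    print("natural sort:", natural)
```

Running the block prints the raw listing as your filesystem happens to return it, followed by the two sorted views; only the sorted views are the same from one machine to the next. The same applies to os.scandir() and to pathlib's glob methods, which are built on the same directory-read primitives.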