A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing can be triggered, this flaw leads to Arbitrary Code Execution. Upstream commit: https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7
Created python-parso tracking bugs for this issue: Affects: fedora-all [bug 1718213]
Created python-parso tracking bugs for this issue: Affects: epel-7 [bug 1718214]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
This is not yet resolved upstream. The upstream commit link in this bug is a gist of a proof of concept exploit. https://github.com/davidhalter/parso/issues/75
Carl, if you read comment 3 you'll see it notes that the progress on fixing this issue is tracked in the dependent bugs: bug 1718213 for Fedora, and bug 1718214 for EPEL 7. There is nothing else to do in this bug since it's just a container that holds security metadata (note that it's filed against the "Security Response / vulnerability" component, not against a specific product/component.) The actual work of fixing this issue needs to happen (and is tracked) in the aforementioned bugs, both of which are in NEW as of right now. The status and resolution of this bug merely reflects the completeness of information about this issue, it holds no meaning with regard to the fixes in any affected component.