Bug 1824446 (CVE-2019-17514) - CVE-2019-17514 python: potentially misleading information about whether sorting in library/glob.html
Summary: CVE-2019-17514 python: potentially misleading information about whether sorti...
Alias: CVE-2019-17514
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1824447 1824448 1824450 1824451 1824452 1824453 1824454 1824455
Blocks: 1824456
TreeView+ depends on / blocked
Reported: 2020-04-16 09:15 UTC by Dhananjay Arunesh
Modified: 2020-04-20 15:51 UTC (History)
20 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-04-20 15:26:06 UTC

Attachments (Terms of Use)

Description Dhananjay Arunesh 2020-04-16 09:15:42 UTC
A vulnerability was found in library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated "finds all the pathnames matching a specified pattern according to the rules used by the Unix shell," one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.


Comment 1 Dhananjay Arunesh 2020-04-16 09:17:18 UTC
Created python2 tracking bugs for this issue:

Affects: fedora-all [bug 1824450]

Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1824454]

Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1824448]
Affects: fedora-all [bug 1824453]

Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1824451]

Created python36 tracking bugs for this issue:

Affects: epel-7 [bug 1824447]
Affects: fedora-all [bug 1824452]

Created python38 tracking bugs for this issue:

Affects: fedora-all [bug 1824455]

Comment 2 Miro Hrončok 2020-04-16 09:28:49 UTC
Dhananjay, what can I do to stop more EPEL python36 security bugzillas? The package has been retired in EPEL 6 months ago.

Comment 3 Riccardo Schirone 2020-04-16 12:03:48 UTC
This does not seem to me like a real flaw. It was not even a bug actually, but just a slightly misleading documentation. I don't think this is a good use of a CVE, but rather a CVE should be assigned to particular programs that wrongly assume the sorting of that function. Victor, what do you think?

Comment 4 Dhananjay Arunesh 2020-04-20 11:36:39 UTC
In reply to comment #2:
> Dhananjay, what can I do to stop more EPEL python36 security bugzillas? The
> package has been retired in EPEL 6 months ago.

removed python36 for epel and updated my manifest file.

Comment 5 Victor Stinner 2020-04-20 14:59:37 UTC
CVE-2019-17514 should be rejected: the behavior is intentional, it is not a vulnerability. os.listdir() and glob.glob() are not sorted on purpose.

See this discussion for more details:

The "fix" was to ensure that the intentional behavior is properly documented:

"The list is in arbitrary order"

"Whether or not the results are sorted depends on the file system."

Python issues:

* https://bugs.python.org/issue21748 closed as "not a bug"
* https://bugs.python.org/issue30461 closed as "rejected"
* https://bugs.python.org/issue33275 fixed by documenting the behavior

Comment 6 Riccardo Schirone 2020-04-20 15:26:06 UTC
Closing as NOTABUG according to comment 3 and comment 5.

Note You need to log in before you can comment on or make changes to this bug.