Bug#930356: CVE-2019-12760
Moritz Muehlenhoff
2019-06-11 11:10:02 UTC
Source: parso
Severity: grave
Tags: security

Please see https://bugzilla.redhat.com/show_bug.cgi?id=1718212

Patch is at https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7

Cheers,
Moritz
Andreas Tille
2019-06-19 16:00:02 UTC
Hi Piotr
Post by Moritz Muehlenhoff
Please see https://bugzilla.redhat.com/show_bug.cgi?id=1718212
Patch is at https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7
I know you are usually pretty quick in solving serious issues. I tried
to check the issue and think the link provided for a patch is just
pointing to a proof of concept exploit. When reading the discussion
here

https://github.com/davidhalter/parso/issues/75

I understand that it is not fixed but the authors do not consider the
issue serious. Could you please give some comment from an insider's
point of view (which I'm not)? I'm just caring since several Debian
Science dependencies are about to be removed from testing due to this
bug.

Kind regards

Andreas.

PS: Is there any reason why this package is not on Salsa and not
team maintained?
--
http://fam-tille.de
Piotr Ożarowski
2019-06-21 11:30:02 UTC
Hi Andreas,
Post by Andreas Tille
Post by Moritz Muehlenhoff
Please see https://bugzilla.redhat.com/show_bug.cgi?id=1718212
Patch is at https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7
I know you are usually pretty quick in solving serious issues. I tried
to check the issue and think the link provided for a patch is just
pointing to a proof of concept exploit. When reading the discussion
here
https://github.com/davidhalter/parso/issues/75
I understand that it is not fixed but the authors do not consider the
issue serious. Could you please give some comment from an insider's
point of view (which I'm not)? I'm just caring since several Debian
Science dependencies are about to be removed from testing due to this
bug.
I don't consider it that serious either. I'll wait for upstream to
provide a proper fix. If there is no such fix in time, I guess I can
just disable the cache if the security team insists.
Post by Andreas Tille
PS: Is there any reason why this package is not on Salsa and not
team maintained?
that's because python-jedi is a multi-tarball source package and parso
was part of it at the beginning. Last time I checked gbp didn't
support it (or I don't know how to use it) so it was easier for me to
keep it outside DPMT. I guess there's no reason not to move parso into
DPMT now.
Marco Villegas
2019-07-21 14:40:03 UTC
Just to mention that one of the authors of parso actually closed the
related issue[1] pointing to the commit mentioned by Nicholas, 19de3eb.

In the same comment, a new issue about replacing pickle[2] was created
to avoid the problem altogether, and the author suggests it will not
happen soon.

This probably means that we want to go with the approach suggested by
Piotr to disable cache if we want to avoid the removal.

1: https://github.com/davidhalter/parso/issues/75
2: https://github.com/davidhalter/parso/issues/79

Best,

-Marco

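The two mitigations discussed in this thread (replacing pickle, or disabling the cache) address the same hazard: unpickling a cache file executes whatever callables the file encodes, so anyone who can write to the cache location gets code execution in the process that loads it. The following is an added illustration written for this page, not parso's code; the cache layout, file name, key handling and function names are all hypothetical. It shows a plain pickle-backed loader running a stand-in payload from a tampered file, then two alternatives: an HMAC-checked pickle that rejects tampered bytes before deserializing them, and a data-only JSON format that cannot execute code on load.

```python
# Added illustration: pickle-backed cache vs. integrity-checked / data-only cache.
# Not parso's code; file layout, key handling and names are hypothetical.
import hashlib
import hmac
import json
import os
import pickle
import tempfile

EXECUTED = []  # side effects recorded by the stand-in payload at unpickle time


def _marker(tag):
    """Stand-in for an attacker's callable (think os.system); it only records that it ran."""
    EXECUTED.append(tag)
    return tag


class Payload:
    """Unpickling this object calls _marker("payload-ran") before the loader sees any value."""
    def __reduce__(self):
        return (_marker, ("payload-ran",))


def load_cache_unverified(path):
    """What a plain pickle cache does: trust whatever bytes are in the file."""
    with open(path, "rb") as f:
        return pickle.load(f)


TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def save_cache_signed(path, obj, key):
    """Keep pickle, but prepend an HMAC-SHA256 tag so tampered files are rejected before unpickling."""
    data = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, data, hashlib.sha256).digest()
    with open(path, "wb") as f:
        f.write(tag + data)


def load_cache_signed(path, key):
    """Verify the tag over the pickled bytes; only then hand them to pickle."""
    with open(path, "rb") as f:
        blob = f.read()
    tag, data = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cache integrity check failed; refusing to unpickle")
    return pickle.loads(data)


def save_cache_json(path, obj):
    """Data-only format: loading JSON never executes code, so tampering is bounded to bad data."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(obj, f)


def load_cache_json(path):
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def demo():
    """Write a legitimate cache entry, overwrite it with a hostile pickle, and try each loader."""
    cache_entry = {"grammar": "3.7", "nodes": [1, 2, 3]}  # constructed sample data
    key = os.urandom(32)  # assumption: kept where whoever can write the cache cannot read it
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cache.bin")  # hypothetical cache file

        # Legitimate round trips through both hardened variants
        save_cache_signed(path, cache_entry, key)
        results["signed_roundtrip"] = load_cache_signed(path, key) == cache_entry
        save_cache_json(path, cache_entry)
        results["json_roundtrip"] = load_cache_json(path) == cache_entry

        # Tamper: replace the cache file with an attacker-chosen pickle
        with open(path, "wb") as f:
            pickle.dump(Payload(), f)

        del EXECUTED[:]
        load_cache_unverified(path)  # the payload runs during pickle.load
        results["unverified_ran_payload"] = EXECUTED == ["payload-ran"]

        del EXECUTED[:]
        try:
            load_cache_signed(path, key)
            results["signed_rejected"] = False
        except ValueError:
            results["signed_rejected"] = EXECUTED == []  # rejected before unpickling

        try:
            load_cache_json(path)
            results["json_rejected"] = False
        except ValueError:  # UnicodeDecodeError and JSONDecodeError are both ValueError
            results["json_rejected"] = EXECUTED == []
    return results


if __name__ == "__main__":
    print(demo())
```

The HMAC variant only helps if the key lives somewhere the party who can write the cache cannot read; when the cache directory itself is writable by other local users, the data-only format (the direction the pickle-replacement issue points at) removes the problem rather than guarding it, which is why disabling the cache is the simple stop-gap until upstream lands such a change.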