Just to mention that one of the authors of parso actually closed the
related issue[1] pointing to the commit mentioned by Nicholas, 19de3eb.
In the same comment, a new issue about replacing pickle[2] was created
to avoid the problem altogether, and the author suggests it will not
happen soon.
This
CCing the Security Team as well
On Fri, Jun 21, 2019 at 01:15:23PM +0200, Piotr Ożarowski wrote:
> Hi Andreas,
>
> > > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1718212
> > >
> > > Patch is at
> > > https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7
> >
> > I know yo
Control: forwarded -1 https://github.com/davidhalter/parso/issues/75
I wonder if this is going to pan out like CVE-2014-3539...unpatched
upstream for five years. But on the upside, it's more difficult to
exploit and lower severity. On a related note, could Rope's
"signature verification [for] pi
Processing control commands:
> forwarded -1 https://github.com/davidhalter/parso/issues/75
Bug #930356 [src:parso] CVE-2019-12760
Set Bug forwarded-to-address to
'https://github.com/davidhalter/parso/issues/75'.
--
930356: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930356
Debian Bug Trac
On Fri, 21 Jun 2019 at 13:15:23 +0200, Piotr Ożarowski wrote:
> that's because python-jedi is a multi-tarball source package and parso
> was part of it at the beginning. Last time I checked gbp didn't
> support it (or I don't know how to use it) so it was easier for me to
> keep it outside DPMT. I
Hi Piotr,
On Fri, Jun 21, 2019 at 01:15:23PM +0200, Piotr Ożarowski wrote:
> >https://github.com/davidhalter/parso/issues/75
> >
> > I understand that it is not fixed but the authors do not consider the
> > issue serious. Could you please give some comment from an insider's
> > point of view
Hi Andreas,
> > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1718212
> >
> > Patch is at https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7
>
> I know you are usually pretty quick in solving serious issues. I tried
> to check the issue and think the link provided for a p
Hi Piotr
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=1718212
>
> Patch is at https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7
I know you are usually pretty quick in solving serious issues. I tried
to check the issue and think the link provided for a patch is just
po
Source: parso
Severity: grave
Tags: security
Please see https://bugzilla.redhat.com/show_bug.cgi?id=1718212
Patch is at https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7
Cheers,
Moritz