From: Alan K. <jyt...@xh...> - 2021-05-06 13:01:46
Hi Aditya.

[Aditya]
> We are using the jython2.5.3 version in our product.
> And we have a few queries related to the new issue reported
> through CVE-2021-29921 at the Python stream (in respect of the jython streams).
> CVE-2021-29921 : - "ipaddress leading zeros in IPv4 address"
> From the links below we can check the code fixes against this CVE.
> https://github.com/python/cpython/pull/12577
> https://github.com/python/cpython/commit/60ce8f0be6354ad565393ab449d8de5d713f35bc
> That is the Lib/ipaddress.py file having the fix in the python 3.9 or 3.10 streams.
> But when we checked the jython2.5.3 libraries, we found a file
> named "Lib/_google_ipaddr_r234.py" which contains the code module below

********************
    def _parse_octet(self, octet_str):
        # The octet text is converted in base 10 only; "010" is never read as octal.
        octet_int = int(octet_str, 10)
        # Disallow leading zeroes, because no clear standard exists on
        # whether these should be interpreted as decimal or octal.
        if octet_int > 255 or (octet_str[0] == '0' and len(octet_str) > 1):
            raise ValueError
        return octet_int
********************

[Aditya]
> Below are our queries:
> Are the code fix done in the python streams and the present code snippet in
> jython2.5.3 Lib/_google_ipaddr_r234.py similar?

Yes. They are trying to achieve exactly the same thing: to prevent octal
numbers being used in IP addresses.

The difference is that the google IP address library never accepted octal
numbers. This is the purpose of the "octet_str[0] == '0'" check.

The cpython ipaddress library did not previously carry out this check, which
is why it was susceptible to the exploit in question, and why it had to be
fixed.

[Aditya]
> Is the above jython code module addressing the same issue?

Yes.

[Aditya]
> Can we assume that the jython 2.5.3 libraries already contain the fixes for
> CVE-2021-29921?

Yes. You can verify this by trying to parse an IP address containing octal,
using jython. It should give you a ValueError exception. Try the IP address
from the CVE: "010.8.8.8".

> Some other queries:
> How do we know which python version the jython 2.5.3 libraries internally
> point to exactly?
> Can you please share any links/references which show "which Jython
> version supports which exact python version"? Or do you suggest any views on
> how to check. Please provide your suggestions for the above queries.

I'll leave that to someone else to answer.

Alan.
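The verification Alan suggests, worked through as an added example. This is not code from the thread, from Jython or from cpython: `parse_octet`, `parse_ipv4`, `lenient_ipv4`, `ambiguous_addresses` and `stdlib_rejects_leading_zeros` are names constructed here, and only the leading-zero test inside `parse_octet` mirrors the `_google_ipaddr_r234.py` snippet quoted above. The sample address list is constructed for the example. It is written in Python 3 syntax that also avoids features newer than Python 2.5, so the strict parser itself can be tried under jython; the `ipaddress` import is only available on Python 3.

```python
try:
    import ipaddress          # Python 3 only; absent on Jython 2.5
except ImportError:
    ipaddress = None

# Constructed sample inputs: the CVE's own "010.8.8.8" plus a few more shapes
# a dotted-quad parser has to get right.
SAMPLE_ADDRESSES = [
    "10.8.8.8",    # plain decimal, valid
    "010.8.8.8",   # leading zero: octal 010 is decimal 8, so ambiguous
    "0.0.0.0",     # a lone "0" octet is fine
    "00.1.2.3",    # "00" is a leading-zero spelling of 0, reject
    "256.1.1.1",   # octet out of range
    "1.2.3",       # wrong octet count
    "1.2.3.4a",    # non-digit characters
]

_DECIMAL_DIGITS = frozenset("0123456789")


def parse_octet(octet_str):
    """Strictly parse one octet to an int in 0..255, else raise ValueError.

    Leading zeros are rejected because "010" reads as decimal 10 to one
    library and as octal (decimal 8) to another; that disagreement about
    which host a string names is what CVE-2021-29921 is about.
    """
    if not octet_str or not _DECIMAL_DIGITS.issuperset(octet_str):
        raise ValueError("octet %r is not a decimal number" % (octet_str,))
    octet_int = int(octet_str, 10)
    if octet_int > 255:
        raise ValueError("octet %r is out of range" % (octet_str,))
    if octet_str[0] == "0" and len(octet_str) > 1:
        raise ValueError("octet %r has a leading zero" % (octet_str,))
    return octet_int


def parse_ipv4(address):
    """Strictly parse a dotted-quad string into a 4-tuple of ints."""
    octets = address.split(".")
    if len(octets) != 4:
        raise ValueError("expected 4 octets in %r" % (address,))
    return tuple([parse_octet(o) for o in octets])


def is_strict_ipv4(address):
    """True if the string is accepted under the strict (ipaddr-style) rules."""
    try:
        parse_ipv4(address)
    except ValueError:
        return False
    return True


def lenient_ipv4(address):
    """Model a lenient, inet_aton-style reader: a leading zero means octal.

    Used only to show how such a reader and the strict parser disagree.
    """
    octets = address.split(".")
    if len(octets) != 4:
        raise ValueError("expected 4 octets in %r" % (address,))
    result = []
    for o in octets:
        base = 8 if (len(o) > 1 and o[0] == "0") else 10
        value = int(o, base)          # raises ValueError on bad digits
        if not 0 <= value <= 255:
            raise ValueError("octet %r is out of range" % (o,))
        result.append(value)
    return tuple(result)


def ambiguous_addresses(addresses):
    """Return the strings a lenient reader accepts but the strict parser rejects.

    These are the inputs where two components (say a validator and a socket
    library) could silently name different hosts.
    """
    flagged = []
    for address in addresses:
        if is_strict_ipv4(address):
            continue
        try:
            lenient_ipv4(address)
        except ValueError:
            continue
        flagged.append(address)
    return flagged


def stdlib_rejects_leading_zeros():
    """Run Alan's check against this interpreter's own ipaddress module.

    Returns True if "010.8.8.8" raises ValueError (the fixed behaviour),
    False if it is accepted, and None when the module is not available.
    """
    if ipaddress is None:
        return None
    try:
        ipaddress.ip_address(u"010.8.8.8")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for address in SAMPLE_ADDRESSES:
        print("%-12s strict=%s" % (address, is_strict_ipv4(address)))
    print("ambiguous:", ambiguous_addresses(SAMPLE_ADDRESSES))
    print("this interpreter rejects leading zeros:", stdlib_rejects_leading_zeros())
```

`ambiguous_addresses` is the part worth keeping around: run it over the address strings your product accepts from users or configuration, and anything it flags is an input whose meaning depends on which parser reads it.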