From: Aditya R. <adi...@al...> - 2021-05-12 12:30:17
Hi Team,

Thanks @Alan Kennedy <jyt...@xh...> for your valuable response. It will help us further in our analysis task. Please respond to the queries below:

* How do we know which Python version the Jython 2.5.3 libraries internally point to, exactly?
* Can you please share any links/references which show which Jython version supports which exact Python version? Or can you suggest how to check?

Thanks,
Aditya Raj

From: Alan Kennedy <jyt...@xh...>
Sent: 06 May 2021 18:31
To: Aditya Raj <adi...@al...>
Cc: jyt...@li...; Prashant Kumar <pra...@al...>; Rajkumar.doger <Raj...@al...>
Subject: Re: [Jython-dev] Query related to Python issue CVE-2021-29921 and its impact on jython2.5.3

Hi Aditya.

[Aditya]
> We are using the jython2.5.3 version in our product.
> And we have a few queries related to the new issue reported
> through CVE-2021-29921 in the Python stream (in respect to the Jython streams).
> CVE-2021-29921: "ipaddress leading zeros in IPv4 address"
> From the links below we can check the code fixes against this CVE.
> https://github.com/python/cpython/pull/12577
> https://github.com/python/cpython/commit/60ce8f0be6354ad565393ab449d8de5d713f35bc
> That is, the Lib/ipaddress.py file has the fix in the Python 3.9 or 3.10 streams.
> But when we checked the jython2.5.3 libraries, we found a file
> named "Lib/_google_ipaddr_r234.py" which contains the code module below:

********************
    def _parse_octet(self, octet_str):
        # (The mail elided the lines above this point; the assignment below
        # is restored from the library source so the snippet is complete.)
        octet_int = int(octet_str, 10)
        # Disallow leading zeroes, because no clear standard exists on
        # whether these should be interpreted as decimal or octal.
        if octet_int > 255 or (octet_str[0] == '0' and len(octet_str) > 1):
            raise ValueError
        return octet_int
********************

[Aditya]
> Below are our queries:
> Are the code fix done in the Python streams and the present code snippet in
> jython2.5.3 Lib/_google_ipaddr_r234.py similar?

Yes. They are trying to achieve exactly the same thing: to prevent octal numbers being used in IP addresses.

The difference is that the Google IP address library never accepted octal numbers. This is the purpose of the "octet_str[0] == '0'" check. The CPython ipaddress library did not previously carry out this check, which is why it was susceptible to the exploit in question, and why it had to be fixed.

[Aditya]
> Is the above Jython code module addressing the same issue?

Yes.

[Aditya]
> Can we assume that the jython 2.5.3 libraries already contain the fixes for
> CVE-2021-29921?

Yes. You can verify this by trying to parse an IP address containing octal, using Jython. It should give you a ValueError exception. Try the IP address from the CVE: "010.8.8.8".

> Some other queries: How do we know which Python version the jython 2.5.3
> libraries internally point to, exactly?
> Can you please share any links/references which show "which Jython
> version supports which exact Python version"? Or can you suggest how
> to check? Please provide your suggestions for the above queries.

I'll leave that to someone else to answer.

Alan.
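The check Alan describes, as an added stand-alone example (not code from the Jython or ipaddr projects): a strict octet parser mirroring the `_parse_octet` rule quoted above, next to a C `inet_aton()`-style reading of the same octet, so it is visible why "010.8.8.8" is ambiguous and why the strict rule refuses it. Function names are my own; the code runs on CPython 3 and is written to stay within Python 2.5 syntax.

```python
_DECIMAL_DIGITS = frozenset('0123456789')


def parse_octet_strict(octet_str):
    """Parse one dotted-quad octet the way the quoted _parse_octet does.

    Only decimal digits, value 0..255, and no leading zero on a multi-digit
    octet, so an ambiguous form such as '010' is rejected rather than being
    silently read as 10 (decimal) by one component and 8 (octal) by another.
    """
    if not octet_str or not _DECIMAL_DIGITS.issuperset(octet_str):
        raise ValueError('non-decimal octet: %r' % octet_str)
    octet_int = int(octet_str, 10)
    if octet_int > 255 or (octet_str[0] == '0' and len(octet_str) > 1):
        raise ValueError('invalid octet: %r' % octet_str)
    return octet_int


def parse_ipv4_strict(address):
    """Return the four octets of a dotted-quad address, or raise ValueError."""
    parts = address.split('.')
    if len(parts) != 4:
        raise ValueError('expected 4 octets: %r' % address)
    return tuple([parse_octet_strict(p) for p in parts])


def parse_octet_inet_aton(octet_str):
    """How a C inet_aton()-style parser reads the same octet: a multi-digit
    octet starting with '0' is octal. Shown only to make the ambiguity visible."""
    if len(octet_str) > 1 and octet_str[0] == '0':
        return int(octet_str, 8)
    return int(octet_str, 10)


def is_ambiguous(address):
    """True when a plain decimal reading and an inet_aton reading of the same
    string give different addresses; this is the input class CVE-2021-29921
    is about and exactly what the strict check refuses."""
    parts = address.split('.')
    try:
        decimal = tuple([int(p, 10) for p in parts])
        c_style = tuple([parse_octet_inet_aton(p) for p in parts])
    except ValueError:
        return False
    return decimal != c_style


def rejects(address):
    """Does the strict parser refuse this string? (Used for the CVE sample.)"""
    try:
        parse_ipv4_strict(address)
    except ValueError:
        return True
    return False
```

Running `rejects('010.8.8.8')` reproduces the ValueError check Alan suggests, while `is_ambiguous('010.8.8.8')` shows the two readings (10.8.8.8 versus 8.8.8.8) that make the leading zero dangerous.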