From: Jeff A. <ja...@fa...> - 2021-05-12 20:25:29
Hi Aditya.

The version of Python supported by Jython is shown in the major.minor version, so Jython 2.5.3 supports Python 2.5. Python does not introduce new language features between minor version numbers, so that's the version of Python.

I think you want to know what version of the built-in modules and standard library are the same in a given micro-version (bug-fix version) of Jython and CPython. The accurate answer is "none of them". In the journey towards a bug-fix version we bring in as much of the stdlib as we safely can, and can manage to make pass most of its tests.

Python 2.7, which we've been implementing for as long as I've been contributing, was a bit special in this respect. Having been declared the last ever Python 2, it saw quite a lot of library movement. We generally say Jython 2.7.2 is roughly CPython 2.7.9, but it's not a precise statement. Only examining the code (diff, say) could give a precise answer.

Jeff

Jeff Allen

On 12/05/2021 13:29, Aditya Raj via Jython-dev wrote:
> Hi Team,
>
> Thanks @Alan Kennedy <mailto:jyt...@xh...> for your valuable response. It will help us further in our analysis task.
>
> Please respond for the below queries,
>
> ******************************
>
> * How do we know jython 2.5.3 libraries internally pointing to which python version exactly?
> * Can you please share any links/references which shows that "which Jython version supports which exact python version"? or you suggest any views how to check.
>
> ***************************
>
> Thanks
>
> Aditya Raj
>
> *From:* Alan Kennedy <jyt...@xh...>
> *Sent:* 06 May 2021 18:31
> *To:* Aditya Raj <adi...@al...>
> *Cc:* jyt...@li...; Prashant Kumar <pra...@al...>; Rajkumar.doger <Raj...@al...>
> *Subject:* Re: [Jython-dev] Query related to Python issue CVE-2021-29921 and its impact on jython2.5.3
>
> Hi Aditya.
>
> [Aditya]
> > > We are using jython2.5.3 version in our product.
> > > And we have few query related to the new issue reported
> > > through CVE-2021-29921 at Python stream (in respect to jython streams).
> > > CVE-2021-29921 : - "ipaddress leading zeros in IPv4 address"
> > > From these below links we can check the code fixes against this CVE.
> > >
> > > https://github.com/python/cpython/pull/12577
> > > https://github.com/python/cpython/commit/60ce8f0be6354ad565393ab449d8de5d713f35bc
> > >
> > > That is Lib/ipaddress.py file having the fix in python 3.9 or 3.10 streams.
> > > But when we checked the jython2.5.3 libraries, found a file
> > > named "Lib/_google_ipaddr_r234.py" which containing code module as below
> > >
> > > ********************
> > > def _parse_octet(self, octet_str):
> > >     # Disallow leading zeroes, because no clear standard exists on
> > >     # whether these should be interpreted as decimal or octal.
> > >     if octet_int > 255 or (octet_str[0] == '0' and len(octet_str) > 1):
> > >         raise ValueError
> > >     return octet_int
> > > ********************
>
> [Aditya]
> > > Below are our queries:
> > > Are the code fix done in python streams and the present code snippet in jython2.5.3 Lib/_google_ipaddr_r234.py similar?
>
> Yes. They are trying to achieve exactly the same thing: to prevent octal numbers being used in IP addresses.
>
> The difference is that the google IP address library never accepted octal numbers. This is the purpose of the "octet_str[0] == '0'" check.
>
> The cpython ipaddress library did not previously carry out this check, which is why it was susceptible to the exploit in question, and why it had to be fixed.
>
> [Aditya]
> > > Is above jython's code module addressing the same issue ?
>
> Yes.
>
> [Aditya]
> > > Can we assume that the jython 2.5.3 libraries already contains the fixes for
> > > CVE-2021-29921?
>
> Yes.
>
> You can verify this by trying to parse an IP address containing octal, using jython. It should give you a ValueError exception. Try the IP address from the CVE: "010.8.8.8".
>
> > > Some other queries: How do we know jython 2.5.3 libraries internally pointing
> > > to which python version exactly?
> > > Can you please share any links/references which shows that "which Jython
> > > version supports which exact python version"? or you suggest any views how
> > > to check. Please provide your suggestions for above queries.
>
> I'll leave that to someone else to answer.
>
> Alan.
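
The ambiguity behind CVE-2021-29921 and the leading-zero check quoted in the thread, as an added example in Python 3; it is not code from Jython, the Google ipaddr library or CPython. Function names are hypothetical, and the `int(octet_str, 10)` conversion is an assumption because the quoted excerpt does not show where `octet_int` is set. It shows that "010.8.8.8" denotes 8.8.8.8 under the C-style octal convention, which is why a strict parser refuses it instead of guessing.

```python
# Added example: strict vs. C-style interpretation of IPv4 octets.

def parse_octet_strict(octet_str):
    """Decimal-only octet parser that rejects leading zeros."""
    if not octet_str or not all(c in "0123456789" for c in octet_str):
        raise ValueError("non-decimal octet: %r" % octet_str)
    octet_int = int(octet_str, 10)  # assumed conversion step
    if octet_int > 255 or (octet_str[0] == "0" and len(octet_str) > 1):
        raise ValueError("ambiguous or out-of-range octet: %r" % octet_str)
    return octet_int


def parse_octet_c_style(octet_str):
    """C convention: a leading 0 means octal, a leading 0x means hex."""
    text = octet_str.lower()
    if not (text.isascii() and text.isalnum()):
        raise ValueError("bad octet: %r" % octet_str)
    if text.startswith("0x"):
        value = int(text[2:], 16)
    elif len(text) > 1 and text[0] == "0":
        value = int(text[1:], 8)
    else:
        value = int(text, 10)
    if not 0 <= value <= 255:
        raise ValueError("out-of-range octet: %r" % octet_str)
    return value


def parse_ipv4(addr, parse_octet):
    """Split a dotted quad and parse each part with the given octet parser."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError("expected 4 octets: %r" % addr)
    return tuple(parse_octet(p) for p in parts)


def classify(addr):
    """Strict verdict, plus the address a C-style consumer would see."""
    try:
        return ("accepted", parse_ipv4(addr, parse_octet_strict))
    except ValueError:
        pass
    try:
        # Rejected by the strict parser, yet meaningful to a C-style one.
        return ("rejected-ambiguous", parse_ipv4(addr, parse_octet_c_style))
    except ValueError:
        return ("rejected-invalid", None)
```

A validator that strips the zero would treat "010.8.8.8" as 10.8.8.8 while a C-style resolver connects to 8.8.8.8; rejecting the input removes that disagreement.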