Bug 10791

Summary: python-suds new security issue CVE-2013-2217
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, makowski.mageia, sysadmin-bugs
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/559200/
Whiteboard: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
Source RPM: python-suds-0.4.1-3.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-07-17 22:00:42 CEST 
OpenSuSE has issued an advisory today (July 17):
http://lists.opensuse.org/opensuse-updates/2013-07/msg00062.html

Mageia 2 and Mageia 3 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2013-07-17 22:00:58 CEST

CC: (none) => makowski.mageia
Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 David Walser 2013-07-19 16:11:42 CEST 
Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated python-suds package fixes security vulnerability:

An insecure temporary directory use flaw was found in the way python-suds
performed initialization of its internal file-based URL cache (predictable
location was used for directory to store the cached files). A local attacker
could use this flaw to conduct symbolic link attacks, possibly leading to
their ability for example the SOAP .wsdl metadata to redirect queries to a
different host, than originally intended (CVE-2013-2217).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2217
http://lists.opensuse.org/opensuse-updates/2013-07/msg00062.html
========================

Updated packages in core/updates_testing:
========================
python-suds-0.4.1-2.1.mga2
python-suds-0.4.1-3.1.mga3

from SRPMS:
python-suds-0.4.1-2.1.mga2.src.rpm
python-suds-0.4.1-3.1.mga3.src.rpm

CC: (none) => boklm
Version: Cauldron => 3
Assignee: boklm => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 2 Dave Hodgins 2013-07-21 02:54:47 CEST 
Testing complete on Mageia 3 i586 and x86_64 using ...
$ cat testsuds
#!/bin/python
from suds.client import Client
url = 'http://schemas.xmlsoap.org/wsdl/'
client = Client(url)
print client

Running it under strace with the core release version shows it's opening
/home/dave/tmp/suds/version

After installing the updates testing version it's opening
/home/dave/tmp/tmpgX_qNi/version

Advisory 10791.adv added to svn.

I'll test Mageia 2 shortly.

CC: (none) => davidwhodgins

Comment 3 Dave Hodgins 2013-07-21 03:06:22 CEST 
For Mageia 2, had to fix the shebang in the testsuds script to be
#!/usr/bin/python

Testing complete Mageia 2 i586 and x86_64.

Could someone from the sysadmin team push 10791.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs

Comment 4 Nicolas Vigier 2013-07-21 12:03:29 CEST 
http://advisories.mageia.org/MGASA-2013-0224.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:06:39 CEST

CC: boklm => (none)