Bug 11169

Summary: python-setuptools new security issue CVE-2013-1633
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, makowski.mageia, sysadmin-bugs
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/565814/
Whiteboard: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
Source RPM: python-setuptools-0.6.28-6.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-09-05 18:53:17 CEST 
Fedora has issued an advisory on August 16:
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115118.html

The update is for python-virtualenv, but the advisory says that it bundles python-setuptools, which actually contains the flaw.  The RedHat bug says python-setuptools before 0.7 is affected, which would mean that Cauldron is OK, but Mageia 2 and Mageia 3 are affected.  I don't know if our python-virtualenv bundles it too.  python-distribute may be affected as well.

https://bugzilla.redhat.com/show_bug.cgi?id=994182

Reproducible: 

Steps to Reproduce:
David Walser 2013-09-05 18:53:23 CEST

Whiteboard: (none) => MGA2TOO

Comment 1 Philippe Makowski 2013-09-05 20:09:47 CEST 
So :
For python-virtualenv :
update mga2 and mga3 to python-virtualenv-1.10.1 , bump mga4 release

For python-setuptools :
update mga2 and mga3 to python-setuptools 0.9.5 should be safe

Agree ?
Comment 2 David Walser 2013-09-05 20:34:14 CEST 
Any reason for 0.9.5 as opposed to 0.9.8?
Comment 3 David Walser 2013-09-05 20:35:05 CEST 
Also, what to do about python-distribute?  Will the updated setuptools obsolete it?
Comment 4 Philippe Makowski 2013-09-05 20:44:35 CEST 
python-distribute and python-setuptools are the same package
Comment 5 David Walser 2013-09-05 20:51:46 CEST 
(In reply to Philippe Makowski from comment #4)
> python-distribute and python-setuptools are the same package

Not on Mageia 3.
Comment 6 Philippe Makowski 2013-09-05 21:56:38 CEST 
that's a non sense python-distribute and python-setuptools are the same code
python-distribute should be removed
Comment 7 David Walser 2013-09-05 22:00:41 CEST 
Packages can't be removed from a stable release, but you could make the python-setuptools update provide/obsolete python-distribute, so that if any users have it installed, it'll get replaced automatically with the update.
Comment 8 Philippe Makowski 2013-09-06 19:20:00 CEST 
(In reply to David Walser from comment #2)
> Any reason for 0.9.5 as opposed to 0.9.8?

could be 0.9.8 yes, it is just that 0.9.5 was in cauldron for some times, without trouble but 0.9.8 wasn't
Comment 9 Philippe Makowski 2013-09-06 23:25:50 CEST 
python3-setuptools-0.9.8-1.1.mga2.noarch 
python3-pkg-resources-0.9.8-1.1.mga2.noarch
python-pkg-resources-0.9.8-1.1.mga2.noarch
python-setuptools-0.9.8-1.1.mga2.noarch 
python-setuptools-0.9.8-1.1.mga2.src

python3-setuptools-0.9.8-2.1.mga3.noarch 
python3-pkg-resources-0.9.8-2.1.mga3.noarch
python-setuptools-0.9.8-2.1.mga3.noarch 
python-pkg-resources-0.9.8-2.1.mga3.noarch
python-setuptools-0.9.8-2.1.mga3.src

python-virtualenv-1.10.1-0.1.mga2.noarch
python-virtualenv-1.10.1-0.1.mga2.src 

python-virtualenv-1.10.1-1.1.mga3.noarch
python-virtualenv-1.10.1-1.1.mga3.src 

are uploaded

python-setuptools update provide/obsolete python-distribute
Comment 10 David Walser 2013-09-07 00:06:06 CEST 
Thanks Philippe!

Advisory:
========================

Updated python-setuptools and python-virtualenv packages fix security
vulnerabilities:

easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the
PyPI repository, and does not perform integrity checks on package contents,
which allows man-in-the-middle attackers to execute arbitrary code via a
crafted response to the default use of the product (CVE-2013-1633).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1633
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115118.html
========================

Updated packages in core/updates_testing:
========================
python3-setuptools-0.9.8-1.1.mga2
python3-pkg-resources-0.9.8-1.1.mga2
python-pkg-resources-0.9.8-1.1.mga2
python-setuptools-0.9.8-1.1.mga2
python-virtualenv-1.10.1-0.1.mga2
python3-setuptools-0.9.8-2.1.mga3
python3-pkg-resources-0.9.8-2.1.mga3
python-setuptools-0.9.8-2.1.mga3
python-pkg-resources-0.9.8-2.1.mga3
python-virtualenv-1.10.1-1.1.mga3

from SRPMS:
python-setuptools-0.9.8-1.1.mga2.src.rpm
python-virtualenv-1.10.1-0.1.mga2.src.rpm
python-setuptools-0.9.8-2.1.mga3.src.rpm
python-virtualenv-1.10.1-1.1.mga3.src.rpm

CC: (none) => makowski.mageia
Assignee: makowski.mageia => qa-bugs

Comment 11 Dave Hodgins 2013-09-07 23:32:00 CEST 
Advisory 11169.adv committed to svn.

CC: (none) => davidwhodgins

Comment 12 Dave Hodgins 2013-09-11 00:49:09 CEST 
For testing, using easy_install --dry-run test. Also easy-install-2.7 and
easy-install-3.2.
Confirmed that before installing the update all three were reading from
Reading http://pypi.python.org/simple/test/
After installing the update, all three are reading from
Reading https://pypi.python.org/simple/test/

Testing complete Mageia 2 and 3, one arch on each since it's a noarch package.

Someone from the sysadmin team please push 11169.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs

Comment 13 Nicolas Vigier 2013-09-13 22:20:59 CEST 
http://advisories.mageia.org/MGASA-2013-0274.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:05:54 CEST

CC: boklm => (none)