| Summary: | python-logilab-common new security issues CVE-2014-1838 and CVE-2014-1839 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | makowski.mageia, shlomif, sysadmin-bugs, tmb |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/588861/ | ||
| Whiteboard: | MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK advisory | ||
| Source RPM: | python-logilab-common-0.58.3-2.mga3.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | test.py | ||
Description
David Walser
2014-02-28 17:16:13 CET
David Walser
2014-02-28 17:16:19 CET
Whiteboard: (none) => MGA4TOO, MGA3TOO

Suggested advisory:
========================

Updated python-logilab-common packages fix security vulnerabilities about temporary file handling (CVE-2014-1838 and CVE-2014-1839).

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737051
https://bugs.gentoo.org/show_bug.cgi?id=499872
https://bugzilla.redhat.com/show_bug.cgi?id=1060304
http://secunia.com/advisories/56720/
http://comments.gmane.org/gmane.comp.security.oss.general/11986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1838
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1839
========================

Updated packages in core/updates_testing:
========================
python-logilab-common-0.60.0-3.1.mga4
python3-logilab-common-0.60.0-3.1.mga4
python-logilab-common-0.58.3-2.1.mga3

Source RPMs:
python-logilab-common-0.60.0-3.1.mga4
python-logilab-common-0.58.3-2.1.mga3

Assignee: makowski.mageia => qa-bugs

Mageia4 64 simple test case:

```
$ python
Python 2.7.6 (default, Feb 16 2014, 13:45:03)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from logilab.common.shellutils import globfind
>>> files = set(globfind('/lib/python2.7/site-packages/logilab/common', '*.py'))
>>> print(files)
set(['/lib/python2.7/site-packages/logilab/common/tasksqueue.py', '/lib/python2.7/site-packages/logilab/common/ureports/html_writer.py', '/lib/python2.7/site-packages/logilab/common/shellutils.py', '/lib/python2.7/site-packages/logilab/common/xmlutils.py', '/lib/python2.7/site-packages/logilab/common/hg.py', '/lib/python2.7/site-packages/logilab/common/fileutils.py', '/lib/python2.7/site-packages/logilab/common/deprecation.py', '/lib/python2.7/site-packages/logilab/common/proc.py', '/lib/python2.7/site-packages/logilab/common/debugger.py', '/lib/python2.7/site-packages/logilab/common/__pkginfo__.py', '/lib/python2.7/site-packages/logilab/common/textutils.py', '/lib/python2.7/site-packages/logilab/common/pytest.py', '/lib/python2.7/site-packages/logilab/common/contexts.py', '/lib/python2.7/site-packages/logilab/common/cache.py', '/lib/python2.7/site-packages/logilab/common/table.py', '/lib/python2.7/site-packages/logilab/common/pyro_ext.py', '/lib/python2.7/site-packages/logilab/common/optparser.py', '/lib/python2.7/site-packages/logilab/common/decorators.py', '/lib/python2.7/site-packages/logilab/common/dbf.py', '/lib/python2.7/site-packages/logilab/common/clcommands.py', '/lib/python2.7/site-packages/logilab/common/ureports/docbook_writer.py', '/lib/python2.7/site-packages/logilab/common/ureports/nodes.py', '/lib/python2.7/site-packages/logilab/common/daemon.py', '/lib/python2.7/site-packages/logilab/common/ureports/__init__.py', '/lib/python2.7/site-packages/logilab/common/sphinx_ext.py', '/lib/python2.7/site-packages/logilab/common/compat.py', '/lib/python2.7/site-packages/logilab/common/configuration.py', '/lib/python2.7/site-packages/logilab/common/corbautils.py', '/lib/python2.7/site-packages/logilab/common/vcgutils.py', '/lib/python2.7/site-packages/logilab/common/testlib.py', '/lib/python2.7/site-packages/logilab/common/tree.py', '/lib/python2.7/site-packages/logilab/common/sphinxutils.py', '/lib/python2.7/site-packages/logilab/common/xmlrpcutils.py', '/lib/python2.7/site-packages/logilab/common/cli.py', '/lib/python2.7/site-packages/logilab/common/umessage.py', '/lib/python2.7/site-packages/logilab/common/__init__.py', '/lib/python2.7/site-packages/logilab/common/visitor.py', '/lib/python2.7/site-packages/logilab/common/date.py', '/lib/python2.7/site-packages/logilab/common/urllib2ext.py', '/lib/python2.7/site-packages/logilab/common/registry.py', '/lib/python2.7/site-packages/logilab/common/optik_ext.py', '/lib/python2.7/site-packages/logilab/common/logging_ext.py', '/lib/python2.7/site-packages/logilab/common/changelog.py', '/lib/python2.7/site-packages/logilab/common/ureports/text_writer.py', '/lib/python2.7/site-packages/logilab/common/interface.py', '/lib/python2.7/site-packages/logilab/common/graph.py', '/lib/python2.7/site-packages/logilab/common/modutils.py'])
>>> exit()
```

The same with python3:

```
$ python3
Python 3.3.2 (default, Feb 16 2014, 13:01:24)
[GCC 4.8.2] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from logilab.common.shellutils import globfind
>>> files = set(globfind('/lib/python3.3/site-packages/logilab/common', '*.py'))
>>> print(files)
{'/lib/python3.3/site-packages/logilab/common/proc.py', '/lib/python3.3/site-packages/logilab/common/testlib.py', '/lib/python3.3/site-packages/logilab/common/cli.py', '/lib/python3.3/site-packages/logilab/common/ureports/docbook_writer.py', '/lib/python3.3/site-packages/logilab/common/compat.py', '/lib/python3.3/site-packages/logilab/common/textutils.py', '/lib/python3.3/site-packages/logilab/common/fileutils.py', '/lib/python3.3/site-packages/logilab/common/ureports/nodes.py', '/lib/python3.3/site-packages/logilab/common/debugger.py', '/lib/python3.3/site-packages/logilab/common/optparser.py', '/lib/python3.3/site-packages/logilab/common/urllib2ext.py', '/lib/python3.3/site-packages/logilab/common/configuration.py', '/lib/python3.3/site-packages/logilab/common/vcgutils.py', '/lib/python3.3/site-packages/logilab/common/contexts.py', '/lib/python3.3/site-packages/logilab/common/tree.py', '/lib/python3.3/site-packages/logilab/common/umessage.py', '/lib/python3.3/site-packages/logilab/common/clcommands.py', '/lib/python3.3/site-packages/logilab/common/changelog.py', '/lib/python3.3/site-packages/logilab/common/modutils.py', '/lib/python3.3/site-packages/logilab/common/date.py', '/lib/python3.3/site-packages/logilab/common/__init__.py', '/lib/python3.3/site-packages/logilab/common/daemon.py', '/lib/python3.3/site-packages/logilab/common/xmlrpcutils.py', '/lib/python3.3/site-packages/logilab/common/graph.py', '/lib/python3.3/site-packages/logilab/common/pytest.py', '/lib/python3.3/site-packages/logilab/common/optik_ext.py', '/lib/python3.3/site-packages/logilab/common/pyro_ext.py', '/lib/python3.3/site-packages/logilab/common/deprecation.py', '/lib/python3.3/site-packages/logilab/common/decorators.py', '/lib/python3.3/site-packages/logilab/common/shellutils.py', '/lib/python3.3/site-packages/logilab/common/__pkginfo__.py', '/lib/python3.3/site-packages/logilab/common/visitor.py', '/lib/python3.3/site-packages/logilab/common/interface.py', '/lib/python3.3/site-packages/logilab/common/hg.py', '/lib/python3.3/site-packages/logilab/common/logging_ext.py', '/lib/python3.3/site-packages/logilab/common/sphinxutils.py', '/lib/python3.3/site-packages/logilab/common/dbf.py', '/lib/python3.3/site-packages/logilab/common/corbautils.py', '/lib/python3.3/site-packages/logilab/common/registry.py', '/lib/python3.3/site-packages/logilab/common/cache.py', '/lib/python3.3/site-packages/logilab/common/sphinx_ext.py', '/lib/python3.3/site-packages/logilab/common/ureports/__init__.py', '/lib/python3.3/site-packages/logilab/common/table.py', '/lib/python3.3/site-packages/logilab/common/ureports/text_writer.py', '/lib/python3.3/site-packages/logilab/common/ureports/html_writer.py', '/lib/python3.3/site-packages/logilab/common/tasksqueue.py', '/lib/python3.3/site-packages/logilab/common/xmlutils.py'}
>>> exit()
```

CC: (none) => makowski.mageia
David Walser
2014-03-01 15:27:45 CET
Version: Cauldron => 4
David Walser
2014-03-02 00:13:01 CET
URL: (none) => http://lwn.net/Vulnerabilities/588861/

Created attachment 5023
test.py
Thanks for the procedure Philippe. Confirmed mga3 64 ok.
Attaching test.py which can be used to test with.
python-logilab-common
---------------------
$ python test.py
Should list lots of *.py files
python3-logilab-common
----------------------
$ python3 test.py
Same, lists lots of *.py files
Tested OK mga4 32

Couldn't find a PoC so just checking regressions.

Looking at the rpmdiff the affected parts seem to have been removed rather than patched, is this correct Philippe?
http://mageia.madb.org/rpm/diff/application/0/name/python-logilab-common-0.60.0-3.1.mga4.noarch.rpm/source/0/release/4/arch/i586/t_media/5
claire robinson
2014-03-03 12:34:01 CET
Whiteboard: MGA3TOO MGA4-64-OK has_procedure => MGA3TOO has_procedure feedback mga4-32-ok? MGA4-64-OK

(In reply to claire robinson from comment #4)
> Tested OK mga4 32
>
> Couldn't find a PoC so just checking regressions.
>
> Looking at the rpmdiff the affected parts seem to have been removed rather
> than patched, is this correct Philippe?

Yes for CVE-2014-1838, and for CVE-2014-1839 just a little change that avoids using temp files and leads to less code.
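The thread names the class of issue (temporary-file handling) and the shape of the fix (stop using temp files) without showing code. The block below is an added illustration written for this page; it is not logilab-common code and not the Mageia patch. It contrasts a predictable temp-file name under the shared temp directory with two defensive alternatives: an atomically created, verified private temp file, and capturing a command's output through pipes so no temp file exists at all. All function names (`predictable_temp_path`, `open_private_tempfile`, `tempfile_is_private`, `roundtrip_via_private_tempfile`, `run_without_tempfiles`, `python_argv`) are assumptions made here for illustration.

```python
"""Added example for this page: not code from logilab-common or from the
Mageia update. Contrasts a guessable temp-file name (the weakness class the
advisory names) with an atomically created private temp file that is verified
before use, and with pipe-based output capture that needs no temp file.
All function names below are assumptions made for illustration."""
import os
import stat
import subprocess
import sys
import tempfile


def predictable_temp_path(tag):
    """The weak pattern: a fixed, guessable name in a directory every local
    user can write to. Because the name can be pre-created by someone else
    before this process opens it, the name alone is not safe to hand to a
    plain open(). Returned only so a reviewer can recognise the shape; it is
    never opened here."""
    return os.path.join(tempfile.gettempdir(), "%s.%d.tmp" % (tag, os.getpid()))


def open_private_tempfile(prefix="example-"):
    """mkstemp chooses a random name and opens it with O_CREAT|O_EXCL and
    mode 0600, retrying with a fresh name if anything (file or symlink)
    already exists at the chosen path. Returns (fd, path)."""
    return tempfile.mkstemp(prefix=prefix)


def tempfile_is_private(fd, path):
    """Defensive check on what we actually opened: a regular file, owned by
    the effective user, with no group/other permission bits, and the same
    inode the path currently names (so the path was not swapped for a
    symlink after creation)."""
    st_fd = os.fstat(fd)
    st_path = os.lstat(path)
    return (stat.S_ISREG(st_fd.st_mode)
            and st_fd.st_uid == os.geteuid()
            and stat.S_IMODE(st_fd.st_mode) & 0o077 == 0
            and (st_fd.st_dev, st_fd.st_ino) == (st_path.st_dev, st_path.st_ino))


def roundtrip_via_private_tempfile(data):
    """Write bytes to a verified private temp file, read them back through the
    already-open descriptor (never by re-opening the path by name), then
    remove the file. Returns (bytes_read_back, path_still_exists)."""
    fd, path = open_private_tempfile()
    try:
        if not tempfile_is_private(fd, path):
            raise RuntimeError("temporary file failed safety checks: %s" % path)
        # fdopen takes ownership of fd; the with-block closes it.
        with os.fdopen(fd, "w+b") as handle:
            handle.write(data)
            handle.flush()
            handle.seek(0)
            read_back = handle.read()
    finally:
        os.unlink(path)
    return read_back, os.path.exists(path)


def run_without_tempfiles(argv):
    """Temp-file-free capture: stdout and stderr flow through kernel pipes
    that only this process and the child can see, so there is no name in a
    shared directory to race on. Returns (stdout, stderr, returncode)."""
    proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          universal_newlines=True)
    return proc.stdout, proc.stderr, proc.returncode


def python_argv(code):
    """Command line that runs a snippet in the current interpreter, so the
    example does not depend on any external tool being installed."""
    return [sys.executable, "-c", code]


if __name__ == "__main__":
    print("weak pattern would have used:", predictable_temp_path("report"))
    print("private temp file roundtrip:", roundtrip_via_private_tempfile(b"hello\n"))
    print("pipe capture:", run_without_tempfiles(python_argv("print('ok')")))
```

The two safe variants make different trade-offs: `open_private_tempfile` is the right choice when a path must be handed to another program, and the `tempfile_is_private` check is cheap insurance against a mis-configured temp directory; `run_without_tempfiles` removes the shared-directory race entirely and is the simpler option whenever the data only needs to pass between a parent and its child.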
David Walser
2014-03-03 17:03:07 CET
Whiteboard: MGA3TOO has_procedure feedback mga4-32-ok? MGA4-64-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK

Seems to work fine in Mageia 3 i586 (32-bit) in a VM. Installed from core/release and core/updates first, ran the test suite, and then I enabled "updates_testing", upgraded and tested again.

CC: (none) => shlomif

Works fine in a Mageia 3 x86-64 VM. I think the update can be validated now.

Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK advisory

uploaded, validating

Keywords: (none) => validated_update

Update pushed: http://advisories.mageia.org/MGASA-2014-0118.html

Status: NEW => RESOLVED