Bug 14873

Summary: python-pyxdg new security issue CVE-2014-1624
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Philippe Makowski <makowski.mageia>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal    
Priority: Normal    
Version: Cauldron   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/627324/
Whiteboard:
Source RPM: python-pyxdg-0.25-7.mga5.src.rpm CVE:
Status comment:

Description David Walser 2014-12-22 20:38:22 CET
Fedora has issued an advisory on December 5:
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146459.html

This sounds like a /tmp symlink attack issue, which wouldn't be exploitable as of Mageia 4 due to the protected_symlinks feature in the kernel.  If that's all it is, we don't need to issue an update for Mageia 4, but we should still patch it in Cauldron as it's still a bug.

Comment 1 Philippe Makowski 2014-12-24 15:27:00 CET
(In reply to David Walser from comment #0)

> This sounds like a /tmp symlink attack issue, which wouldn't be exploitable as
> of Mageia 4 due to the protected_symlinks feature in the kernel.  If that's
> all it is, we don't need to issue an update for Mageia 4

It is the case, so I will patch only the Cauldron package.
Comment 2 Philippe Makowski 2014-12-25 16:42:08 CET
done python-pyxdg-0.25-8.mga5

Status: NEW => RESOLVED
Resolution: (none) => FIXED