Bug 6510

Summary: python-feedparser new security issue CVE-2012-2921
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: alien, davidwhodgins, makowski.mageia, shikamaru, stormi-mageia, sysadmin-bugs, tmb, tolhildan_123, wassi
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/498401/
Whiteboard: MGA1TOO, mga1-32-OK, mga2-32-OK, mga1-64-OK, mga2-64-OK
Source RPM: python-feedparser-5.0.1-2.mga2 CVE:
Status comment:
Attachments: ~/.canto/conf.py

Description David Walser 2012-06-19 14:13:19 CEST 
Ubuntu has issued an advisory on May 22:
http://www.ubuntu.com/usn/usn-1449-1/

Fedora has also issued an advisory on May 24:
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081655.html

More info is available here:
http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2921.html

The issue is fixed upstream in 5.1.2.
David Walser 2012-06-19 14:13:51 CEST

CC: (none) => shikamaru
Whiteboard: (none) => MGA2TOO, MGA1TOO

David Walser 2012-06-19 14:14:02 CEST

CC: (none) => makowski.mageia

David Walser 2012-06-19 14:14:11 CEST

CC: (none) => johnny

Comment 1 Philippe Makowski 2012-06-21 18:50:09 CEST 
5.1.2 is in 1 and 2 updates/testing
Comment 2 David Walser 2012-06-21 19:54:39 CEST 
Thanks Philippe.

Advisory:
========================

Updated python-feedparser package fixes security vulnerability:

Universal Feed Parser (aka feedparser or python-feedparser) before
5.1.2 allows remote attackers to cause a denial of service (memory
consumption) via a crafted XML ENTITY declaration in a non-ASCII
encoded document (CVE-2012-2921).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2921
http://www.ubuntu.com/usn/usn-1449-1/
========================

Updated packages in core/updates_testing:
========================
python-feedparser-5.1.2-1.mga1
python-feedparser-5.1.2-1.mga2

from SRPMS:
python-feedparser-5.1.2-1.mga1.src.rpm
python-feedparser-5.1.2-1.mga2.src.rpm

Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

Comment 3 user7 2012-06-23 17:05:58 CEST 
Testing on MGA2, i 586.

CC: (none) => wassi

Comment 4 user7 2012-06-23 17:24:37 CEST 
Testing complete on MGA2, i586. I parsed several RSS (0.91, 1.0, 2.0) and Atom Feeds and encountered no problem whatsoever.

Whiteboard: MGA1TOO => MGA1TOO, MGA2-32-OK

Comment 5 claire robinson 2012-06-24 13:16:38 CEST 
Testing complete x86_64 Mageia 2

Used canto cli feed reader with the attached conf.py

Hardware: i586 => All
Whiteboard: MGA1TOO, MGA2-32-OK => MGA1TOO, MGA2-32-OK mga2-64-OK

Comment 6 claire robinson 2012-06-24 13:19:14 CEST 
Created attachment 2489 [details]
~/.canto/conf.py

These are some random feeds in Atom 1.0, RSS 0.91, RSS 0.92, RSS 1.0 & RSS 2.0
Comment 7 claire robinson 2012-06-24 13:57:15 CEST 
Testing complete x86_64 Mageia 1

Used python command line

$ python
Python 2.7.1 (r271:86832, Sep  5 2011, 14:50:51) 
[GCC 4.5.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import feedparser
>>> d = feedparser.parse('http://danja.typepad.com/fecho/atom.xml')
>>> d = feedparser.parse('http://www.financeinfoline.com/financeinfoline.rss')
>>> d = feedparser.parse('http://www.tapsns.com/blog/index.php/feed/rss/')
>>> d = feedparser.parse('http://www.blogit.com/Blogs/BlogRss.aspx/poetjpb6765')
>>> d = feedparser.parse('http://www.list.co.uk/articles/a-band-called-quinn/articles.xml')

These are the url's from the canto conf. Canto is not packages in Mageia 1

Testing each with d.feed.title, d.feed.link, d.feed.description to check they were read properly.

>>> quit()

to exit.

Whiteboard: MGA1TOO, MGA2-32-OK mga2-64-OK => MGA1TOO, MGA2-32-OK mga2-64-OK mga1-64-OK

Comment 8 Tolhildan Karker 2012-06-25 18:43:15 CEST 
Mageia 2 with update-testing enabled I have regression issue. The permission of the file top_level.txt is wrong. 

rw------- 1 root root 11 jun 21 18:46 /usr/lib/python2.7/site-packages/feedparser-5.1.2-py2.7.egg-info/top_level.txt

CC: (none) => tolhildan_123

Comment 9 claire robinson 2012-06-26 12:36:22 CEST 
All files in that directory are the same, is that a bug?

On Mageia 1 /usr/lib/python2.7/site-packages/feedparser-5.1.2-py2.7.egg-info is a file and not a directory.

Mageia 2..

# ll /usr/lib/python2.7/site-packages/feedparser-5.1.2-py2.7.egg-info/
total 156
-rw------- 1 root root      1 Jun 21 17:46 dependency_links.txt
-rw------- 1 root root   1222 Jun 21 17:46 PKG-INFO
-rw------- 1 root root 141396 Jun 21 17:46 SOURCES.txt
-rw------- 1 root root     11 Jun 21 17:46 top_level.txt
Comment 10 claire robinson 2012-06-26 12:43:52 CEST 
Checked Mageia 1 again with update candidate and it seems it too is the same.

In release versions this is not a directory, it is a file. Update candidates install the above directory structure in place of the file

Mageia 1

# ll /usr/lib/python2.7/site-packages/feedparser-5.1.2-py2.7.egg-info/
total 152
-rw------- 1 root root      1 Jun 21 17:49 dependency_links.txt
-rw------- 1 root root   1222 Jun 21 17:49 PKG-INFO
-rw------- 1 root root 141396 Jun 21 17:49 SOURCES.txt
-rw------- 1 root root     11 Jun 21 17:49 top_level.txt

Mageia 2 in comment 9
Comment 11 David Walser 2012-06-26 13:49:18 CEST 
IIRC, replacing a directory with a file (or maybe the other way around) is dangerous and needs special handling in the SPEC or cpio will choke when upgrading the package.  I guess we need to make sure upgrading from the old version works OK.
Johnny A. Solbu 2012-06-26 13:49:53 CEST

CC: johnny => (none)

Comment 12 Philippe Makowski 2012-06-27 18:42:50 CEST 
I will take care of the permission problem.
Seems that someone disabled the correction I made in the past :(
Comment 13 Philippe Makowski 2012-06-27 19:03:32 CEST 
new version of 5.1.2 is in 1 and 2 updates/testing
Comment 14 Dave Hodgins 2012-07-04 03:06:29 CEST 
Testing complete on Mageia 1 i586 with the 5.1.2.2 version.

Removing the ok whiteboard comments as retesting is needed with the
new version.

For testing, I used rss2email.

I'll test Mageia 2 i586 shortly.

CC: (none) => davidwhodgins
Whiteboard: MGA1TOO, MGA2-32-OK mga2-64-OK mga1-64-OK => MGA1TOO, mga1-32-OK

Comment 15 Dave Hodgins 2012-07-04 03:20:23 CEST 
Testing complete on Mageia 2 i586, again using rss2email.

Whiteboard: MGA1TOO, mga1-32-OK => MGA1TOO, mga1-32-OK, mga2-32-OK

Comment 16 Samuel Verschelde 2012-07-08 15:26:36 CEST 
Testing complete on Mageia 1 x86_64 using procedure from comment #7

CC: (none) => stormi
Whiteboard: MGA1TOO, mga1-32-OK, mga2-32-OK => MGA1TOO, mga1-32-OK, mga2-32-OK, mga1-64-OK

Comment 17 AL13N 2012-07-09 22:25:42 CEST 
Testing complet on, Mageia 2 x86_64 using procedure from comment #7

i did notice that the last link didn't have a description. donno if that's normal.

the rest was ok.

CC: (none) => alien

Comment 18 Samuel Verschelde 2012-07-09 22:54:22 CEST 
(In reply to comment #17)
> i did notice that the last link didn't have a description. donno if that's
> normal.

at least it's not a regression, I get the same with the previous version, so I guess that comes from the feed. Thanks for testing.

Update validated.

See comment #2 for advisory and package list.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO, mga1-32-OK, mga2-32-OK, mga1-64-OK => MGA1TOO, mga1-32-OK, mga2-32-OK, mga1-64-OK, mga2-64-OK

Comment 19 Thomas Backlund 2012-07-10 14:06:01 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0157

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED