Bug 10791 - python-suds new security issue CVE-2013-2217
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal  Severity: normal
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/559200/
Whiteboard: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64...
Keywords: validated_update
Reported: 2013-07-17 22:00 CEST by David Walser
Modified: 2014-05-08 18:06 CEST
Source RPM: python-suds-0.4.1-3.mga3.src.rpm

Description David Walser 2013-07-17 22:00:42 CEST
OpenSuSE has issued an advisory today (July 17):
http://lists.opensuse.org/opensuse-updates/2013-07/msg00062.html

Mageia 2 and Mageia 3 are also affected.

Comment 1 David Walser 2013-07-19 16:11:42 CEST
Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated python-suds package fixes security vulnerability:

An insecure temporary directory use flaw was found in the way python-suds
performed initialization of its internal file-based URL cache (a predictable
location was used for the directory that stores the cached files). A local
attacker could use this flaw to conduct symbolic link attacks, possibly
enabling them, for example, to modify the SOAP .wsdl metadata so as to
redirect queries to a different host than originally intended (CVE-2013-2217).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2217
http://lists.opensuse.org/opensuse-updates/2013-07/msg00062.html
========================

Updated packages in core/updates_testing:
========================
python-suds-0.4.1-2.1.mga2
python-suds-0.4.1-3.1.mga3

from SRPMS:
python-suds-0.4.1-2.1.mga2.src.rpm
python-suds-0.4.1-3.1.mga3.src.rpm
Comment 2 Dave Hodgins 2013-07-21 02:54:47 CEST
Testing complete on Mageia 3 i586 and x86_64 using ...
$ cat testsuds
#!/bin/python
# Fetch a WSDL and build a client; this exercises suds' file-based URL cache
from suds.client import Client
url = 'http://schemas.xmlsoap.org/wsdl/'
client = Client(url)
print client   # Python 2 print statement (suds 0.4.1 is Python 2 code)

Running it under strace with the core release version shows it's opening
/home/dave/tmp/suds/version

After installing the updates testing version it's opening
/home/dave/tmp/tmpgX_qNi/version

Advisory 10791.adv added to svn.

I'll test Mageia 2 shortly.
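Added example (not part of this bug report, nor code from the python-suds project): it contrasts the predictable cache-directory pattern the advisory in comment 1 describes with a mkdtemp-based replacement of the kind reflected by the strace paths in comment 2, and adds a check a packager or tester can run instead of reading strace output. Assumed, not taken from the page: a cache directory named "suds" directly under the temp root, POSIX ownership/permission semantics, and invented helper names; the real suds 0.4.1 code is not quoted here. Python 3.

```python
"""Predictable temp directory vs. mkdtemp: the shape of CVE-2013-2217.

Added illustration, not python-suds code. Assumes POSIX (uid, lstat modes).
"""
import os
import stat
import tempfile


def predictable_cache_dir(tmp_root=None):
    """Weak pattern (assumed shape of the flaw): fixed, guessable path.

    Any local user who can write to tmp_root may pre-create this name, or a
    symlink at it, before the victim process runs. isdir() follows symlinks,
    so a planted link is silently accepted as 'our' cache directory.
    """
    tmp_root = tmp_root or tempfile.gettempdir()
    path = os.path.join(tmp_root, "suds")
    if not os.path.isdir(path):
        os.makedirs(path)
    return path


def private_cache_dir(tmp_root=None):
    """Hardened pattern: a fresh, unpredictably named, mode-0700 directory.

    mkdtemp() creates the directory atomically and never reuses an existing
    path, so a pre-planted symlink at a guessed name is simply not followed.
    The result looks like <tmp_root>/tmpXXXXXX, as in comment 2's strace.
    """
    return tempfile.mkdtemp(prefix="tmp", dir=tmp_root)


def cache_dir_is_safe(path, expected_uid=None):
    """Defensive check: real directory, not a symlink, owned by us, and not
    writable by group or others. Uses lstat so a symlink is not followed."""
    if os.path.islink(path):
        return False
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if expected_uid is None:
        expected_uid = os.getuid()
    if st.st_uid != expected_uid:
        return False
    return (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)) == 0


def demo():
    """Constructed scenario: a symlink already sits at the predictable name.

    Returns a dict showing that the weak directory fails the check and that a
    write of the 'version' file through it lands somewhere else, while the
    mkdtemp directory passes and stays under the intended root.
    """
    root = tempfile.mkdtemp(prefix="scratch-")      # private stand-in for /tmp
    elsewhere = tempfile.mkdtemp(prefix="elsewhere-")
    os.symlink(elsewhere, os.path.join(root, "suds"))  # pre-planted link

    weak = predictable_cache_dir(root)   # accepts the link without noticing
    strong = private_cache_dir(root)     # fresh directory, link irrelevant

    with open(os.path.join(weak, "version"), "w") as fh:
        fh.write("0.4.1\n")              # ends up inside `elsewhere`

    return {
        "weak_safe": cache_dir_is_safe(weak),
        "strong_safe": cache_dir_is_safe(strong),
        "write_redirected": os.path.exists(os.path.join(elsewhere, "version")),
        "strong_under_root": os.path.dirname(strong) == root,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check deliberately uses lstat() and islink() rather than stat(): a symlink resolves to a perfectly ordinary directory when followed, which is exactly why the predictable path looks fine to code that only asks "does a directory exist here?".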
Comment 3 Dave Hodgins 2013-07-21 03:06:22 CEST
For Mageia 2, had to fix the shebang in the testsuds script to be
#!/usr/bin/python

Testing complete Mageia 2 i586 and x86_64.

Could someone from the sysadmin team push 10791.adv to updates?
Comment 4 Nicolas Vigier 2013-07-21 12:03:29 CEST
http://advisories.mageia.org/MGASA-2013-0224.html
