Bug 10791 - python-suds new security issue CVE-2013-2217
Summary: python-suds new security issue CVE-2013-2217
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/559200/
Whiteboard: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-07-17 22:00 CEST by David Walser
Modified: 2014-05-08 18:06 CEST (History)
3 users

See Also:
Source RPM: python-suds-0.4.1-3.mga3.src.rpm
CVE:
Status comment:


Description David Walser 2013-07-17 22:00:42 CEST
OpenSuSE has issued an advisory today (July 17):
http://lists.opensuse.org/opensuse-updates/2013-07/msg00062.html

Mageia 2 and Mageia 3 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2013-07-17 22:00:58 CEST

CC: (none) => makowski.mageia
Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 David Walser 2013-07-19 16:11:42 CEST
Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated python-suds package fixes security vulnerability:

An insecure temporary directory use flaw was found in the way python-suds
performed initialization of its internal file-based URL cache (a predictable
location was used for the directory to store the cached files). A local attacker
could use this flaw to conduct symbolic link attacks, possibly leading to
their ability to modify, for example, the SOAP .wsdl metadata to redirect queries
to a different host than originally intended (CVE-2013-2217).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2217
http://lists.opensuse.org/opensuse-updates/2013-07/msg00062.html
========================

Updated packages in core/updates_testing:
========================
python-suds-0.4.1-2.1.mga2
python-suds-0.4.1-3.1.mga3

from SRPMS:
python-suds-0.4.1-2.1.mga2.src.rpm
python-suds-0.4.1-3.1.mga3.src.rpm

CC: (none) => boklm
Version: Cauldron => 3
Assignee: boklm => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
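The flaw described in the advisory above is a predictable cache path under the shared temp directory, and the fix is an unpredictable private directory. The following is an added example (not suds' own code, nor from this bug report) that contrasts the two patterns and adds a defensive check a packager or tester could run: it refuses a cache directory that is a symlink, owned by another user, or group/world writable. The function names, the "suds" directory name and the scratch scenario are constructed for illustration; it targets Python 3 on a POSIX system.

```python
import os
import shutil
import stat
import tempfile


def predictable_cache_dir():
    """Weak pattern (for contrast only): a fixed, guessable name under the
    shared temp dir. Any local user able to write there can pre-create this
    path, which is the class of flaw CVE-2013-2217 describes."""
    return os.path.join(tempfile.gettempdir(), "suds")


def private_cache_dir(prefix="suds-"):
    """Fixed pattern: a fresh, random, mode-0700 directory created atomically,
    so it cannot have been planted in advance by another user."""
    return tempfile.mkdtemp(prefix=prefix)


def cache_dir_is_safe(path):
    """True only if `path` is a real directory owned by the current user with
    no group/other write bit. A symlink or a foreign-owned directory fails."""
    try:
        st = os.lstat(path)  # lstat: never follow a planted symlink
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.getuid():
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def demo():
    """Constructed scenario in a private scratch area standing in for TMPDIR.
    Returns (check result for the predictable path, result for the fixed path)."""
    scratch = tempfile.mkdtemp(prefix="scratch-")
    saved = tempfile.tempdir
    tempfile.tempdir = scratch  # documented knob: redirects gettempdir()
    try:
        # A symlink already sitting at the predictable name must be rejected.
        os.symlink(os.path.join(scratch, "elsewhere"), predictable_cache_dir())
        predictable_ok = cache_dir_is_safe(predictable_cache_dir())
        # mkdtemp's directory is ours, 0700 and freshly created: accepted.
        fixed_ok = cache_dir_is_safe(private_cache_dir())
    finally:
        tempfile.tempdir = saved
        shutil.rmtree(scratch, ignore_errors=True)
    return predictable_ok, fixed_ok
```

The same check can be pointed at the path strace reports (as in the test comment below the advisory) to confirm the installed package no longer uses a shared, guessable location.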

Comment 2 Dave Hodgins 2013-07-21 02:54:47 CEST
Testing complete on Mageia 3 i586 and x86_64 using ...
$ cat testsuds
#!/bin/python
from suds.client import Client
url = 'http://schemas.xmlsoap.org/wsdl/'
# Creating the client fetches the WSDL and initializes suds' file-based cache
client = Client(url)
print client

Running it under strace with the core release version shows it's opening
/home/dave/tmp/suds/version

After installing the updates testing version it's opening
/home/dave/tmp/tmpgX_qNi/version

Advisory 10791.adv added to svn.

I'll test Mageia 2 shortly.

CC: (none) => davidwhodgins

Comment 3 Dave Hodgins 2013-07-21 03:06:22 CEST
For Mageia 2, had to fix the shebang in the testsuds script to be
#!/usr/bin/python

Testing complete on Mageia 2 i586 and x86_64.

Could someone from the sysadmin team push 10791.adv to updates?

Keywords: (none) => validated_update
Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs

Comment 4 Nicolas Vigier 2013-07-21 12:03:29 CEST
http://advisories.mageia.org/MGASA-2013-0224.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:06:39 CEST

CC: boklm => (none)

