Bug 11169 - python-setuptools new security issue CVE-2013-1633
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: major
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/565814/
Whiteboard: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-6...
Keywords: validated_update

Reported: 2013-09-05 18:53 CEST by David Walser
Modified: 2014-05-08 18:05 CEST

Source RPM: python-setuptools-0.6.28-6.mga3.src.rpm

Description David Walser 2013-09-05 18:53:17 CEST
Fedora has issued an advisory on August 16:
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115118.html

The update is for python-virtualenv, but the advisory says that it bundles python-setuptools, which actually contains the flaw.  The RedHat bug says python-setuptools before 0.7 is affected, which would mean that Cauldron is OK, but Mageia 2 and Mageia 3 are affected.  I don't know if our python-virtualenv bundles it too.  python-distribute may be affected as well.

https://bugzilla.redhat.com/show_bug.cgi?id=994182

Comment 1 Philippe Makowski 2013-09-05 20:09:47 CEST
So:
For python-virtualenv:
update mga2 and mga3 to python-virtualenv-1.10.1, bump mga4 release

For python-setuptools:
updating mga2 and mga3 to python-setuptools 0.9.5 should be safe

Agree?
Comment 2 David Walser 2013-09-05 20:34:14 CEST
Any reason for 0.9.5 as opposed to 0.9.8?
Comment 3 David Walser 2013-09-05 20:35:05 CEST
Also, what to do about python-distribute?  Will the updated setuptools obsolete it?
Comment 4 Philippe Makowski 2013-09-05 20:44:35 CEST
python-distribute and python-setuptools are the same package
Comment 5 David Walser 2013-09-05 20:51:46 CEST
(In reply to Philippe Makowski from comment #4)
> python-distribute and python-setuptools are the same package

Not on Mageia 3.
Comment 6 Philippe Makowski 2013-09-05 21:56:38 CEST
That's nonsense; python-distribute and python-setuptools are the same code.
python-distribute should be removed
Comment 7 David Walser 2013-09-05 22:00:41 CEST
Packages can't be removed from a stable release, but you could make the python-setuptools update provide/obsolete python-distribute, so that if any users have it installed, it'll get replaced automatically with the update.
Comment 8 Philippe Makowski 2013-09-06 19:20:00 CEST
(In reply to David Walser from comment #2)
> Any reason for 0.9.5 as opposed to 0.9.8?

Could be 0.9.8, yes; it is just that 0.9.5 was in Cauldron for some time without trouble, but 0.9.8 wasn't.
Comment 9 Philippe Makowski 2013-09-06 23:25:50 CEST
python3-setuptools-0.9.8-1.1.mga2.noarch 
python3-pkg-resources-0.9.8-1.1.mga2.noarch
python-pkg-resources-0.9.8-1.1.mga2.noarch
python-setuptools-0.9.8-1.1.mga2.noarch 
python-setuptools-0.9.8-1.1.mga2.src

python3-setuptools-0.9.8-2.1.mga3.noarch 
python3-pkg-resources-0.9.8-2.1.mga3.noarch
python-setuptools-0.9.8-2.1.mga3.noarch 
python-pkg-resources-0.9.8-2.1.mga3.noarch
python-setuptools-0.9.8-2.1.mga3.src

python-virtualenv-1.10.1-0.1.mga2.noarch
python-virtualenv-1.10.1-0.1.mga2.src 

python-virtualenv-1.10.1-1.1.mga3.noarch
python-virtualenv-1.10.1-1.1.mga3.src 

are uploaded

The python-setuptools update provides/obsoletes python-distribute.
Comment 10 David Walser 2013-09-07 00:06:06 CEST
Thanks Philippe!

Advisory:
========================

Updated python-setuptools and python-virtualenv packages fix security
vulnerabilities:

easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the
PyPI repository, and does not perform integrity checks on package contents,
which allows man-in-the-middle attackers to execute arbitrary code via a
crafted response to the default use of the product (CVE-2013-1633).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1633
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115118.html
========================

Updated packages in core/updates_testing:
========================
python3-setuptools-0.9.8-1.1.mga2
python3-pkg-resources-0.9.8-1.1.mga2
python-pkg-resources-0.9.8-1.1.mga2
python-setuptools-0.9.8-1.1.mga2
python-virtualenv-1.10.1-0.1.mga2
python3-setuptools-0.9.8-2.1.mga3
python3-pkg-resources-0.9.8-2.1.mga3
python-setuptools-0.9.8-2.1.mga3
python-pkg-resources-0.9.8-2.1.mga3
python-virtualenv-1.10.1-1.1.mga3

from SRPMS:
python-setuptools-0.9.8-1.1.mga2.src.rpm
python-virtualenv-1.10.1-0.1.mga2.src.rpm
python-setuptools-0.9.8-2.1.mga3.src.rpm
python-virtualenv-1.10.1-1.1.mga3.src.rpm
Comment 11 Dave Hodgins 2013-09-07 23:32:00 CEST
Advisory 11169.adv committed to svn.
Comment 12 Dave Hodgins 2013-09-11 00:49:09 CEST
For testing, using easy_install --dry-run test. Also easy-install-2.7 and
easy-install-3.2.
Confirmed that before installing the update all three were reading from
Reading http://pypi.python.org/simple/test/
After installing the update, all three are reading from
Reading https://pypi.python.org/simple/test/

Testing complete on Mageia 2 and 3, one arch on each since it's a noarch package.

Someone from the sysadmin team please push 11169.adv to updates.
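The two checks above (is the installed setuptools in the "before 0.7" range the advisory names, and does easy_install still read the index over plain http://) can be scripted so they are repeatable across mga2/mga3 and both Python stacks. The following is an added example, not code from the bug, from Mageia or from the setuptools project. It takes the package name as `rpm -q python-setuptools` prints it (the names used below are the ones listed in this bug), and it assumes, beyond the "Reading http://..." lines quoted in comment 12, that every fetch line easy_install prints has the shape "Verb URL"; the transcripts embedded in it are constructed, not real captures.

```python
import re
from urllib.parse import urlsplit

# Vulnerable range from the advisory: easy_install in setuptools before 0.7.
FIXED_IN = (0, 7)

# Upstream version of a setuptools/distribute RPM name, e.g.
# "python-setuptools-0.6.28-6.mga3.noarch" -> "0.6.28".  Only the leading
# dotted-numeric part is taken, so a tag such as "c11" in "0.6c11" is
# ignored; that is fine for a "before 0.7" test.  (Mageia 3 also shipped
# python-distribute, the same code under another name, hence the alternation.)
_RPM_VERSION = re.compile(r"^python3?-(?:setuptools|distribute)-(\d+(?:\.\d+)*)")


def version_tuple(version):
    """'0.6.28' -> (0, 6, 28); tuples compare component by component."""
    return tuple(int(part) for part in version.split("."))


def affected_by_cve_2013_1633(rpm_name):
    """True if the named setuptools/distribute RPM ships easy_install < 0.7.

    Raises ValueError for a name that is not a setuptools/distribute RPM so a
    typo in the queried package does not silently read as "fixed".
    """
    m = _RPM_VERSION.match(rpm_name)
    if not m:
        raise ValueError("not a setuptools/distribute package: %r" % rpm_name)
    return version_tuple(m.group(1)) < FIXED_IN


# Assumption: each index page or archive easy_install touches is logged as
# "<Verb> <url>" ("Reading http://...").  Any http:// URL means the index or
# the package itself crossed the network without TLS, which is exactly the
# man-in-the-middle exposure of CVE-2013-1633.
_FETCH_LINE = re.compile(r"^[A-Z][a-z]+ (https?://\S+)")


def plaintext_fetches(dry_run_output):
    """Return the http:// URLs an `easy_install --dry-run` run read from."""
    urls = []
    for line in dry_run_output.splitlines():
        m = _FETCH_LINE.match(line.strip())
        if m and urlsplit(m.group(1)).scheme == "http":
            urls.append(m.group(1))
    return urls


# Constructed transcripts modelled on the QA comment above (not real captures).
BEFORE_UPDATE = """\
Searching for test
Reading http://pypi.python.org/simple/test/
Best match: test 0.0
"""

AFTER_UPDATE = """\
Searching for test
Reading https://pypi.python.org/simple/test/
Best match: test 0.0
"""

if __name__ == "__main__":
    for pkg in ("python-setuptools-0.6.28-6.mga3",
                "python-setuptools-0.9.8-1.1.mga2.noarch",
                "python-setuptools-0.9.8-2.1.mga3.noarch"):
        state = "AFFECTED" if affected_by_cve_2013_1633(pkg) else "fixed"
        print("%-45s %s" % (pkg, state))
    print("plaintext fetches before update:", plaintext_fetches(BEFORE_UPDATE))
    print("plaintext fetches after update: ", plaintext_fetches(AFTER_UPDATE))
```

A plaintext fetch list that is empty after the update, for easy_install, easy_install-2.7 and easy_install-3.2 alike, is the same pass condition comment 12 records by eye; a non-empty list on a supposedly fixed system usually means a stale easy_install on PATH from another prefix, so the version check should be run against the interpreter that script actually uses.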
Comment 13 Nicolas Vigier 2013-09-13 22:20:59 CEST
http://advisories.mageia.org/MGASA-2013-0274.html
