Bug 12905 - python-logilab-common new security issues CVE-2014-1838 and CVE-2014-1839
: python-logilab-common new security issues CVE-2014-1838 and CVE-2014-1839
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 4
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/588861/
: MGA3TOO has_procedure MGA4-32-OK MGA4...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2014-02-28 17:16 CET by David Walser
Modified: 2014-03-03 22:41 CET (History)
4 users (show)

See Also:
Source RPM: python-logilab-common-0.58.3-2.mga3.src.rpm
CVE:
Status comment:


Attachments
test.py (123 bytes, text/x-python)
2014-03-03 12:15 CET, claire robinson
Details

Description David Walser 2014-02-28 17:16:13 CET
OpenSuSE has issued an advisory today (February 28):
http://lists.opensuse.org/opensuse-updates/2014-02/msg00085.html

Reproducible: 

Steps to Reproduce:
Comment 1 Philippe Makowski 2014-03-01 12:45:37 CET
Suggested advisory:
========================

Updated python-logilab-common packages fix security vulnerabilities about temporary file handling (CVE-2014-1838 and CVE-2014-1839).


References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737051
https://bugs.gentoo.org/show_bug.cgi?id=499872
https://bugzilla.redhat.com/show_bug.cgi?id=1060304
http://secunia.com/advisories/56720/
http://comments.gmane.org/gmane.comp.security.oss.general/11986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1838
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1839

========================

Updated packages in core/updates_testing:
========================
python-logilab-common-0.60.0-3.1.mga4
python3-logilab-common-0.60.0-3.1.mga4
python-logilab-common-0.58.3-2.1.mga3

Source RPMs: 
python-logilab-common-0.60.0-3.1.mga4
python-logilab-common-0.58.3-2.1.mga3
Comment 2 Philippe Makowski 2014-03-01 14:47:00 CET
Mageia4 64

simple test case :

$python
Python 2.7.6 (default, Feb 16 2014, 13:45:03) 
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from logilab.common.shellutils import globfind
>>> files = set(globfind('/lib/python2.7/site-packages/logilab/common', '*.py'))
>>> print(files)
set(['/lib/python2.7/site-packages/logilab/common/tasksqueue.py', '/lib/python2.7/site-packages/logilab/common/ureports/html_writer.py', '/lib/python2.7/site-packages/logilab/common/shellutils.py', '/lib/python2.7/site-packages/logilab/common/xmlutils.py', '/lib/python2.7/site-packages/logilab/common/hg.py', '/lib/python2.7/site-packages/logilab/common/fileutils.py', '/lib/python2.7/site-packages/logilab/common/deprecation.py', '/lib/python2.7/site-packages/logilab/common/proc.py', '/lib/python2.7/site-packages/logilab/common/debugger.py', '/lib/python2.7/site-packages/logilab/common/__pkginfo__.py', '/lib/python2.7/site-packages/logilab/common/textutils.py', '/lib/python2.7/site-packages/logilab/common/pytest.py', '/lib/python2.7/site-packages/logilab/common/contexts.py', '/lib/python2.7/site-packages/logilab/common/cache.py', '/lib/python2.7/site-packages/logilab/common/table.py', '/lib/python2.7/site-packages/logilab/common/pyro_ext.py', '/lib/python2.7/site-packages/logilab/common/optparser.py', '/lib/python2.7/site-packages/logilab/common/decorators.py', '/lib/python2.7/site-packages/logilab/common/dbf.py', '/lib/python2.7/site-packages/logilab/common/clcommands.py', '/lib/python2.7/site-packages/logilab/common/ureports/docbook_writer.py', '/lib/python2.7/site-packages/logilab/common/ureports/nodes.py', '/lib/python2.7/site-packages/logilab/common/daemon.py', '/lib/python2.7/site-packages/logilab/common/ureports/__init__.py', '/lib/python2.7/site-packages/logilab/common/sphinx_ext.py', '/lib/python2.7/site-packages/logilab/common/compat.py', '/lib/python2.7/site-packages/logilab/common/configuration.py', '/lib/python2.7/site-packages/logilab/common/corbautils.py', '/lib/python2.7/site-packages/logilab/common/vcgutils.py', '/lib/python2.7/site-packages/logilab/common/testlib.py', '/lib/python2.7/site-packages/logilab/common/tree.py', '/lib/python2.7/site-packages/logilab/common/sphinxutils.py', '/lib/python2.7/site-packages/logilab/common/xmlrpcutils.py', '/lib/python2.7/site-packages/logilab/common/cli.py', '/lib/python2.7/site-packages/logilab/common/umessage.py', '/lib/python2.7/site-packages/logilab/common/__init__.py', '/lib/python2.7/site-packages/logilab/common/visitor.py', '/lib/python2.7/site-packages/logilab/common/date.py', '/lib/python2.7/site-packages/logilab/common/urllib2ext.py', '/lib/python2.7/site-packages/logilab/common/registry.py', '/lib/python2.7/site-packages/logilab/common/optik_ext.py', '/lib/python2.7/site-packages/logilab/common/logging_ext.py', '/lib/python2.7/site-packages/logilab/common/changelog.py', '/lib/python2.7/site-packages/logilab/common/ureports/text_writer.py', '/lib/python2.7/site-packages/logilab/common/interface.py', '/lib/python2.7/site-packages/logilab/common/graph.py', '/lib/python2.7/site-packages/logilab/common/modutils.py'])
>>>exit()

the same with python3
$ python3
Python 3.3.2 (default, Feb 16 2014, 13:01:24) 
[GCC 4.8.2] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from logilab.common.shellutils import globfind
>>> files = set(globfind('/lib/python3.3/site-packages/logilab/common', '*.py'))
>>> print(files)
{'/lib/python3.3/site-packages/logilab/common/proc.py', '/lib/python3.3/site-packages/logilab/common/testlib.py', '/lib/python3.3/site-packages/logilab/common/cli.py', '/lib/python3.3/site-packages/logilab/common/ureports/docbook_writer.py', '/lib/python3.3/site-packages/logilab/common/compat.py', '/lib/python3.3/site-packages/logilab/common/textutils.py', '/lib/python3.3/site-packages/logilab/common/fileutils.py', '/lib/python3.3/site-packages/logilab/common/ureports/nodes.py', '/lib/python3.3/site-packages/logilab/common/debugger.py', '/lib/python3.3/site-packages/logilab/common/optparser.py', '/lib/python3.3/site-packages/logilab/common/urllib2ext.py', '/lib/python3.3/site-packages/logilab/common/configuration.py', '/lib/python3.3/site-packages/logilab/common/vcgutils.py', '/lib/python3.3/site-packages/logilab/common/contexts.py', '/lib/python3.3/site-packages/logilab/common/tree.py', '/lib/python3.3/site-packages/logilab/common/umessage.py', '/lib/python3.3/site-packages/logilab/common/clcommands.py', '/lib/python3.3/site-packages/logilab/common/changelog.py', '/lib/python3.3/site-packages/logilab/common/modutils.py', '/lib/python3.3/site-packages/logilab/common/date.py', '/lib/python3.3/site-packages/logilab/common/__init__.py', '/lib/python3.3/site-packages/logilab/common/daemon.py', '/lib/python3.3/site-packages/logilab/common/xmlrpcutils.py', '/lib/python3.3/site-packages/logilab/common/graph.py', '/lib/python3.3/site-packages/logilab/common/pytest.py', '/lib/python3.3/site-packages/logilab/common/optik_ext.py', '/lib/python3.3/site-packages/logilab/common/pyro_ext.py', '/lib/python3.3/site-packages/logilab/common/deprecation.py', '/lib/python3.3/site-packages/logilab/common/decorators.py', '/lib/python3.3/site-packages/logilab/common/shellutils.py', '/lib/python3.3/site-packages/logilab/common/__pkginfo__.py', '/lib/python3.3/site-packages/logilab/common/visitor.py', '/lib/python3.3/site-packages/logilab/common/interface.py', '/lib/python3.3/site-packages/logilab/common/hg.py', '/lib/python3.3/site-packages/logilab/common/logging_ext.py', '/lib/python3.3/site-packages/logilab/common/sphinxutils.py', '/lib/python3.3/site-packages/logilab/common/dbf.py', '/lib/python3.3/site-packages/logilab/common/corbautils.py', '/lib/python3.3/site-packages/logilab/common/registry.py', '/lib/python3.3/site-packages/logilab/common/cache.py', '/lib/python3.3/site-packages/logilab/common/sphinx_ext.py', '/lib/python3.3/site-packages/logilab/common/ureports/__init__.py', '/lib/python3.3/site-packages/logilab/common/table.py', '/lib/python3.3/site-packages/logilab/common/ureports/text_writer.py', '/lib/python3.3/site-packages/logilab/common/ureports/html_writer.py', '/lib/python3.3/site-packages/logilab/common/tasksqueue.py', '/lib/python3.3/site-packages/logilab/common/xmlutils.py'}
>>> exit()
Comment 3 claire robinson 2014-03-03 12:15:01 CET
Created attachment 5023 [details]
test.py

Thanks for the procedure Philippe. Confirmed mga3 64 ok.

Attaching test.py which can be used to test with.

python-logilab-common
---------------------
$ python test.py

Should list lots of *.py files

python3-logilab-common
----------------------
$ python3 test.py

Same, lists lots of *.py files
Comment 4 claire robinson 2014-03-03 12:33:08 CET
Tested OK mga4 32

Couldn't find a PoC so just checking regressions.

Looking at the rpmdiff the affected parts seem to have been removed rather than patched, is this correct Philippe?

http://mageia.madb.org/rpm/diff/application/0/name/python-logilab-common-0.60.0-3.1.mga4.noarch.rpm/source/0/release/4/arch/i586/t_media/5
Comment 5 Philippe Makowski 2014-03-03 17:01:43 CET
(In reply to claire robinson from comment #4)
> Tested OK mga4 32
> 
> Couldn't find a PoC so just checking regressions.
> 
> Looking at the rpmdiff the affected parts seem to have been removed rather
> than patched, is this correct Philippe?
yes for CVE-2014-1838
and for CVE-2014-1839 just a little change that avoid using temp files, and lead to less code.
Comment 6 Shlomi Fish 2014-03-03 17:17:24 CET
Seems to work fine in Mageia 3 i586 (32-bit) in a VM. Installed from core/release and core/updates first, ran the test suite and then I enabled "updates_testing" upgraded and tested again.
Comment 7 Shlomi Fish 2014-03-03 17:34:05 CET
Works fine in a Mageia 3 x86-64 VM. I think the update can be validated now.
Comment 8 Thomas Backlund 2014-03-03 22:37:08 CET
advisory uploaded, validating
Comment 9 Thomas Backlund 2014-03-03 22:41:00 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0118.html

Note You need to log in before you can comment on or make changes to this bug.