OpenSuSE has issued an advisory today (February 28): http://lists.opensuse.org/opensuse-updates/2014-02/msg00085.html
Whiteboard: (none) => MGA4TOO, MGA3TOO
Suggested advisory:
========================

Updated python-logilab-common packages fix security vulnerabilities in temporary file handling (CVE-2014-1838 and CVE-2014-1839).

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737051
https://bugs.gentoo.org/show_bug.cgi?id=499872
https://bugzilla.redhat.com/show_bug.cgi?id=1060304
http://secunia.com/advisories/56720/
http://comments.gmane.org/gmane.comp.security.oss.general/11986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1838
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1839
========================

Updated packages in core/updates_testing:
========================
python-logilab-common-0.60.0-3.1.mga4
python3-logilab-common-0.60.0-3.1.mga4
python-logilab-common-0.58.3-2.1.mga3

Source RPMs:
python-logilab-common-0.60.0-3.1.mga4
python-logilab-common-0.58.3-2.1.mga3
Assignee: makowski.mageia => qa-bugs
Mageia 4 64-bit simple test case:

$ python
Python 2.7.6 (default, Feb 16 2014, 13:45:03)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from logilab.common.shellutils import globfind
>>> files = set(globfind('/lib/python2.7/site-packages/logilab/common', '*.py'))
>>> print(files)
set(['/lib/python2.7/site-packages/logilab/common/tasksqueue.py', '/lib/python2.7/site-packages/logilab/common/ureports/html_writer.py', '/lib/python2.7/site-packages/logilab/common/shellutils.py', '/lib/python2.7/site-packages/logilab/common/xmlutils.py', '/lib/python2.7/site-packages/logilab/common/hg.py', '/lib/python2.7/site-packages/logilab/common/fileutils.py', '/lib/python2.7/site-packages/logilab/common/deprecation.py', '/lib/python2.7/site-packages/logilab/common/proc.py', '/lib/python2.7/site-packages/logilab/common/debugger.py', '/lib/python2.7/site-packages/logilab/common/__pkginfo__.py', '/lib/python2.7/site-packages/logilab/common/textutils.py', '/lib/python2.7/site-packages/logilab/common/pytest.py', '/lib/python2.7/site-packages/logilab/common/contexts.py', '/lib/python2.7/site-packages/logilab/common/cache.py', '/lib/python2.7/site-packages/logilab/common/table.py', '/lib/python2.7/site-packages/logilab/common/pyro_ext.py', '/lib/python2.7/site-packages/logilab/common/optparser.py', '/lib/python2.7/site-packages/logilab/common/decorators.py', '/lib/python2.7/site-packages/logilab/common/dbf.py', '/lib/python2.7/site-packages/logilab/common/clcommands.py', '/lib/python2.7/site-packages/logilab/common/ureports/docbook_writer.py', '/lib/python2.7/site-packages/logilab/common/ureports/nodes.py', '/lib/python2.7/site-packages/logilab/common/daemon.py', '/lib/python2.7/site-packages/logilab/common/ureports/__init__.py', '/lib/python2.7/site-packages/logilab/common/sphinx_ext.py', '/lib/python2.7/site-packages/logilab/common/compat.py', '/lib/python2.7/site-packages/logilab/common/configuration.py', '/lib/python2.7/site-packages/logilab/common/corbautils.py', '/lib/python2.7/site-packages/logilab/common/vcgutils.py', '/lib/python2.7/site-packages/logilab/common/testlib.py', '/lib/python2.7/site-packages/logilab/common/tree.py', '/lib/python2.7/site-packages/logilab/common/sphinxutils.py', '/lib/python2.7/site-packages/logilab/common/xmlrpcutils.py', '/lib/python2.7/site-packages/logilab/common/cli.py', '/lib/python2.7/site-packages/logilab/common/umessage.py', '/lib/python2.7/site-packages/logilab/common/__init__.py', '/lib/python2.7/site-packages/logilab/common/visitor.py', '/lib/python2.7/site-packages/logilab/common/date.py', '/lib/python2.7/site-packages/logilab/common/urllib2ext.py', '/lib/python2.7/site-packages/logilab/common/registry.py', '/lib/python2.7/site-packages/logilab/common/optik_ext.py', '/lib/python2.7/site-packages/logilab/common/logging_ext.py', '/lib/python2.7/site-packages/logilab/common/changelog.py', '/lib/python2.7/site-packages/logilab/common/ureports/text_writer.py', '/lib/python2.7/site-packages/logilab/common/interface.py', '/lib/python2.7/site-packages/logilab/common/graph.py', '/lib/python2.7/site-packages/logilab/common/modutils.py'])
>>> exit()

The same with python3:

$ python3
Python 3.3.2 (default, Feb 16 2014, 13:01:24)
[GCC 4.8.2] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from logilab.common.shellutils import globfind
>>> files = set(globfind('/lib/python3.3/site-packages/logilab/common', '*.py'))
>>> print(files)
{'/lib/python3.3/site-packages/logilab/common/proc.py', '/lib/python3.3/site-packages/logilab/common/testlib.py', '/lib/python3.3/site-packages/logilab/common/cli.py', '/lib/python3.3/site-packages/logilab/common/ureports/docbook_writer.py', '/lib/python3.3/site-packages/logilab/common/compat.py', '/lib/python3.3/site-packages/logilab/common/textutils.py', '/lib/python3.3/site-packages/logilab/common/fileutils.py', '/lib/python3.3/site-packages/logilab/common/ureports/nodes.py', '/lib/python3.3/site-packages/logilab/common/debugger.py', '/lib/python3.3/site-packages/logilab/common/optparser.py', '/lib/python3.3/site-packages/logilab/common/urllib2ext.py', '/lib/python3.3/site-packages/logilab/common/configuration.py', '/lib/python3.3/site-packages/logilab/common/vcgutils.py', '/lib/python3.3/site-packages/logilab/common/contexts.py', '/lib/python3.3/site-packages/logilab/common/tree.py', '/lib/python3.3/site-packages/logilab/common/umessage.py', '/lib/python3.3/site-packages/logilab/common/clcommands.py', '/lib/python3.3/site-packages/logilab/common/changelog.py', '/lib/python3.3/site-packages/logilab/common/modutils.py', '/lib/python3.3/site-packages/logilab/common/date.py', '/lib/python3.3/site-packages/logilab/common/__init__.py', '/lib/python3.3/site-packages/logilab/common/daemon.py', '/lib/python3.3/site-packages/logilab/common/xmlrpcutils.py', '/lib/python3.3/site-packages/logilab/common/graph.py', '/lib/python3.3/site-packages/logilab/common/pytest.py', '/lib/python3.3/site-packages/logilab/common/optik_ext.py', '/lib/python3.3/site-packages/logilab/common/pyro_ext.py', '/lib/python3.3/site-packages/logilab/common/deprecation.py', '/lib/python3.3/site-packages/logilab/common/decorators.py', '/lib/python3.3/site-packages/logilab/common/shellutils.py', '/lib/python3.3/site-packages/logilab/common/__pkginfo__.py', '/lib/python3.3/site-packages/logilab/common/visitor.py', '/lib/python3.3/site-packages/logilab/common/interface.py', '/lib/python3.3/site-packages/logilab/common/hg.py', '/lib/python3.3/site-packages/logilab/common/logging_ext.py', '/lib/python3.3/site-packages/logilab/common/sphinxutils.py', '/lib/python3.3/site-packages/logilab/common/dbf.py', '/lib/python3.3/site-packages/logilab/common/corbautils.py', '/lib/python3.3/site-packages/logilab/common/registry.py', '/lib/python3.3/site-packages/logilab/common/cache.py', '/lib/python3.3/site-packages/logilab/common/sphinx_ext.py', '/lib/python3.3/site-packages/logilab/common/ureports/__init__.py', '/lib/python3.3/site-packages/logilab/common/table.py', '/lib/python3.3/site-packages/logilab/common/ureports/text_writer.py', '/lib/python3.3/site-packages/logilab/common/ureports/html_writer.py', '/lib/python3.3/site-packages/logilab/common/tasksqueue.py', '/lib/python3.3/site-packages/logilab/common/xmlutils.py'}
>>> exit()
CC: (none) => makowski.mageia
Whiteboard: MGA4TOO, MGA3TOO => MGA4TOO, MGA3TOO, MGA4-64-OK, has_procedure
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO, MGA4-64-OK, has_procedure => MGA3TOO MGA4-64-OK has_procedure
URL: (none) => http://lwn.net/Vulnerabilities/588861/
Created attachment 5023
test.py

Thanks for the procedure, Philippe. Confirmed mga3 64 ok. Attaching test.py which can be used to test with.

python-logilab-common
---------------------
$ python test.py
Should list lots of *.py files

python3-logilab-common
----------------------
$ python3 test.py
Same, lists lots of *.py files
Tested OK mga4 32.

Couldn't find a PoC so just checking regressions.

Looking at the rpmdiff the affected parts seem to have been removed rather than patched, is this correct, Philippe?
http://mageia.madb.org/rpm/diff/application/0/name/python-logilab-common-0.60.0-3.1.mga4.noarch.rpm/source/0/release/4/arch/i586/t_media/5
Whiteboard: MGA3TOO MGA4-64-OK has_procedure => MGA3TOO has_procedure feedback mga4-32-ok? MGA4-64-OK
(In reply to claire robinson from comment #4)
> Tested OK mga4 32
>
> Couldn't find a PoC so just checking regressions.
>
> Looking at the rpmdiff the affected parts seem to have been removed rather
> than patched, is this correct Philippe?

Yes for CVE-2014-1838, and for CVE-2014-1839 just a little change that avoids using temp files and leads to less code.
Whiteboard: MGA3TOO has_procedure feedback mga4-32-ok? MGA4-64-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK
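The bug class the advisory names, temporary files at predictable paths, shown as an added illustration that is not code from logilab-common or from the test.py attached to this bug: the insecure pattern beside the hardened one, with the O_EXCL property the fix relies on and a permissions check a reviewer can run over any temp file. Function names, the scratch directory and the sample data are constructed for the example.

```python
import os
import stat
import tempfile

def write_temp_insecure(base_dir, tag, data):
    # The CWE-377 pattern: a fixed name for every run and every user, and
    # open(..., "w") truncates whatever already sits there, so a file planted
    # at that path beforehand is silently reused instead of refused.
    path = os.path.join(base_dir, "%s.tmp" % tag)
    with open(path, "w") as fh:
        fh.write(data)
    return path

def write_temp_secure(data):
    # mkstemp picks an unpredictable name and opens it O_CREAT|O_EXCL with
    # mode 0600, so nothing pre-existing can be handed back to the caller.
    fd, path = tempfile.mkstemp(prefix="logilab-", suffix=".tmp")
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path

def exclusive_create(path):
    # The property mkstemp relies on: O_EXCL fails when the path already
    # exists (a symlink counts as existing) instead of following it.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    return os.fdopen(fd, "w")

def temp_file_is_private(path):
    # Audit check for any temp file: regular file, owner-only permissions.
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0

def demo():
    # Constructed scratch directory, so the insecure pattern is not
    # exercised in the shared system temp directory.
    base = tempfile.mkdtemp()
    p1 = write_temp_insecure(base, "report", "run one")
    p2 = write_temp_insecure(base, "report", "run two")  # same path, clobbered
    try:
        exclusive_create(p1)
        refused = False
    except FileExistsError:
        refused = True  # O_EXCL rejects the already-present file
    s1, s2 = write_temp_secure("run one"), write_temp_secure("run two")
    private = temp_file_is_private(s1) and temp_file_is_private(s2)
    for p in (p1, s1, s2):
        os.unlink(p)
    os.rmdir(base)
    return p1 == p2, refused, s1 != s2, private
```

demo() returns (True, True, True, True): the insecure writer reuses one path, O_EXCL refuses it, and the mkstemp files are distinct and owner-only.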
Seems to work fine in Mageia 3 i586 (32-bit) in a VM. Installed from core/release and core/updates first, ran the test suite, and then I enabled "updates_testing", upgraded and tested again.
CC: (none) => shlomif
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK
Works fine in a Mageia 3 x86-64 VM. I think the update can be validated now.
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK
Advisory uploaded, validating.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK advisory
CC: (none) => tmb, sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0118.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED