Bug 14873 - python-pyxdg new security issue CVE-2014-1624
Summary: python-pyxdg new security issue CVE-2014-1624
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Philippe Makowski
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/627324/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-22 20:38 CET by David Walser
Modified: 2014-12-25 16:42 CET

See Also:
Source RPM: python-pyxdg-0.25-7.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2014-12-22 20:38:22 CET
Fedora has issued an advisory on December 5:
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146459.html

This sounds like a /tmp symlink attack issue, which wouldn't be exploitable as of Mageia 4 due to the protected_symlinks feature in the kernel.  If that's all it is, we don't need to issue an update for Mageia 4, but we should still patch it in Cauldron as it's still a bug.

Comment 1 Philippe Makowski 2014-12-24 15:27:00 CET
(In reply to David Walser from comment #0)

> This sounds like a /tmp symlink attack issue, which wouldn't be exploitable as
> of Mageia 4 due to the protected_symlinks feature in the kernel.  If that's
> all it is, we don't need to issue an update for Mageia 4

It is the case, so I will patch only the Cauldron package.
Comment 2 Philippe Makowski 2014-12-25 16:42:08 CET
done python-pyxdg-0.25-8.mga5

Status: NEW => RESOLVED
Resolution: (none) => FIXED
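
The thread above treats the kernel's protected_symlinks setting as a mitigation while still patching the code. As an added example (not pyxdg's code and not the fix shipped in the package), this Python shows a generic way to claim a predictable directory name in a world-writable location without trusting whatever already sits at that name, plus a check of the sysctl; the directory names and the sandbox standing in for /tmp are assumptions of the example.

```python
import os
import stat
import tempfile


def protected_symlinks_enabled(sysctl="/proc/sys/fs/protected_symlinks"):
    """Kernel mitigation state: True/False, or None if the sysctl is absent."""
    try:
        with open(sysctl) as f:
            return f.read().strip() == "1"
    except OSError:
        return None


def ensure_private_dir(path):
    """Create or verify a 0700 directory owned by the caller at `path`."""
    try:
        os.mkdir(path, 0o700)  # atomic; fails if the name exists, even as a symlink
    except FileExistsError:
        pass
    st = os.lstat(path)  # lstat inspects the name itself, never a link target
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path} exists and is not a real directory")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path} is owned by uid {st.st_uid}")
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise PermissionError(f"{path} is accessible to group or other")
    return path


def demo():
    """Constructed scenario: a symlink already occupies the expected name."""
    with tempfile.TemporaryDirectory() as sandbox:  # stands in for /tmp
        os.mkdir(os.path.join(sandbox, "elsewhere"))
        squatted = os.path.join(sandbox, "app-fallback-user")  # hypothetical name
        os.symlink(os.path.join(sandbox, "elsewhere"), squatted)
        try:
            ensure_private_dir(squatted)
            rejected = False
        except PermissionError:
            rejected = True
        fresh = ensure_private_dir(os.path.join(sandbox, "app-fallback-fresh"))
        return rejected, stat.S_IMODE(os.lstat(fresh).st_mode)


if __name__ == "__main__":
    print("protected_symlinks:", protected_symlinks_enabled())
    print("symlink rejected, new dir mode:", demo())
```

The checks in `ensure_private_dir` do not depend on the sysctl, which is why code of this kind stays safe on systems where protected_symlinks is off.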

