OpenSuSE has issued an advisory on March 3:
http://lists.opensuse.org/opensuse-updates/2015-03/msg00004.html

They added this patch:
https://build.opensuse.org/package/view_file/openSUSE:13.2:Update/python-rope/CVE-2014-3539-disable-doa.patch?expand=1

The note at the top is interesting in that it doesn't actually fix the issue, it just makes it so that it isn't exploitable in the default configuration. That appears to be the only "fix" available, so we should probably mention that in the advisory.

Mageia 4 is also affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1116485
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3539
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3539

Mga4 done, Mga5 freeze push asked.
Assignee: makowski.mageia => qa-bugs
CC: (none) => remi
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
python-rope-0.9.4-9.mga5 uploaded for Cauldron. Advisory still to come.
Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)
Note that I didn't include the "updated package fixes" line at the top of the advisory, since this update doesn't fix the issue, it just hides it by default. Note that the patch also documents this issue in the configuration file itself, so no README.urpmi is necessary to alert users of the issue.

Advisory:
========================

The python-rope utility has been caught passing remotely supplied data to pickle.load(), enabling possible code-execution attacks. This can happen when the 'perform_doa' (dynamic object analysis) option is enabled, which it previously had been by default. This update changes the default configuration to disable this option. This only mitigates the issue, as it will still be vulnerable if the option is enabled.

If 'perform_doa' is enabled, python-rope can be persuaded, under some circumstances, to open a network port for a short moment of time, which can be used to push commands to the running process, so the process could run some commands under the privileges of the user running python-rope. Anyone who enables this option is advised to make sure the computer is protected by a firewall.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3539
http://lists.opensuse.org/opensuse-updates/2015-03/msg00004.html
========================

Updated packages in core/updates_testing:
========================
python-rope-0.9.4-4.1.mga4

from python-rope-0.9.4-4.1.mga4.src.rpm
Does anyone have a (simple) idea how to test this?

$ urpmq --whatrequires python-rope
anjuta
python-rope
spyder

Neither anjuta nor spyder seem "simple".
CC: (none) => herman.viaene
Try the quick start examples: http://rope.sourceforge.net/library.html#examples

Even the first two from here are really enough to show it imports OK and can be used: http://rope.sourceforge.net/library.html#making-a-project

import rope.base.project
myproject = rope.base.project.Project('/path/to/myproject')
Whiteboard: (none) => has_procedure
Testing on Mageia4x64 real hardware, using procedure given by Claire in comment 6.

With current package:
--------------------
python-rope-0.9.4-4.mga4

Created a python script rope_test.py:

import rope.base.project
myproject = rope.base.project.Project('/home/zitounu/qa/mytestproject')

In console, ran python script in verbose mode:

$ python -v rope_test.py
# installing zipimport hook
import zipimport # builtin
# installed zipimport hook
# /usr/lib64/python2.7/site.pyc matches /usr/lib64/python2.7/site.py
import site # precompiled from /usr/lib64/python2.7/site.pyc
(...)
# cleanup __builtin__
# cleanup ints: 168 unfreed ints
# cleanup floats: 32 unfreed floats

Verified mytestproject had been created:

$ cd mytestproject/
$ ls -a
./ ../ .ropeproject/
$ cd .ropeproject/
$ ls -a
./ ../ config.py

Removed mytestproject:

$ cd ../..
$ rm -r -f mytestproject/

To updated testing package:
--------------------------
python-rope-0.9.4-4.1.mga4

$ python -v rope_test.py
# installing zipimport hook
import zipimport # builtin
# installed zipimport hook
# /usr/lib64/python2.7/site.pyc matches /usr/lib64/python2.7/site.py
import site # precompiled from /usr/lib64/python2.7/site.pyc
(...)
# cleanup sys
# cleanup __builtin__
# cleanup ints: 180 unfreed ints
# cleanup floats: 32 unfreed floats

Verified mytestproject/.ropeproject/config.py had been created. Edited config.py ($ nano mytestproject/.ropeproject/config.py):

# The default ``config.py``
def set_prefs(prefs):
    """This function is called before opening the project"""
(...)
def project_opened(project):
    """This function is called after opening the project"""
    # Do whatever you like here!

That seems OK.
CC: (none) => olchal
Whiteboard: has_procedure => has_procedure MGA4-64-OK
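The advisory in this report only changes the default value of 'perform_doa', and the test procedure above only verifies that rope still creates .ropeproject/config.py. A tester who wants to confirm that the mitigation actually landed can check what the generated config.py sets. The following check is example code added for this report, not part of rope or the Mageia package. It assumes the generated config.py sets the preference with a line of the shape prefs['perform_doa'] = True or False inside set_prefs() (an assumption about rope's template; the check reports "unset" when no such line is found), and it parses the file with the ast module instead of importing it, so the config being inspected never executes. The sample config fragments are constructed for the example.

```python
"""Report whether a rope project's .ropeproject/config.py leaves
dynamic object analysis ('perform_doa') enabled.

Added example for this bug report; not part of rope or the Mageia
package.  Assumes the preference is written as
``prefs['perform_doa'] = True`` / ``False`` (shape assumed from rope's
default config template).
"""
import ast
import os
import tempfile

PREF_NAME = "perform_doa"


def _subscript_key(sub):
    """Return the string key of a ``prefs['...']`` subscript, or None."""
    key = sub.slice
    if type(key).__name__ == "Index":  # Python < 3.9 wraps the key in Index
        key = key.value
    if isinstance(key, ast.Constant) and isinstance(key.value, str):
        return key.value
    return None


def doa_setting(config_source):
    """Return True/False for the last ``prefs['perform_doa'] = <bool>``
    assignment in ``config_source``, or None if the file never sets it.

    The source is parsed, not executed, so a broken or untrusted
    config.py cannot run anything during the check.
    """
    tree = ast.parse(config_source)
    found = []  # (line number, assigned value)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Assign):
            continue
        value = node.value
        if not (isinstance(value, ast.Constant) and isinstance(value.value, bool)):
            continue
        for target in node.targets:
            if (isinstance(target, ast.Subscript)
                    and isinstance(target.value, ast.Name)
                    and target.value.id == "prefs"
                    and _subscript_key(target) == PREF_NAME):
                found.append((node.lineno, value.value))
    if not found:
        return None
    return max(found)[1]  # the assignment that appears last wins


def check_project(project_dir):
    """Classify a rope project dir as 'enabled', 'disabled', 'unset' or 'missing'."""
    path = os.path.join(project_dir, ".ropeproject", "config.py")
    if not os.path.isfile(path):
        return "missing"
    with open(path) as fh:
        setting = doa_setting(fh.read())
    return {True: "enabled", False: "disabled", None: "unset"}[setting]


# Constructed config.py fragments: the pre-update default and the patched one.
OLD_DEFAULT_CONFIG = '''# The default ``config.py``
def set_prefs(prefs):
    """This function is called before opening the project"""
    prefs['perform_doa'] = True

def project_opened(project):
    """This function is called after opening the project"""
'''

PATCHED_DEFAULT_CONFIG = OLD_DEFAULT_CONFIG.replace(
    "prefs['perform_doa'] = True", "prefs['perform_doa'] = False")


def demo():
    """Write each constructed config into a throwaway project and classify it."""
    results = {}
    for label, source in (("old", OLD_DEFAULT_CONFIG),
                          ("patched", PATCHED_DEFAULT_CONFIG)):
        with tempfile.TemporaryDirectory() as project:
            os.makedirs(os.path.join(project, ".ropeproject"))
            with open(os.path.join(project, ".ropeproject", "config.py"), "w") as fh:
                fh.write(source)
            results[label] = check_project(project)
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print("%s config: perform_doa %s" % (label, verdict))
```

To use it against a real project created by the rope_test.py script above, call check_project('/home/zitounu/qa/mytestproject'); "disabled" means the updated default is in effect, "enabled" means the package still ships the old default or the user turned the option back on.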
Testing on Mageia4x32 real hardware, using same procedure as previous comment.

From current package:
--------------------
python-rope-0.9.4-4.mga4

To updated testing package:
--------------------------
python-rope-0.9.4-4.1.mga4

All OK.
Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK
Validating. Advisory uploaded. Please push to 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0122.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED