Bug 15427 - python-rope new security issue CVE-2014-3539
Summary: python-rope new security issue CVE-2014-3539
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/635489/
Whiteboard: has_procedure advisory MGA4-64-OK MGA...
Keywords: validated_update
Depends on:
Reported: 2015-03-04 20:06 CET by David Walser
Modified: 2015-04-01 14:14 CEST (History)
4 users (show)

See Also:
Source RPM: python-rope-0.9.4-8.mga5.src.rpm
Status comment:


Description David Walser 2015-03-04 20:06:56 CET
OpenSuSE has issued an advisory on March 3:

They added this patch:

The note at the top is interesting in that it doesn't actually fix the issue, it just makes it so that it isn't exploitable in the default configuration.  That appears to be the only "fix" available, so we should probably mention that in the advisory.

Mageia 4 is also affected.


Steps to Reproduce:
David Walser 2015-03-04 20:07:04 CET

Whiteboard: (none) => MGA5TOO, MGA4TOO

Philippe Makowski 2015-03-08 13:01:44 CET

Assignee: makowski.mageia => qa-bugs

Rémi Verschelde 2015-03-08 19:30:38 CET

CC: (none) => remi
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO

Comment 2 David Walser 2015-03-08 21:18:02 CET
python-rope-0.9.4-9.mga5 uploaded for Cauldron.

Advisory still to come.

Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)

Comment 3 David Walser 2015-03-08 22:04:38 CET
Note that I didn't include the "updated package fixes" line at the top of the advisory, since this update doesn't fix the issue, it just hides it by default.

Note that the patch also documents this issue in the configuration file itself, so no README.urpmi is necessary to alert users of the issue.


The python-rope utility has been caught passing remotely supplied data to pickle.load(), enabling possible code-execution attacks. This can happen when
the 'perform_doa' (dynamic object analysis) option is enabled, which it
previously had been by default.

This update changes the default configuration to disable this option. This
only mitigates the issue, as it will still be vulnerable if the option is

If 'perform_doa' is enabled, python-rope can be persuaded to open under some
circumstances a network port for short moment of time, which can be used to
push commands to the running process, so the process could run some commands
under the privileges of the user running python-rope. Anyone who enables this
option is advised to make sure the computer is protected by a firewall.


Updated packages in core/updates_testing:

from python-rope-0.9.4-4.1.mga4.src.rpm
Comment 4 Herman Viaene 2015-03-10 16:45:55 CET
Anyone has a (simple) idea how to test this.
$ urpmq --whatrequires python-rope                               
Neither anjuta nor spyder seem "simple".

CC: (none) => herman.viaene

Comment 5 claire robinson 2015-03-10 17:01:03 CET
Try the quick start examples.. 
Comment 6 claire robinson 2015-03-10 17:03:04 CET
Even the first two from here is really enough to show it imports ok and can be used.. http://rope.sourceforge.net/library.html#making-a-project

import rope.base.project
myproject = rope.base.project.Project('/path/to/myproject')
claire robinson 2015-03-12 12:55:56 CET

Whiteboard: (none) => has_procedure

Comment 7 olivier charles 2015-03-24 16:37:46 CET
Testing on Mageia4x64 real hardware,

using procedure given by Claire in comment 6

With current package :

Created a python script = rope_test.py

import rope.base.project
myproject = rope.base.project.Project('/home/zitounu/qa/mytestproject')

In console, ran python script in verbose mode :
$ python -v rope_test.py

# installing zipimport hook
import zipimport # builtin
# installed zipimport hook
# /usr/lib64/python2.7/site.pyc matches /usr/lib64/python2.7/site.py
import site # precompiled from /usr/lib64/python2.7/site.pyc
# cleanup __builtin__
# cleanup ints: 168 unfreed ints
# cleanup floats: 32 unfreed floats

Verified mytestproject had been created :

$ cd mytestproject/
$ ls -a
./  ../  .ropeproject/
$ cd .ropeproject/
$ ls -a
./  ../  config.py

Removed mytestproject :

$ cd ../..
$ rm -r -f mytestproject/

To updated testing package :

$ python -v rope_test.py 

# installing zipimport hook
import zipimport # builtin
# installed zipimport hook
# /usr/lib64/python2.7/site.pyc matches /usr/lib64/python2.7/site.py
import site # precompiled from /usr/lib64/python2.7/site.pyc
# cleanup sys
# cleanup __builtin__
# cleanup ints: 180 unfreed ints
# cleanup floats: 32 unfreed floats

Verified mytestproject/.ropeproject/config.py had been created.
Edited config.py ($ nano mytestproject/.ropeproject/config.py) :

# The default ``config.py``

def set_prefs(prefs):
    """This function is called before opening the project"""
def project_opened(project):
    """This function is called after opening the project"""
    # Do whatever you like here!

That seems OK.

CC: (none) => olchal
Whiteboard: has_procedure => has_procedure MGA4-64-OK

Comment 8 olivier charles 2015-03-31 19:52:12 CEST
Testing on Mageia4x32 real hardware, using same procedure as previous comment

From current package :

To updated testing package :

All OK.

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK

Comment 9 claire robinson 2015-04-01 11:18:09 CEST
Validating. Advisory uploaded.

Please push to 4 updates


Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2015-04-01 14:14:09 CEST
An update for this issue has been pushed to Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.