A CVE has been requested for an issue fixed upstream in python-curl: http://openwall.com/lists/oss-security/2015/11/03/4

The commit to fix it is linked in the message above.
OK, I will move Cauldron to 7.19.5.2 or 7.19.5.3 and will patch python-curl-7.19.5-4.mga5.src.rpm
Status: NEW => ASSIGNED
Done in python-curl-7.19.5.3-1.mga6, python3-curl-7.19.5.3-1.mga6 and python-curl-7.19.5-4.1.mga5, python3-curl-7.19.5-4.1.mga5
Assignee: makowski.mageia => security
Thanks. MITRE had some questions about whether it's a real security issue or not, so holding off on assigning to QA until there's more clarity there.
CC: (none) => makowski.mageia
Version: Cauldron => 5
Fedora has issued an advisory for this on November 5: https://lists.fedoraproject.org/pipermail/package-announce/2015-November/170967.html

Let's go ahead with this.

Advisory:
========================

Updated python-curl packages fix security vulnerability:

A use-after-free vulnerability was found in Curl object's HTTPPOST setopt when a Unicode value is passed as a value with a FORM_BUFFERPTR. The str object created from the passed in unicode object would have its buffer used but the unicode object would be stored instead of the str object (rhbz#1277488).

References:
http://openwall.com/lists/oss-security/2015/11/03/4
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/170967.html
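As an added illustration of the defensive pattern behind the advisory above (not code from this bug report or from the pycurl project): the fault was a str created inside setopt() for a unicode FORM_BUFFERPTR value and then dropped while libcurl still pointed at its buffer. The script below does the text-to-bytes conversion itself before calling setopt() and keeps those bytes objects referenced until perform() has returned, so nothing libcurl points at is ever a temporary; prepare_httppost() and post_upload() are hypothetical names, while the ("name", (FORM_OPT, value, ...)) field layout and the pycurl constants are the real pycurl API.

```python
# Added example, not from the bug report or pycurl. prepare_httppost() and
# post_upload() are hypothetical helper names; the field layout is pycurl's.


def prepare_httppost(fields, encoding="utf-8"):
    """Return (httppost, keepalive) for curl.setopt(pycurl.HTTPPOST, httppost).

    fields: [("field name", (option, value, option, value, ...)), ...]
    Every str value is encoded once, up front, and every bytes value that
    libcurl may point at (FORM_BUFFERPTR in particular) is also collected in
    keepalive so the caller can hold it for the lifetime of the transfer.
    """
    httppost = []
    keepalive = []
    for name, spec in fields:
        if len(spec) % 2 != 0:
            raise ValueError("options for %r must be (option, value) pairs" % name)
        out = []
        for option, value in zip(spec[0::2], spec[1::2]):
            if isinstance(value, str):
                value = value.encode(encoding)  # explicit, not a hidden temporary
            if isinstance(value, bytes):
                keepalive.append(value)  # the very object libcurl will point at
            out.extend((option, value))
        httppost.append((name, tuple(out)))
    return httppost, keepalive


def post_upload(url, fields):
    """Multipart POST `fields` to `url`; needs pycurl and network access."""
    import pycurl  # imported here so prepare_httppost() runs without pycurl
    httppost, keepalive = prepare_httppost(fields)
    curl = pycurl.Curl()
    curl.setopt(pycurl.URL, url)
    curl.setopt(pycurl.HTTPPOST, httppost)
    try:
        curl.perform()  # keepalive is still referenced here: buffers stay valid
        return curl.getinfo(pycurl.RESPONSE_CODE)
    finally:
        curl.close()
        del keepalive  # buffers may be released only after the transfer


if __name__ == "__main__":
    import pycurl
    # Constructed sample: an in-memory file part with non-ASCII text, the
    # shape (unicode value for FORM_BUFFERPTR) that the advisory describes.
    print(post_upload("http://127.0.0.1:8080/upload", [
        ("upload", (pycurl.FORM_BUFFER, "réadme.txt",
                    pycurl.FORM_BUFFERPTR, "héllo, this is the file body"))]))
```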
Assignee: security => qa-bugs
URL: (none) => http://lwn.net/Vulnerabilities/663522/
MGA5-32 on AcerD620 Xfce

No installation issues. Found virtaal to be a dependent package. Ran it with both the old version and then the updated one after checking with strace that the python-curl package is used by it. No problems found.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
mga5 x86_64 Mate

Upgraded the packages to python-curl-7.19.5-4.1.mga5 python3-curl-7.19.5-4.1.mga5

$ urpmq --whatrequires python-curl
bzr
fence-agents
miro
oz
python-curl
python-tornado
python-urlgrabber
shinken
virtaal
wfuzz

Nothing familiar there except miro, so I installed miro and attempted to run it. Nothing seemed to happen. At the command line it simply hung and needed to be killed from another terminal. From the menu nothing happened. Tried running it under strace and saw that it used gdb but could not see anything helpful in the output, but it exited normally. Specified a local video file at the command line. No result.

$ miro --unittest

This performed 709 tests and reported 4 errors. ?? Cannot tell from this if python-curl is OK or not, but miro does not work anyway.

$ urpmq --whatrequires python3-curl
python3-curl
system-config-printer-libs

Will try this on another test system which needs to have a printer queue added, later.
CC: (none) => tarazed25
I had the same problem with miro with the previous stable version of python-curl as Lewis in Comment 6. Gave up on that.
Sorry, Len not Lewis.
You also have some samples here: http://pycurl.sourceforge.net/doc/quickstart.html
Created attachment 7193
testpy2.py - test script for python 2

$ python testpy2.py
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
...etc
Created attachment 7194
testpy3.py - test script for python 3

$ python3 testpy3.py
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
...etc
Testing complete mga5 64, as above.
Whiteboard: MGA5-32-OK => MGA5-32-OK mga5-64-ok
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK mga5-64-ok => MGA5-32-OK mga5-64-ok advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0440.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED