Bug 19859 - python-tornado new security issues fixed upstream in 4.4.2
Summary: python-tornado new security issues fixed upstream in 4.4.2
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/707494/
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Keywords: validated_update
Duplicates: 19865
Depends on:
Blocks:
 
Reported: 2016-11-28 20:50 CET by David Walser
Modified: 2016-12-11 23:45 CET
CC: 5 users

See Also:
Source RPM: python-tornado-4.3-1.mga6.src.rpm
CVE:
Status comment:


Attachments
2 python-tornado test scripts (2.20 KB, application/zip)
2016-12-11 21:42 CET, Lewis Smith

Description David Walser 2016-11-28 20:50:12 CET
Fedora has issued an advisory on November 26:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PJEFGW4II3TYTO7TICVK47WENL2URP46/

I'm not sure if Mageia 5 is affected.
Comment 1 Nicolas Lécureuil 2016-11-29 15:24:45 CET
fixed on cauldron svn.

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED

Comment 2 David Walser 2016-11-29 16:37:33 CET
Actually Mageia 5 apparently is affected and Philippe pushed an update for it.

The issue has to do with cookie parsing, but that's all I know.

python-tornado-3.2.2-4.1.mga5
python-tornado-doc-3.2.2-4.1.mga5
python3-tornado-3.2.2-4.1.mga5
python3-tornado-doc-3.2.2-4.1.mga5

from python-tornado-3.2.2-4.1.mga5.src.rpm

Status: RESOLVED => REOPENED
Version: Cauldron => 5
Resolution: FIXED => (none)

Comment 3 David Walser 2016-11-29 16:39:57 CET
*** Bug 19865 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu

Comment 4 Philippe Makowski 2016-11-29 19:44:29 CET
python-tornado updated in mga5

This update is a security fix:

A difference in cookie parsing between
Tornado and web browsers (especially when combined with Google Analytics) could
allow an attacker to set arbitrary cookies and bypass XSRF protection. The
cookie parser has been rewritten to fix this attack. 

python-tornado-3.2.2-4.2.mga5
python-tornado-doc-3.2.2-4.2.mga5
python3-tornado-3.2.2-4.2.mga5
python3-tornado-doc-3.2.2-4.2.mga5

from python-tornado-3.2.2-4.2.mga5.src.rpm

Note:
for testing, a simple update and a test like the "Hello world" example in the Tornado docs is enough (http://www.tornadoweb.org/en/stable/)

The test during the build confirms that the patch is OK; it is expected that this test now fails:
(from the build log)
FAIL: test_cookie_special_char (tornado.test.web_test.CookieTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/iurt/rpmbuild/BUILD/python3-python-tornado-3.2.2-4.2.mga5/tornado/test/web_test.py", line 214, in test_cookie_special_char
    self.assertEqual(response.body, utf8(expected))
AssertionError: b'"a' != b'a;b'


A freeze push is asked for Cauldron

Assignee: makowski.mageia => qa-bugs
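
The build-log failure above is the visible trace of the parser change the advisory describes: the old test expected the quoted value `"a;b"` to survive as `a;b`, while a browser-style parser stops at the `;` and yields `"a`. The following is an added example, not code from this bug report or from Tornado itself. It contrasts Python's `http.cookies.SimpleCookie` (RFC 2109-style quoting, which the pre-4.4.2 `request.cookies` property relied on) with a browser-style parser that splits on `;` before it looks at quotes. `parse_browser_style()` and `_unquote()` are hypothetical reimplementations written for this example, the cookie name `_xsrf` is Tornado's XSRF cookie name used only to make the comparison concrete, and both `Cookie:` headers are constructed. The example shows the parsing discrepancy only; the page does not describe the full attack chain and neither does this code.

```python
# Added example: SimpleCookie-style parsing (quoted values may contain ';')
# versus browser-style parsing (split on ';' first, quotes never protect ';').
# parse_browser_style() and _unquote() are hypothetical reimplementations
# written for this example, not Tornado's own parser.
from http.cookies import SimpleCookie, CookieError

XSRF_COOKIE = "_xsrf"   # Tornado's XSRF cookie name, used here only for the demo


def parse_quoted(header):
    """Parse a Cookie header the way http.cookies.SimpleCookie does.

    A double-quoted value may contain ';' and is returned with the quotes
    removed, so one quoted value can swallow everything up to the next '"'.
    On a CookieError the whole header is discarded, mirroring the try/except
    the old Tornado code wrapped around SimpleCookie.load().
    """
    jar = SimpleCookie()
    try:
        jar.load(header)
    except CookieError:
        return {}
    return {name: morsel.value for name, morsel in jar.items()}


def _unquote(value):
    """Strip one pair of surrounding double quotes and undo backslash escapes.

    A value not wrapped in a matching pair is returned untouched, so a lone
    leading quote stays in the value (this is what produces '"a' below).
    """
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        return value
    inner = value[1:-1]
    out = []
    i = 0
    while i < len(inner):
        if inner[i] == "\\" and i + 1 < len(inner):
            out.append(inner[i + 1])   # backslash escape: keep the next char
            i += 2
        else:
            out.append(inner[i])
            i += 1
    return "".join(out)


def parse_browser_style(header):
    """Parse a Cookie header the way browsers split it: on ';' first.

    Quotes never protect a ';'.  A chunk without '=' is stored under the
    empty name, as browsers do.  A repeated name keeps the last occurrence.
    """
    cookies = {}
    for chunk in header.split(";"):
        if "=" in chunk:
            name, value = chunk.split("=", 1)
        else:
            name, value = "", chunk
        name, value = name.strip(), value.strip()
        if name or value:
            cookies[name] = _unquote(value)
    return cookies


def xsrf_view(header):
    """Return (SimpleCookie view, browser-style view) of the _xsrf cookie.

    None means that parser found no cookie named _xsrf at all.
    """
    return (parse_quoted(header).get(XSRF_COOKIE),
            parse_browser_style(header).get(XSRF_COOKIE))


if __name__ == "__main__":
    # Constructed headers.  The first is the test vector from the build log
    # quoted in this bug; the second shows a quoted value running across a
    # following _xsrf=... pair, so the two parsers disagree on whether an
    # _xsrf cookie is present at all.
    for hdr in ('foo="a;b"', 'a="; _xsrf=real; b="'):
        print(repr(hdr))
        print("  SimpleCookie  :", parse_quoted(hdr))
        print("  browser style :", parse_browser_style(hdr))
        print("  _xsrf seen as :", xsrf_view(hdr))
```

Running the block prints both parses for each header. For `foo="a;b"` the SimpleCookie parse gives `a;b` (the value the old test asserted) and the browser-style parse gives `"a` (the value the patched package now produces, as in the build log). For the second header the quoted value of `a` swallows the `_xsrf=real` pair under SimpleCookie, while the browser-style parse keeps `_xsrf` as a separate cookie; whatever the server compares the XSRF form token against therefore depends on which of the two parsers it uses, which is the discrepancy the advisory text refers to.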

Comment 5 Herman Viaene 2016-11-30 14:17:18 CET
MGA5-32 on AcerD620 Xfce
No installation issues
Refer to bug 6165 (via bug 16100) as simple testcase:
run python helloworld.py, point browser to localhost:8888, it works (checked that browser does not reach anything when helloworld is not running).

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 6 Lewis Smith 2016-12-05 21:50:22 CET
Advisory uploaded.

CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

Comment 7 Lewis Smith 2016-12-11 21:22:24 CET
Testing M5_64

Using just the simple 'helloworld.py' script from Comment 4 (thanks Philippe)
 http://www.tornadoweb.org/en/stable/
(same as what Herman refers to above). 

AFTER the update to:
 python-tornado-3.2.2-4.2.mga5
 python3-tornado-3.2.2-4.2.mga5

 $ python[3] helloworld.py      [I tried both]
leaves the console in suspension with the script running. Pointing a browser to:
 http://localhost:8888
correctly yields the 'Hello, world' page.
(I saw a console error sometimes about "404 GET /favicon.ico (127.0.0.1)", but I do not think it matters.)
Quit the scripts with ^C. As per Herman, at least with a virgin browser, trying the 8888 port with no script running goes nowhere.

I tried another more complicated script called 'chatdemo.py' which yielded "500: Internal Server Error" when I pointed a browser to Tornado with it running. I shall attach both to this bug for future convenience.

OKing & validating this update. Advisory already there.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 8 Lewis Smith 2016-12-11 21:42:39 CET
Created attachment 8753 [details]
2 python-tornado test scripts

To save re-downloading & formatting these two scripts, the larger second of which transcribed very badly indeed. I tidied & checked it carefully.

helloworld.py    http://www.tornadoweb.org/en/stable/   
------------
 $ python[3] helloworld.py
leaves the console in limbo. Then point a browser to http://localhost:8888 to see a "Hello world" page. Quit with ^C.

chatdemo.py
----------
 https://github.com/tornadoweb/tornado/blob/stable/demos/chat/chatdemo.py
No idea what it does or how it works, other than that it uses "Tornado's asynchronous features".
 $ python[3] chatdemo.py
then http://localhost:8888 gave me "500: Internal Server Error" page, and a lot of errors on the console. But it must be driveable. Being larger & more sophisticated, it could make a good Python test.
Comment 9 Mageia Robot 2016-12-11 23:45:10 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0418.html

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

