Fedora has issued an advisory today (August 16): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NGM5T2F2STAUWF76LMEA7NCLE3STBAQI/ The actual bug is here: https://bugzilla.redhat.com/show_bug.cgi?id=1598913 I'm not sure which older versions are affected.
Assigning to the registered maintainer.
Assignee: bugsquad => jani.valimaa
CC: (none) => marja11
Issue fixed upstream in 2.18, uploaded by Jani in Cauldron.
Version: Cauldron => 6
Advisory:
========================

Updated units package fixes security vulnerability:

A flaw was found in units. units_cur doesn't sanitize downloaded data. This allows a maliciously intended server to execute arbitrary code remotely on the client (rhbz#1598913).

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NGM5T2F2STAUWF76LMEA7NCLE3STBAQI/
========================

Updated packages in core/updates_testing:
========================

units-2.18-1.mga6

from units-2.18-1.mga6.src.rpm
CC: (none) => jani.valimaa
Assignee: jani.valimaa => qa-bugs
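The advisory above says units_cur wrote downloaded data into the currency file without sanitizing it. As an added example (not code from the units project or from this bug report), here is the kind of whitelist validation a client should apply to rate data from an untrusted server before writing it to currency.units; the 'NAME<TAB>RATE US$' line layout and the uppercase-code naming policy are assumptions.

```python
"""Whitelist validation for currency rates fetched from an untrusted server.
Added example, not code from the units project or from this bug report. It
assumes one 'NAME<TAB>RATE US$' definition per datafile line (layout assumed)
and that lines starting with '!' are directives like '!include', which must
never come from the network."""
import re
from decimal import Decimal

_NAME_RE = re.compile(r"[A-Z]{3,5}")         # assumed currency-code policy
_RATE_RE = re.compile(r"[0-9]+(\.[0-9]+)?")  # plain decimal literal only

def validate_rate(name, rate):
    """Return (name, Decimal) for a well-formed entry, else raise ValueError."""
    if not _NAME_RE.fullmatch(name):
        raise ValueError("bad currency name: %r" % (name,))
    if not _RATE_RE.fullmatch(rate):  # rejects signs, exponents, newlines
        raise ValueError("bad rate for %s: %r" % (name, rate))
    value = Decimal(rate)
    if value <= 0:
        raise ValueError("non-positive rate for %s" % name)
    return name, value

def build_currency_table(entries, base="US$"):
    """Rebuild datafile text from validated fields; return (text, rejected).
    Nothing the server sent is copied verbatim: each line is regenerated
    from a name and a Decimal that passed the whitelist, so a directive, a
    smuggled second definition or a rate-overriding duplicate never lands."""
    lines, rejected, seen = [], [], set()
    for name, rate in entries:
        try:
            name, value = validate_rate(name, rate)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        if name in seen:
            rejected.append("duplicate definition for %s" % name)
            continue
        seen.add(name)
        lines.append("%s\t%s %s" % (name, value, base))
    return "\n".join(lines) + "\n", rejected

# Constructed sample of a hostile response: two good entries, three bad.
SAMPLE = [
    ("EUR", "1.1468274"), ("AUD", "0.62126973"),
    ("!include", "extra.units"),  # directive disguised as a currency name
    ("GBP", "1.30\nJPY 999"),     # second definition smuggled into a value
    ("EUR", "0.0001"),            # duplicate that would override the real rate
]
```

Running build_currency_table(SAMPLE) keeps only the EUR and AUD lines and reports the three rejected entries, which is what a units_cur run should log instead of writing them to disk.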
I got a bogus e-mail from the build system:

The upload of the following packages failed:
- units-2.18-1.mga6.i586.rpm
- units-debuginfo-2.18-1.mga6.i586.rpm
- units-2.18-1.mga6.x86_64.rpm
- units-debuginfo-2.18-1.mga6.x86_64.rpm

Upload log available in http://pkgsubmit.mageia.org/uploads/rejected//6/core/updates_testing/20190101213908.luigiwalser.duvel.2390.youri
CC: (none) => sysadmin-bugs
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.

At CLI:
$ units
Currency exchange rates from FloatRates (USD base) on 2018-10-20
3070 units, 109 prefixes, 109 nonlinear units

You have: 1000€
You want: USD
        * 1146.8274
        / 0.0008719708
You have: 1000€
You want: AUD
        * 1609.6068
        / 0.00062126973
You have: 90deg
You want: rad
conformability error
        1.5707963 radian
        0.01 m^2 / s^2

Seems OK, but

$ units_cur
Traceback (most recent call last):
  File "/usr/bin/units_cur", line 57, in <module>
    import requests
  File "/usr/lib/python2.7/site-packages/requests/__init__.py", line 60, in <module>
    from .packages.urllib3.exceptions import DependencyWarning
  File "/usr/lib/python2.7/site-packages/requests/packages/__init__.py", line 29, in <module>
    import urllib3
  File "/usr/lib/python2.7/site-packages/urllib3/__init__.py", line 8, in <module>
    from .connectionpool import (
  File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 29, in <module>
    from .connection import (
  File "/usr/lib/python2.7/site-packages/urllib3/connection.py", line 39, in <module>
    from .util.ssl_ import (
  File "/usr/lib/python2.7/site-packages/urllib3/util/__init__.py", line 4, in <module>
    from .request import make_headers
  File "/usr/lib/python2.7/site-packages/urllib3/util/request.py", line 5, in <module>
    from ..exceptions import UnrewindableBodyError
ImportError: cannot import name UnrewindableBodyError

Checked older version 2.14 on another PC. The units_cur command also fails there with another traceback, so the update can go for me.
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
Testing M6/64

Just 'units_cur' because of Herman's finds, and the fact that the bug refers specifically to that.

From the man page: "To update the exchange rates, run 'units_cur', which rewrites the file containing the currency rates, typically '/var/lib/units/currency.units' or '/usr/local/com/units/currency.units' on a Unix-like system".

BEFORE update: units-2.14-1.mga6
$ units_cur
Traceback (most recent call last):
  File "/usr/bin/units_cur", line 40, in <module>
    currencies = ET.parse(urllib.urlopen('http://rss.timegenie.com/forex.xml')).findall('data')
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1182, in parse
    tree.parse(source, parser)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 657, in parse
    self._root = parser.close()
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1671, in close
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1523, in _raiseerror
    raise err
xml.etree.ElementTree.ParseError: no element found: line 1, column 0

AFTER update: units-2.18-1.mga6
# units_cur
# Note the need to be root, or you get:
Unable to write to output file: [Errno 13] Permission denied: '/var/lib/units/currency.units'

This is definitely an improvement, so seconding Herman's OK.

Validating & advisoried.
CC: (none) => lewyssmith
Keywords: (none) => advisory, validated_update
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0007.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED