Ubuntu has issued an advisory on May 22: http://www.ubuntu.com/usn/usn-1449-1/
Fedora has also issued an advisory on May 24: http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081655.html
More info is available here: http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2921.html
The issue is fixed upstream in 5.1.2.
CC: (none) => shikamaru
Whiteboard: (none) => MGA2TOO, MGA1TOO
CC: (none) => makowski.mageia
CC: (none) => johnny
5.1.2 is in 1 and 2 updates/testing
Thanks Philippe.

Advisory:
========================
Updated python-feedparser package fixes security vulnerability:

Universal Feed Parser (aka feedparser or python-feedparser) before 5.1.2 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML ENTITY declaration in a non-ASCII encoded document (CVE-2012-2921).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2921
http://www.ubuntu.com/usn/usn-1449-1/
========================

Updated packages in core/updates_testing:
========================
python-feedparser-5.1.2-1.mga1
python-feedparser-5.1.2-1.mga2

from SRPMS:
python-feedparser-5.1.2-1.mga1.src.rpm
python-feedparser-5.1.2-1.mga2.src.rpm
Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
Testing on MGA2, i586.
CC: (none) => wassi
Testing complete on MGA2, i586. I parsed several RSS (0.91, 1.0, 2.0) and Atom Feeds and encountered no problem whatsoever.
Whiteboard: MGA1TOO => MGA1TOO, MGA2-32-OK
Testing complete on x86_64 Mageia 2. Used the canto CLI feed reader with the attached conf.py.
Hardware: i586 => All
Whiteboard: MGA1TOO, MGA2-32-OK => MGA1TOO, MGA2-32-OK mga2-64-OK
Created attachment 2489: ~/.canto/conf.py
These are some random feeds in Atom 1.0, RSS 0.91, RSS 0.92, RSS 1.0 & RSS 2.0.
Testing complete on x86_64 Mageia 1. Used the python command line:

$ python
Python 2.7.1 (r271:86832, Sep 5 2011, 14:50:51)
[GCC 4.5.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import feedparser
>>> d = feedparser.parse('http://danja.typepad.com/fecho/atom.xml')
>>> d = feedparser.parse('http://www.financeinfoline.com/financeinfoline.rss')
>>> d = feedparser.parse('http://www.tapsns.com/blog/index.php/feed/rss/')
>>> d = feedparser.parse('http://www.blogit.com/Blogs/BlogRss.aspx/poetjpb6765')
>>> d = feedparser.parse('http://www.list.co.uk/articles/a-band-called-quinn/articles.xml')

These are the URLs from the canto conf. Canto is not packaged in Mageia 1.
Tested each with d.feed.title, d.feed.link, d.feed.description to check they were read properly.
>>> quit() to exit.
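The advisory in comment #2 names the trigger as an XML ENTITY declaration in a non-ASCII encoded feed, and the test session above hands feed after feed to feedparser.parse. The following is an added example (not code from this bug, from Mageia, or from the feedparser project) of a stdlib-only pre-parse guard that a feed consumer can put in front of any feed library: expat reads the DOCTYPE internal subset while parsing the prolog and decodes the declared encoding itself, so the guard sees an entity declaration in an ISO-8859-1 feed exactly as in a UTF-8 one, and it aborts at the first declaration so nothing is ever expanded. The two feeds are constructed samples, guarded_parse's `parse` argument stands in for feedparser.parse (an assumption; feedparser is not imported), and the code targets Python 3 rather than the Python 2.7 of the session above.

```python
# Added example, not code from the Mageia bug or from the feedparser project.
# Stdlib-only guard: refuse to hand a feed to a parser when the document
# declares XML entities (the trigger class behind CVE-2012-2921).
# Written for Python 3; feedparser itself is not needed to run it.
import xml.parsers.expat


class EntityDeclarationFound(Exception):
    """Raised from the expat handler to stop parsing at the first declaration."""


def has_entity_declaration(data: bytes) -> bool:
    """Return True if the XML document in `data` declares any entity.

    Expat reports internal-subset declarations while reading the prolog,
    before the body is parsed, so a declaration is seen even when the rest
    of the feed is not well-formed. Parsing stops at the first declaration,
    so this function never expands an entity.
    """
    parser = xml.parsers.expat.ParserCreate()  # encoding taken from the document

    def on_entity_decl(entity_name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        raise EntityDeclarationFound(entity_name)

    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(data, True)
    except EntityDeclarationFound:
        return True
    except xml.parsers.expat.ExpatError:
        # Not well-formed and no declaration seen in the prolog: nothing to
        # reject on entity grounds; the downstream feed parser decides.
        return False
    return False


def guarded_parse(data: bytes, parse):
    """Run `parse` (e.g. feedparser.parse; an assumption) only on feeds that
    declare no entities, otherwise raise ValueError."""
    if has_entity_declaration(data):
        raise ValueError("feed declares XML entities; refusing to parse it")
    return parse(data)


# Constructed samples: a benign UTF-8 RSS 2.0 feed and an ISO-8859-1 feed
# that declares one harmless internal entity, enough to exercise the guard.
BENIGN_FEED = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<rss version="2.0"><channel><title>Example</title>'
    '<link>http://example.invalid/</link>'
    '<description>constructed sample</description></channel></rss>\n'
).encode("utf-8")

ENTITY_FEED_LATIN1 = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    '<!DOCTYPE rss [<!ENTITY sample "caf\u00e9">]>\n'
    '<rss version="2.0"><channel><title>&sample;</title></channel></rss>\n'
).encode("iso-8859-1")


def demo():
    """Apply the guard to both samples with a stand-in parser.

    Returns {"benign": "parsed", "entity_latin1": "rejected"}."""
    results = {}
    for name, feed in (("benign", BENIGN_FEED),
                       ("entity_latin1", ENTITY_FEED_LATIN1)):
        try:
            guarded_parse(feed, parse=lambda raw: len(raw))  # stand-in for feedparser.parse
            results[name] = "parsed"
        except ValueError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Because the check runs on the raw bytes before any feed library sees them, it also works as a regression test for the fixed package: feeds that were rejected by the guard are the ones a patched parser must survive, and feeds that pass it should still yield the same title, link and description as before.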
Whiteboard: MGA1TOO, MGA2-32-OK mga2-64-OK => MGA1TOO, MGA2-32-OK mga2-64-OK mga1-64-OK
Mageia 2 with update-testing enabled: I have a regression issue. The permission of the file top_level.txt is wrong.
rw------- 1 root root 11 jun 21 18:46 /usr/lib/python2.7/site-packages/feedparser-5.1.2-py2.7.egg-info/top_level.txt
CC: (none) => tolhildan_123
All files in that directory are the same, is that a bug? On Mageia 1 /usr/lib/python2.7/site-packages/feedparser-5.1.2-py2.7.egg-info is a file and not a directory.

Mageia 2..
# ll /usr/lib/python2.7/site-packages/feedparser-5.1.2-py2.7.egg-info/
total 156
-rw------- 1 root root 1 Jun 21 17:46 dependency_links.txt
-rw------- 1 root root 1222 Jun 21 17:46 PKG-INFO
-rw------- 1 root root 141396 Jun 21 17:46 SOURCES.txt
-rw------- 1 root root 11 Jun 21 17:46 top_level.txt
Checked Mageia 1 again with the update candidate and it seems it too is the same. In release versions this is not a directory, it is a file. Update candidates install the above directory structure in place of the file.

Mageia 1
# ll /usr/lib/python2.7/site-packages/feedparser-5.1.2-py2.7.egg-info/
total 152
-rw------- 1 root root 1 Jun 21 17:49 dependency_links.txt
-rw------- 1 root root 1222 Jun 21 17:49 PKG-INFO
-rw------- 1 root root 141396 Jun 21 17:49 SOURCES.txt
-rw------- 1 root root 11 Jun 21 17:49 top_level.txt

Mageia 2 in comment 9
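The two comments above report that the update candidate installs the egg-info metadata as a directory of mode 0600 files (and, on Mageia 1, as a directory where the release package had a file). A 0600 file owned by root is unreadable to every non-root Python process, which is the regression that matters to users. As an added example (not part of this bug, of Mageia's QA tooling, or of the feedparser package), here is a Python 3 check that a tester could run against such a path: it reports any file or directory under it that lacks the others-read (and, for directories, others-execute) bits, and flags a file/directory mismatch against what the release version shipped. simulate_regression() recreates the reported layout in a temporary directory with constructed file contents, so it runs without touching site-packages.

```python
# Added example, not code from the Mageia bug or from the feedparser package.
# Checks the regression reported above: metadata under an installed egg-info
# path must be readable by other users, and the path must be the same kind
# (file vs directory) as the release package shipped. Python 3.
import os
import stat
import tempfile


def unreadable_paths(root):
    """Return [(path, octal_mode)] for root and everything beneath it that
    is not readable by other users (files: o+r; directories: o+r and o+x)."""
    problems = []
    entries = [root]
    if os.path.isdir(root):
        for dirpath, dirnames, filenames in os.walk(root):
            entries.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    for path in entries:
        mode = os.stat(path).st_mode
        needed = (stat.S_IROTH | stat.S_IXOTH) if stat.S_ISDIR(mode) else stat.S_IROTH
        if mode & needed != needed:
            problems.append((path, oct(stat.S_IMODE(mode))))
    return problems


def check_egg_info(path, expect_directory):
    """Return a list of human-readable findings for an egg-info path.

    `expect_directory` is what the release package shipped: True if it was
    a directory, False if it was a single file (as reported for Mageia 1)."""
    findings = []
    if not os.path.exists(path):
        return [f"{path}: missing"]
    is_dir = os.path.isdir(path)
    if is_dir != expect_directory:
        findings.append(
            f"{path}: is a {'directory' if is_dir else 'file'}, "
            f"expected a {'directory' if expect_directory else 'file'}")
    for bad_path, mode in unreadable_paths(path):
        findings.append(f"{bad_path}: mode {mode} is not readable by others")
    return findings


def simulate_regression():
    """Recreate the reported layout in a temp dir: the four metadata files
    created 0600 as in the bug's `ll` output, then corrected to 0644.

    Returns (findings_before_fix, findings_with_file_expected, findings_after_fix)."""
    with tempfile.TemporaryDirectory() as tmp:
        egg = os.path.join(tmp, "feedparser-5.1.2-py2.7.egg-info")
        os.mkdir(egg)
        os.chmod(egg, 0o755)
        for name in ("dependency_links.txt", "PKG-INFO", "SOURCES.txt", "top_level.txt"):
            file_path = os.path.join(egg, name)
            with open(file_path, "w") as fh:
                fh.write("feedparser\n")  # constructed content, not the real metadata
            os.chmod(file_path, 0o600)   # the reported wrong permission
        before = check_egg_info(egg, expect_directory=True)
        mismatch = check_egg_info(egg, expect_directory=False)
        for name in os.listdir(egg):
            os.chmod(os.path.join(egg, name), 0o644)  # the corrected permission
        after = check_egg_info(egg, expect_directory=True)
    return before, mismatch, after


if __name__ == "__main__":
    for label, findings in zip(("before", "mismatch", "after"), simulate_regression()):
        print(label, findings or "ok")
```

Run as root against the real path the check uses stat bits rather than os.access, so it reports the 0600 files even though root itself could read them. The file-versus-directory finding is the one worth keeping in the spec review, since the comment that follows in the thread points out that rpm needs special handling when a path changes kind between package versions.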
IIRC, replacing a directory with a file (or maybe the other way around) is dangerous and needs special handling in the SPEC or cpio will choke when upgrading the package. I guess we need to make sure upgrading from the old version works OK.
CC: johnny => (none)
I will take care of the permission problem. Seems that someone disabled the correction I made in the past :(
New version of 5.1.2 is in 1 and 2 updates/testing.
Testing complete on Mageia 1 i586 with the 5.1.2.2 version. Removing the ok whiteboard comments as retesting is needed with the new version. For testing, I used rss2email. I'll test Mageia 2 i586 shortly.
CC: (none) => davidwhodgins
Whiteboard: MGA1TOO, MGA2-32-OK mga2-64-OK mga1-64-OK => MGA1TOO, mga1-32-OK
Testing complete on Mageia 2 i586, again using rss2email.
Whiteboard: MGA1TOO, mga1-32-OK => MGA1TOO, mga1-32-OK, mga2-32-OK
Testing complete on Mageia 1 x86_64 using procedure from comment #7
CC: (none) => stormi
Whiteboard: MGA1TOO, mga1-32-OK, mga2-32-OK => MGA1TOO, mga1-32-OK, mga2-32-OK, mga1-64-OK
Testing complete on Mageia 2 x86_64 using procedure from comment #7. I did notice that the last link didn't have a description. Don't know if that's normal. The rest was OK.
CC: (none) => alien
(In reply to comment #17)
> i did notice that the last link didn't have a description. donno if that's
> normal.

At least it's not a regression, I get the same with the previous version, so I guess that comes from the feed. Thanks for testing.

Update validated. See comment #2 for advisory and package list.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO, mga1-32-OK, mga2-32-OK, mga1-64-OK => MGA1TOO, mga1-32-OK, mga2-32-OK, mga1-64-OK, mga2-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0157
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED