Bug 6510 - python-feedparser new security issue CVE-2012-2921
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Platform: All Linux
Priority: Normal  Severity: normal
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/498401/
Whiteboard: MGA1TOO, mga1-32-OK, mga2-32-OK, mga1...
Keywords: validated_update
Reported: 2012-06-19 14:13 CEST by David Walser
Modified: 2012-07-10 14:06 CEST (History)
Source RPM: python-feedparser-5.0.1-2.mga2

Attachments
~/.canto/conf.py (343 bytes, text/x-python), 2012-06-24 13:19 CEST, claire robinson
Description David Walser 2012-06-19 14:13:19 CEST
Ubuntu has issued an advisory on May 22:
http://www.ubuntu.com/usn/usn-1449-1/

Fedora has also issued an advisory on May 24:
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081655.html

More info is available here:
http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2921.html

The issue is fixed upstream in 5.1.2.
Comment 1 Philippe Makowski 2012-06-21 18:50:09 CEST
5.1.2 is in 1 and 2 updates/testing
Comment 2 David Walser 2012-06-21 19:54:39 CEST
Thanks Philippe.

Advisory:
========================

Updated python-feedparser package fixes security vulnerability:

Universal Feed Parser (aka feedparser or python-feedparser) before
5.1.2 allows remote attackers to cause a denial of service (memory
consumption) via a crafted XML ENTITY declaration in a non-ASCII
encoded document (CVE-2012-2921).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2921
http://www.ubuntu.com/usn/usn-1449-1/
========================

Updated packages in core/updates_testing:
========================
python-feedparser-5.1.2-1.mga1
python-feedparser-5.1.2-1.mga2

from SRPMS:
python-feedparser-5.1.2-1.mga1.src.rpm
python-feedparser-5.1.2-1.mga2.src.rpm
Comment 3 user7 2012-06-23 17:05:58 CEST
Testing on MGA2, i586.
Comment 4 user7 2012-06-23 17:24:37 CEST
Testing complete on MGA2, i586. I parsed several RSS (0.91, 1.0, 2.0) and Atom Feeds and encountered no problem whatsoever.
Comment 5 claire robinson 2012-06-24 13:16:38 CEST
Testing complete x86_64 Mageia 2

Used canto cli feed reader with the attached conf.py
Comment 6 claire robinson 2012-06-24 13:19:14 CEST
Created attachment 2489 [details]
~/.canto/conf.py

These are some random feeds in Atom 1.0, RSS 0.91, RSS 0.92, RSS 1.0 & RSS 2.0
Comment 7 claire robinson 2012-06-24 13:57:15 CEST
Testing complete x86_64 Mageia 1

Used python command line

$ python
Python 2.7.1 (r271:86832, Sep  5 2011, 14:50:51) 
[GCC 4.5.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import feedparser
>>> d = feedparser.parse('http://danja.typepad.com/fecho/atom.xml')
>>> d = feedparser.parse('http://www.financeinfoline.com/financeinfoline.rss')
>>> d = feedparser.parse('http://www.tapsns.com/blog/index.php/feed/rss/')
>>> d = feedparser.parse('http://www.blogit.com/Blogs/BlogRss.aspx/poetjpb6765')
>>> d = feedparser.parse('http://www.list.co.uk/articles/a-band-called-quinn/articles.xml')

These are the URLs from the canto conf. Canto is not packaged in Mageia 1.

Testing each with d.feed.title, d.feed.link, d.feed.description to check they were read properly.

>>> quit()

to exit.
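The advisory in comment 2 describes the bug as memory exhaustion caused by a crafted ENTITY declaration in a non-ASCII encoded document, and comment 7 checks the title, link and description of each parsed feed by hand. The following stdlib-only Python is an added example, not code from this bug, from Mageia or from feedparser: it puts a pre-parse guard in front of a feed reader that works out the document's real encoding from its BOM or XML declaration, refuses anything that declares an XML entity or exceeds a size budget, and then repeats the comment 7 field check on constructed sample feeds. The MAX_FEED_BYTES budget, the sample documents and the feed.example URLs are assumptions made for the demo.

```python
"""Pre-parse guard for feeds (stdlib only, feedparser not needed): refuse a
document that exceeds a size budget or declares an XML entity, after working
out its real encoding so a UTF-16 document cannot hide the declaration from a
byte-level search. All sample documents below are constructed."""
import codecs
import re
import xml.etree.ElementTree as ET

MAX_FEED_BYTES = 2 * 1024 * 1024  # assumed budget, tune per deployment
# Byte order marks, longest first so UTF-32-LE is not taken for UTF-16-LE.
_BOMS = ((codecs.BOM_UTF32_LE, "utf-32-le"), (codecs.BOM_UTF32_BE, "utf-32-be"),
         (codecs.BOM_UTF8, "utf-8"), (codecs.BOM_UTF16_LE, "utf-16-le"),
         (codecs.BOM_UTF16_BE, "utf-16-be"))
_XML_DECL_RE = re.compile(r'^<\?xml[^>]*encoding=["\']([A-Za-z0-9._-]+)["\']')
# Only entity declarations are refused: RSS 0.91 legitimately carries a
# DOCTYPE with a public identifier, and expat does not fetch external DTDs.
_ENTITY_RE = re.compile(r"<!ENTITY\b")
_ATOM = "{http://www.w3.org/2005/Atom}"


def detect_encoding(data):
    """Return the codec the document should be decoded with."""
    for bom, enc in _BOMS:
        if data.startswith(bom):
            return enc
    # No BOM: UTF-16 still shows itself through the NUL bytes around "<?".
    if data.startswith(b"\x00<\x00?"):
        guess = "utf-16-be"
    elif data.startswith(b"<\x00?\x00"):
        guess = "utf-16-le"
    else:
        guess = "utf-8"
    m = _XML_DECL_RE.match(data[:512].decode(guess, errors="replace"))
    # A declared "utf-16"/"utf-32" names no byte order, so keep the one read
    # off the bytes; any other declared codec wins if Python knows it.
    if m and not m.group(1).lower().startswith(("utf-16", "utf-32")):
        try:
            return codecs.lookup(m.group(1)).name
        except LookupError:
            pass
    return guess


def check_feed(data, max_bytes=MAX_FEED_BYTES):
    """Return (accepted, reason); parse the bytes only when accepted is True."""
    if len(data) > max_bytes:
        return False, "document exceeds %d bytes" % max_bytes
    enc = detect_encoding(data)
    try:
        text = data.decode(enc)
    except UnicodeDecodeError:
        return False, "document is not valid %s" % enc
    if _ENTITY_RE.search(text):
        return False, "document declares an XML entity (%s encoded)" % enc
    return True, "ok (%s encoded, %d bytes)" % (enc, len(data))


def naive_bytes_check(data):
    """ASCII-only byte search, kept only to show what it misses on UTF-16."""
    return b"<!ENTITY" in data


def feed_summary(data):
    """The manual check from comment 7 (title, link, description), done with
    the stdlib parser on a document that passed check_feed()."""
    accepted, reason = check_feed(data)
    if not accepted:
        raise ValueError(reason)
    root = ET.fromstring(data)
    if root.tag == "rss":
        ch = root.find("channel")
        return {"title": ch.findtext("title"), "link": ch.findtext("link"),
                "description": ch.findtext("description")}
    if root.tag == _ATOM + "feed":
        link = root.find(_ATOM + "link")
        return {"title": root.findtext(_ATOM + "title"),
                "link": link.get("href") if link is not None else None,
                "description": root.findtext(_ATOM + "subtitle")}
    raise ValueError("unrecognised feed root element %r" % root.tag)


# Constructed samples. RSS 0.91 with its usual DOCTYPE must stay accepted.
RSS091_UTF8 = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<!DOCTYPE rss PUBLIC "-//Netscape Communications//DTD RSS 0.91//EN"\n'
    ' "http://my.netscape.com/publish/formats/rss-0.91.dtd">\n'
    '<rss version="0.91"><channel><title>Example RSS</title>'
    '<link>http://feed.example/rss</link>'
    '<description>Constructed RSS 0.91 sample</description>'
    '</channel></rss>').encode("utf-8")
ATOM_UTF8 = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<feed xmlns="http://www.w3.org/2005/Atom"><title>Example Atom</title>'
    '<subtitle>Constructed Atom 1.0 sample</subtitle>'
    '<link href="http://feed.example/atom"/></feed>').encode("utf-8")
# One harmless internal entity declaration, UTF-16 with BOM: a byte search for
# b"<!ENTITY" sees nothing because of the interleaved NUL bytes.
ENTITY_UTF16 = codecs.BOM_UTF16_LE + (
    '<?xml version="1.0" encoding="utf-16"?>\n'
    '<!DOCTYPE rss [<!ENTITY site "feed.example">]>\n'
    '<rss version="2.0"><channel><title>&site;</title></channel></rss>'
).encode("utf-16-le")
```

Decoding before scanning is the whole point: a filter that only looks for the ASCII bytes of `<!ENTITY` passes the UTF-16 sample untouched, as `naive_bytes_check` shows, while `check_feed` rejects it and still accepts the RSS 0.91 document with its public DOCTYPE. Run `check_feed` on the raw bytes before calling `feedparser.parse`, and keep the size budget even after the fixed package is installed.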
Comment 8 Tolhildan Karker 2012-06-25 18:43:15 CEST
On Mageia 2 with update-testing enabled I have a regression issue. The permission of the file top_level.txt is wrong.

rw------- 1 root root 11 jun 21 18:46 /usr/lib/python2.7/site-packages/feedparser-5.1.2-py2.7.egg-info/top_level.txt
Comment 9 claire robinson 2012-06-26 12:36:22 CEST
All files in that directory are the same; is that a bug?

On Mageia 1 /usr/lib/python2.7/site-packages/feedparser-5.1.2-py2.7.egg-info is a file and not a directory.

Mageia 2..

# ll /usr/lib/python2.7/site-packages/feedparser-5.1.2-py2.7.egg-info/
total 156
-rw------- 1 root root      1 Jun 21 17:46 dependency_links.txt
-rw------- 1 root root   1222 Jun 21 17:46 PKG-INFO
-rw------- 1 root root 141396 Jun 21 17:46 SOURCES.txt
-rw------- 1 root root     11 Jun 21 17:46 top_level.txt
Comment 10 claire robinson 2012-06-26 12:43:52 CEST
Checked Mageia 1 again with update candidate and it seems it too is the same.

In release versions this is not a directory, it is a file. Update candidates install the above directory structure in place of the file.

Mageia 1

# ll /usr/lib/python2.7/site-packages/feedparser-5.1.2-py2.7.egg-info/
total 152
-rw------- 1 root root      1 Jun 21 17:49 dependency_links.txt
-rw------- 1 root root   1222 Jun 21 17:49 PKG-INFO
-rw------- 1 root root 141396 Jun 21 17:49 SOURCES.txt
-rw------- 1 root root     11 Jun 21 17:49 top_level.txt

Mageia 2 in comment 9
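Comments 8 to 10 found two packaging regressions in the update candidate: egg-info files installed with mode 0600, so non-root users cannot read them, and an egg-info path that is a directory in the candidate but a file in the release package, which comment 11 warns needs special handling on upgrade. The following Python is an added example of a QA check for both, not a script from this bug or from Mageia; it walks a site-packages tree for entries that lack the other-read bit and compares what kind of filesystem object the egg-info path is. The trees it inspects are constructed in a temporary directory and the file modes mirror the listing in comment 9.

```python
"""Packaging QA check for the regressions in comments 8 to 11: package
metadata under site-packages that is not world-readable, and an egg-info
path that is a file in one version and a directory in another.
Stdlib only; the trees below are constructed in a temporary directory."""
import os
import stat
import tempfile

EGG = "feedparser-5.1.2-py2.7.egg-info"  # name taken from the listing in comment 9


def unreadable_by_others(root):
    """Relative paths under root whose mode lacks the other-read bit; any
    entry listed here is the permission regression reported in comment 8."""
    bad = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.stat(path).st_mode & stat.S_IROTH:
                bad.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(bad)


def egg_info_kind(site_packages, name):
    """'file', 'dir' or 'missing': compare the release install with the
    update candidate before pushing, since swapping one kind for the other
    needs special handling in the package (comment 11)."""
    path = os.path.join(site_packages, name)
    if os.path.isdir(path):
        return "dir"
    if os.path.isfile(path):
        return "file"
    return "missing"


def build_demo_tree(as_directory):
    """Constructed site-packages tree: either the update-candidate layout
    (egg-info directory holding 0600 files, as in comment 9) or a
    release-style single egg-info file."""
    root = tempfile.mkdtemp()
    egg = os.path.join(root, EGG)
    if as_directory:
        os.mkdir(egg)
        os.chmod(egg, 0o755)
        for name, mode in (("PKG-INFO", 0o600), ("SOURCES.txt", 0o644),
                           ("top_level.txt", 0o600)):
            path = os.path.join(egg, name)
            with open(path, "w") as fh:
                fh.write("feedparser\n")
            os.chmod(path, mode)
    else:
        with open(egg, "w") as fh:
            fh.write("Metadata-Version: 1.0\n")
        os.chmod(egg, 0o644)
    return root
```

Point `unreadable_by_others` at the real `/usr/lib/python2.7/site-packages` of a test install to get the list the testers produced by hand with `ll`, and run `egg_info_kind` against both the release and the candidate install to catch the file-versus-directory change before the update is validated.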
Comment 11 David Walser 2012-06-26 13:49:18 CEST
IIRC, replacing a directory with a file (or maybe the other way around) is dangerous and needs special handling in the SPEC or cpio will choke when upgrading the package.  I guess we need to make sure upgrading from the old version works OK.
Comment 12 Philippe Makowski 2012-06-27 18:42:50 CEST
I will take care of the permission problem.
Seems that someone disabled the correction I made in the past :(
Comment 13 Philippe Makowski 2012-06-27 19:03:32 CEST
New version of 5.1.2 is in 1 and 2 updates/testing
Comment 14 Dave Hodgins 2012-07-04 03:06:29 CEST
Testing complete on Mageia 1 i586 with the 5.1.2.2 version.

Removing the ok whiteboard comments as retesting is needed with the
new version.

For testing, I used rss2email.

I'll test Mageia 2 i586 shortly.
Comment 15 Dave Hodgins 2012-07-04 03:20:23 CEST
Testing complete on Mageia 2 i586, again using rss2email.
Comment 16 Samuel Verschelde 2012-07-08 15:26:36 CEST
Testing complete on Mageia 1 x86_64 using procedure from comment #7
Comment 17 AL13N 2012-07-09 22:25:42 CEST
Testing complete on Mageia 2 x86_64 using procedure from comment #7

I did notice that the last link didn't have a description. Dunno if that's normal.

The rest was OK.
Comment 18 Samuel Verschelde 2012-07-09 22:54:22 CEST
(In reply to comment #17)
> i did notice that the last link didn't have a description. donno if that's
> normal.

at least it's not a regression, I get the same with the previous version, so I guess that comes from the feed. Thanks for testing.

Update validated.

See comment #2 for advisory and package list.
Comment 19 Thomas Backlund 2012-07-10 14:06:01 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0157
