Package: release.debian.org Severity: normal Tags: wheezy User: release.debian.org@packages.debian.org Usertags: pu X-Debbugs-CC: maintainers@debian.tryton.org Dear release managers, somehow the original fix for CVE-2013-2217 never got into wheezy. This patch fixes the CVE. I would like to upload suds_0.4.1-5+deb7u1 with this patch backported from https://bitbucket.org/jurko/suds/issue/15/insecure-temporary-directory-use https://bitbucket.org/jurko/suds/commits/3126ac3a406c37f9982f01ad0ca4ed42cf9a47cb https://bitbucket.org/jurko/suds/commits/aee4b2f0318f4b4545a1da826149edaa2c047460 Debdiff attached. Regards, Mathias -- Mathias Behrle PGP/GnuPG key available from any keyserver, ID: 0x8405BBF6
diff -Nru suds-0.4.1/debian/changelog suds-0.4.1/debian/changelog
--- suds-0.4.1/debian/changelog 2012-06-30 17:22:50.000000000 +0200
+++ suds-0.4.1/debian/changelog 2014-05-26 16:56:49.000000000 +0200
@@ -1,3 +1,12 @@
+suds (0.4.1-5+deb7u1) stable; urgency=medium
+
+  * Adding 02-fix-unsecure-cache-path.patch for CVE-2013-2217.
+    This patch fixes the unsecure creation of cache paths and
+    removes the cache directory on exit of the calling program.
+    Relates to #714340 and #749073.
+
+ -- Mathias Behrle <mathiasb@m9s.biz>  Mon, 26 May 2014 16:52:21 +0200
+
 suds (0.4.1-5) unstable; urgency=low
 
   [ Mathias Behrle ]
diff -Nru suds-0.4.1/debian/patches/02-fix-unsecure-cache-path.patch suds-0.4.1/debian/patches/02-fix-unsecure-cache-path.patch
--- suds-0.4.1/debian/patches/02-fix-unsecure-cache-path.patch 1970-01-01 01:00:00.000000000 +0100
+++ suds-0.4.1/debian/patches/02-fix-unsecure-cache-path.patch 2014-05-26 14:28:52.000000000 +0200
@@ -0,0 +1,91 @@
+Author: Jurko GospodnetiÄ?
+Description: Fix for CVE-2013-2217:
+ Use secure temporary directory creation when initializing
+ file-based URL cache.
+
+ This patch is taken from the suds-jurko fork of suds at
+ https://bitbucket.org/jurko/suds. It removes the cache
+ files on exit of the calling program.
+
+ References:
+ https://bitbucket.org/jurko/suds/issue/15/insecure-temporary-directory-use
+ https://bitbucket.org/jurko/suds/commits/3126ac3a406c37f9982f01ad0ca4ed42cf9a47cb
+ https://bitbucket.org/jurko/suds/commits/aee4b2f0318f4b4545a1da826149edaa2c047460
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=978696
+Bug-Debian: http://bugs.debian.org/714340
+Forwarded: https://bugzilla.redhat.com/show_bug.cgi?id=978696#c14
+--- suds.orig/suds/cache.py 2014-05-26 14:28:47.950557418 +0200
++++ suds/suds/cache.py 2014-05-26 14:28:47.946557554 +0200
+@@ -19,6 +19,8 @@
+ """
+ 
+ import os
++import tempfile
++import shutil
+ import suds
+ from tempfile import gettempdir as tmp
+ from suds.transport import *
+@@ -127,7 +129,9 @@
+     """
+     fnprefix = 'suds'
+     units = ('months', 'weeks', 'days', 'hours', 'minutes', 'seconds')
+-
++
++    __default_location = None
++
+     def __init__(self, location=None, **duration):
+         """
+         @param location: The directory for the cached files.
+@@ -138,12 +142,12 @@
+         @type duration: {unit:value}
+         """
+         if location is None:
+-            location = os.path.join(tmp(), 'suds')
++            location = self.__get_default_location()
+         self.location = location
+         self.duration = (None, 0)
+         self.setduration(**duration)
+         self.checkversion()
+-
++
+     def fnsuffix(self):
+         """
+         Get the file name suffix
+@@ -175,7 +179,20 @@
+         @type location: str
+         """
+         self.location = location
+-
++
++    @staticmethod
++    def __get_default_location():
++        """
++        Returns the current process's default cache location folder.
++        The folder is determined lazily on first call.
++        """
++        if not FileCache.__default_location:
++            tmp = tempfile.mkdtemp("suds-default-cache")
++            FileCache.__default_location = tmp
++            import atexit
++            atexit.register(FileCache.__remove_default_location)
++        return FileCache.__default_location
++
+     def mktmp(self):
+         """
+         Make the I{location} directory if it doesn't already exits.
+@@ -186,7 +203,14 @@
+         except:
+             log.debug(self.location, exc_info=1)
+         return self
+-
++
++    @staticmethod
++    def __remove_default_location():
++        """
++        Removes the default cache location folder.
++        """
++        shutil.rmtree(FileCache.__default_location, ignore_errors=True)
++
+     def put(self, id, bfr):
+         try:
+             fn = self.__fn(id)
diff -Nru suds-0.4.1/debian/patches/series suds-0.4.1/debian/patches/series
--- suds-0.4.1/debian/patches/series 2012-06-30 16:44:34.000000000 +0200
+++ suds-0.4.1/debian/patches/series 2014-05-26 14:08:25.000000000 +0200
@@ -1 +1,2 @@
 01-remove-makefile
+02-fix-unsecure-cache-path.patch
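Review bot: In the added `__get_default_location`, `tempfile.mkdtemp("suds-default-cache")` passes the name as mkdtemp's first positional argument, which is the suffix, so the directory comes out as `tmpXXXXXXsuds-default-cache` rather than with the intended prefix; `tmp = tempfile.mkdtemp(prefix="suds-default-cache")` gives the readable name the code seems to want. This does not weaken the fix: mkdtemp still creates a uniquely named directory accessible only to the creating user, which is what replaces the predictable `os.path.join(tmp(), 'suds')` path for the default location. Two properties of the backport deserve a comment on `__get_default_location` and `__remove_default_location`: the default cache is now per-process and is removed by the atexit hook only on normal interpreter exit, so a killed or crashed process leaves the directory behind and `ignore_errors=True` hides any removal failure; and a caller-supplied `location` bypasses this path entirely and is stored as given by `__init__`, so callers that pass a shared, predictable directory are not covered by this change. The enclosing `FileCache` class header and the bodies of `mktmp` and `put` lie outside the hunk.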