
Bug#749368: wheezy-pu: package suds/0.4.1-5+deb7u1 Bugs #749073 + #714340



Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-CC: maintainers@debian.tryton.org

Dear release managers,

Somehow the original fix for CVE-2013-2217 never got into wheezy. This patch
fixes the CVE.

I would like to upload suds_0.4.1-5+deb7u1 with this patch backported from

 https://bitbucket.org/jurko/suds/issue/15/insecure-temporary-directory-use
 https://bitbucket.org/jurko/suds/commits/3126ac3a406c37f9982f01ad0ca4ed42cf9a47cb
 https://bitbucket.org/jurko/suds/commits/aee4b2f0318f4b4545a1da826149edaa2c047460

Debdiff attached.

Regards,
Mathias

-- 

    Mathias Behrle
    PGP/GnuPG key available from any keyserver, ID: 0x8405BBF6
diff -Nru suds-0.4.1/debian/changelog suds-0.4.1/debian/changelog
--- suds-0.4.1/debian/changelog	2012-06-30 17:22:50.000000000 +0200
+++ suds-0.4.1/debian/changelog	2014-05-26 16:56:49.000000000 +0200
@@ -1,3 +1,12 @@
+suds (0.4.1-5+deb7u1) stable; urgency=medium
+
+  * Adding 02-fix-unsecure-cache-path.patch for CVE-2013-2217.
+    This patch fixes the unsecure creation of cache paths and
+    removes the cache directory on exit of the calling program.
+    Relates to #714340 and #749073.
+
+ -- Mathias Behrle <mathiasb@m9s.biz>  Mon, 26 May 2014 16:52:21 +0200
+
 suds (0.4.1-5) unstable; urgency=low
 
   [ Mathias Behrle ]
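Review bot: `Relates to #714340 and #749073.` does not close either bug in the BTS; if this upload is meant to fix them in wheezy, use the `Closes: #714340, #749073` form so they are marked done when the upload is accepted. Also `unsecure` (twice here, and in the patch filename) should read `insecure`.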
diff -Nru suds-0.4.1/debian/patches/02-fix-unsecure-cache-path.patch suds-0.4.1/debian/patches/02-fix-unsecure-cache-path.patch
--- suds-0.4.1/debian/patches/02-fix-unsecure-cache-path.patch	1970-01-01 01:00:00.000000000 +0100
+++ suds-0.4.1/debian/patches/02-fix-unsecure-cache-path.patch	2014-05-26 14:28:52.000000000 +0200
@@ -0,0 +1,91 @@
+Author: Jurko GospodnetiÄ?
+Description: Fix for CVE-2013-2217:
+ Use secure temporary directory creation when initializing
+ file-based URL cache.
+
+ This patch is taken from the suds-jurko fork of suds at
+ https://bitbucket.org/jurko/suds. It removes the cache
+ files on exit of the calling program.
+
+ References:
+ https://bitbucket.org/jurko/suds/issue/15/insecure-temporary-directory-use
+ https://bitbucket.org/jurko/suds/commits/3126ac3a406c37f9982f01ad0ca4ed42cf9a47cb
+ https://bitbucket.org/jurko/suds/commits/aee4b2f0318f4b4545a1da826149edaa2c047460
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=978696
+Bug-Debian: http://bugs.debian.org/714340
+Forwarded: https://bugzilla.redhat.com/show_bug.cgi?id=978696#c14
+--- suds.orig/suds/cache.py	2014-05-26 14:28:47.950557418 +0200
++++ suds/suds/cache.py	2014-05-26 14:28:47.946557554 +0200
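Review bot: the `Author:` line is mis-encoded (`GospodnetiÄ?`); it should carry the UTF-8 name Jurko Gospodnetić. `Forwarded:` is meant for where a Debian patch was sent upstream, but this patch was taken from upstream's own fork, so the DEP-3 field `Origin: upstream, https://bitbucket.org/jurko/suds/commits/3126ac3a406c37f9982f01ad0ca4ed42cf9a47cb` describes its provenance better than the Red Hat bugzilla comment.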
+@@ -19,6 +19,8 @@
+ """
+ 
+ import os
++import tempfile
++import shutil
+ import suds
+ from tempfile import gettempdir as tmp
+ from suds.transport import *
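Review bot: `from tempfile import gettempdir as tmp` loses its only visible caller when `os.path.join(tmp(), 'suds')` is replaced in the next hunk; if nothing else in cache.py uses `tmp`, drop that import here, otherwise the new local `tmp = tempfile.mkdtemp(...)` in `__get_default_location` shadows it and reads confusingly.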
+@@ -127,7 +129,9 @@
+     """
+     fnprefix = 'suds'
+     units = ('months', 'weeks', 'days', 'hours', 'minutes', 'seconds')
+-    
++
++    __default_location = None
++
+     def __init__(self, location=None, **duration):
+         """
+         @param location: The directory for the cached files.
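Review bot: this hunk and the three after it mix whitespace-only deletions such as `-    ` / `+` with the functional change; for a stable update keep the patch to the CVE fix alone so the debdiff is easy to audit. The class attribute `__default_location = None` itself is fine: name mangling makes `FileCache.__default_location` inside the static methods resolve to the same `_FileCache__default_location`.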
+@@ -138,12 +142,12 @@
+         @type duration: {unit:value}
+         """
+         if location is None:
+-            location = os.path.join(tmp(), 'suds')
++            location = self.__get_default_location()
+         self.location = location
+         self.duration = (None, 0)
+         self.setduration(**duration)
+         self.checkversion()
+-        
++
+     def fnsuffix(self):
+         """
+         Get the file name suffix
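Review bot: the `@param location` docstring still describes the old behaviour; with `self.__get_default_location()` the default is now a fresh per-process `mkdtemp` directory that is deleted at interpreter exit, so callers that relied on `/tmp/suds` persisting across runs lose caching unless they pass `location` explicitly. State that in the docstring, since it is a behaviour change shipped to stable.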
+@@ -175,7 +179,20 @@
+         @type location: str
+         """
+         self.location = location
+-            
++
++    @staticmethod
++    def __get_default_location():
++        """
++        Returns the current process's default cache location folder.
++        The folder is determined lazily on first call.
++        """
++        if not FileCache.__default_location:
++            tmp = tempfile.mkdtemp("suds-default-cache")
++            FileCache.__default_location = tmp
++            import atexit
++            atexit.register(FileCache.__remove_default_location)
++        return FileCache.__default_location
++
+     def mktmp(self):
+         """
+         Make the I{location} directory if it doesn't already exits.
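Review bot: `tempfile.mkdtemp("suds-default-cache")` passes the string as `suffix` (the first positional parameter), producing names like `tmpXXXXXXsuds-default-cache`; use `tempfile.mkdtemp(prefix="suds-default-cache-")` for the intended naming. The security property itself holds: `mkdtemp` picks an unpredictable name, creates the directory with mode 0700 and never reuses an existing path, which is what removes the predictable `os.path.join(tmp(), 'suds')` problem. Two smaller points: move `import atexit` up to the module imports next to `tempfile` and `shutil`, and note that the lazy initialization is not locked, so two threads constructing `FileCache()` concurrently can each call `mkdtemp` and only the directory that wins the assignment is removed at exit.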
+@@ -186,7 +203,14 @@
+         except:
+             log.debug(self.location, exc_info=1)
+         return self
+-    
++
++    @staticmethod
++    def __remove_default_location():
++        """
++        Removes the default cache location folder.
++        """
++        shutil.rmtree(FileCache.__default_location, ignore_errors=True)
++
+     def put(self, id, bfr):
+         try:
+             fn = self.__fn(id)
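Review bot: `shutil.rmtree(FileCache.__default_location, ignore_errors=True)` silently discards any cleanup failure, leaving the directory behind without a trace; since `mktmp` already logs with `log.debug(self.location, exc_info=1)`, pass an `onerror` callback that logs the same way instead of `ignore_errors=True`.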
diff -Nru suds-0.4.1/debian/patches/series suds-0.4.1/debian/patches/series
--- suds-0.4.1/debian/patches/series	2012-06-30 16:44:34.000000000 +0200
+++ suds-0.4.1/debian/patches/series	2014-05-26 14:08:25.000000000 +0200
@@ -1 +1,2 @@
 01-remove-makefile
+02-fix-unsecure-cache-path.patch
