Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 791565 - <sys-process/glances-3.1.7: unsafe XML parsing
Summary: <sys-process/glances-3.1.7: unsafe XML parsing
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://github.com/nicolargo/glances/...
Whiteboard: B2 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-23 02:50 UTC by John Helmert III
Modified: 2024-02-26 12:08 UTC (History)
1 user (show)

See Also:
Package list:
sys-process/glances-3.2.1
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-23 02:50:45 UTC 
Issue includes Bandit output:


        Issue: [B411:blacklist] Using Fault to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities.
        Severity: High Confidence: High
        Location: glances/compat.py:91
        90 from SimpleXMLRPCServer import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer
        91 from xmlrpclib import Fault, ProtocolError, ServerProxy, Transport
        92 from urllib2 import urlopen, URLError


Fix in 3.1.7, please bump.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-12 03:12:04 UTC 
Thank you!
Comment 3 NATTkA bot gentoo-dev 2021-07-10 07:44:27 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-10 12:24:37 UTC Comment hidden (obsolete)
Comment 5 Agostino Sarubbo gentoo-dev 2021-07-11 08:58:44 UTC 
amd64 stable
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-11 20:51:58 UTC 
x86 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-12 21:56:08 UTC 
arm64 done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-13 04:01:51 UTC 
arm done
Comment 9 Georgy Yakovlev archtester gentoo-dev 2021-07-13 05:52:31 UTC 
ppc64 done, last arch
Comment 10 Larry the Git Cow gentoo-dev 2021-07-13 05:52:59 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9924df5a5674be8968875b806ad309d3662df0b5

commit 9924df5a5674be8968875b806ad309d3662df0b5
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-07-13 05:52:29 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-07-13 05:52:29 +0000

    sys-process/glances: drop 3.1.6.2
    
    Bug: https://bugs.gentoo.org/791565
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 sys-process/glances/Manifest               |  1 -
 sys-process/glances/glances-3.1.6.2.ebuild | 87 ------------------------------
 2 files changed, 88 deletions(-)
Comment 11 NATTkA bot gentoo-dev 2021-12-21 03:52:53 UTC 
Unable to check for sanity:

> no match for package: sys-process/glances-3.2.1
Comment 12 Georgy Yakovlev archtester gentoo-dev 2021-12-21 04:18:06 UTC 
cleanup done.
Comment 13 Larry the Git Cow gentoo-dev 2024-02-26 12:07:42 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=b1cfcda7a8b39747e2e84f98c62aa12c3804f4e9

commit b1cfcda7a8b39747e2e84f98c62aa12c3804f4e9
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-26 12:07:09 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-02-26 12:07:31 +0000

    [ GLSA 202402-30 ] Glances: Arbitrary Code Execution
    
    Bug: https://bugs.gentoo.org/791565
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202402-30.xml | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)