Bug 544228 (CVE-2015-2674)

Summary: dev-python/restkit: does not properly validate TLS (CVE-2015-2674)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: dev-zero, maintainer-needed, mgorny, python, treecleaner
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2015/03/12/9
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---
Deadline: 2020-06-17

Description Agostino Sarubbo gentoo-dev 2015-03-23 14:09:47 UTC
From ${URL} :

Python's Restkit[1][2][3][4] does not properly validate TLS
(see https://github.com/benoitc/restkit/issues/140). It appears to simply use
ssl.wrap_socket from the standard library, which does not do any validation
by default. This can be verified by doing:

    >>> from restkit import request
    >>> r = request("https://tv.eurosport.com/")
    >>> r.body_string()
    '<HTML><HEAD>...'

Can a CVE be assigned for this?


[1] https://github.com/benoitc/restkit
[2] https://pypi.python.org/pypi/restkit
[3] http://restkit.readthedocs.org/en/latest/
[4] https://benoitc.github.io/restkit/index.html
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
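To make the report's point concrete, here is an added example (not restkit's code and not part of the bug report) that rebuilds the client settings ssl.wrap_socket() defaulted to, puts a verifying context built with ssl.create_default_context() beside it, and audits both for the gaps that let any certificate through. The fetch helper and the host name in the __main__ block are hypothetical usage, not something the report ran.

```python
"""Weak TLS client setup (what restkit got from ssl.wrap_socket) vs a verifying one."""
import socket
import ssl


def legacy_wrap_socket_context() -> ssl.SSLContext:
    """Reproduce ssl.wrap_socket() defaults: cert_reqs=CERT_NONE, no hostname match.

    With these settings a self-signed, expired or wrong-host certificate is accepted,
    which is the behaviour the bug report demonstrates.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # the wrap_socket() default
    return ctx


def verifying_context(cafile=None) -> ssl.SSLContext:
    """What an HTTPS client should use: trusted CA store, chain check, hostname match."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def verification_gaps(ctx: ssl.SSLContext) -> list:
    """Audit a context and list the reasons a spoofed server would be accepted."""
    gaps = []
    if ctx.verify_mode == ssl.CERT_NONE:
        gaps.append("verify_mode=CERT_NONE: peer certificate is never validated")
    if not ctx.check_hostname:
        gaps.append("check_hostname=False: certificate is not matched against the host")
    return gaps


def fetch_status_line(host: str, ctx: ssl.SSLContext, timeout: float = 5.0) -> str:
    """Open a TLS connection with the given context and return the HTTP status line.

    With verifying_context() an untrusted certificate raises ssl.SSLCertVerificationError
    instead of returning a body, which is the fix the report asks for.
    """
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return tls.recv(1024).split(b"\r\n", 1)[0].decode(errors="replace")


if __name__ == "__main__":
    for name, ctx in (("wrap_socket defaults", legacy_wrap_socket_context()),
                      ("create_default_context", verifying_context())):
        print(name, "->", verification_gaps(ctx) or "verifies peer and hostname")
    # Hypothetical host; requires network access.
    # print(fetch_status_line("example.invalid", verifying_context()))
```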
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-06 18:19:14 UTC
From:

https://security-tracker.debian.org/tracker/CVE-2015-2674

Bug still open and no sign from upstream.
Comment 2 Tiziano Müller (RETIRED) gentoo-dev 2018-11-27 13:09:29 UTC
There are only 2 packages left which require restkit for testing on Python 2:

  dev-python/wsgiproxy2
  dev-python/pyquery

Both projects actually dropped restkit usage some releases ago, and the deps seem to be only a leftover now.

My plan would be to:

1. version bump wsgiproxy2 to 0.4.5 without the restkit dep and stabilize in 30 days, drop old versions
2. rev-bump of pyquery and stabilize in 30 days, drop old versions
3. last-rite restkit

Since the deps on restkit in wsgiproxy2 and pyquery are actually leftovers and unused, we could also drop them without a rev-bump.
CC'ing Python team for decision
Comment 3 Larry the Git Cow gentoo-dev 2019-08-17 17:23:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d4fce0fe207f668359330bc6471b4edcc9bf65e3

commit d4fce0fe207f668359330bc6471b4edcc9bf65e3
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-08-17 17:23:16 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-08-17 17:23:44 +0000

    profiles/package.mask: mask dev-python/restkit
    
    Bug: https://bugs.gentoo.org/544228
    
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2019-08-17 20:02:11 UTC
Reverted due to being a test dep for a couple of packages.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-11-29 09:13:34 UTC
This package is now maintainer-needed.
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-26 03:47:06 UTC
Does this still have any revdeps? It seems not to me.

If that's the case, can we kill this?
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2020-05-02 02:35:09 UTC
(In reply to Sam James (sec padawan) from comment #6)
> Does this still have any revdeps? It seems not to me.
> 
> If that's the case, can we kill this?

Yes, unfortunately, it does have some packages which depend on it for tests.

 * These packages depend on dev-python/restkit:
dev-python/pyquery-1.4.1 (python_targets_python2_7 ? dev-python/restkit[python_targets_python2_7(-)?,-python_single_target_python2_7(-)])
dev-python/wsgiproxy2-0.4.6 (python_targets_python2_7 ? dev-python/restkit[python_targets_python2_7(-)?,-python_single_target_python2_7(-)])
Comment 8 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-05-18 10:54:27 UTC
Ok, it turns out that all revdeps have dropped restkit support before the current Gentoo versions, and nobody updated the deps in ebuild.
Comment 9 Larry the Git Cow gentoo-dev 2020-05-18 10:57:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=288b4f318d94fe1a7c553a575afa5ba4b47739b4

commit 288b4f318d94fe1a7c553a575afa5ba4b47739b4
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-05-18 10:55:12 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-05-18 10:57:05 +0000

    package.mask: Last rite dev-python/restkit
    
    Bug: https://bugs.gentoo.org/544228
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 10 Larry the Git Cow gentoo-dev 2020-06-20 04:48:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=157b2f4a82f1caa549c77eb070a1f2eae0c69811

commit 157b2f4a82f1caa549c77eb070a1f2eae0c69811
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-20 04:48:01 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-20 04:48:01 +0000

    dev-python/restkit: drop last-rited pkg
    
    Bug: https://bugs.gentoo.org/544228
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-python/restkit/Manifest             |  1 -
 dev-python/restkit/files/setup.patch    | 23 --------------
 dev-python/restkit/metadata.xml         | 12 -------
 dev-python/restkit/restkit-4.2.2.ebuild | 55 ---------------------------------
 profiles/package.mask                   |  6 ----
 5 files changed, 97 deletions(-)