
Bug 791565

Summary: <sys-process/glances-3.1.7: unsafe XML parsing
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: gyakovlev
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/nicolargo/glances/issues/1025
Whiteboard: B2 [glsa+]
Package list: sys-process/glances-3.2.1
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-23 02:50:45 UTC
Issue includes Bandit output:


        Issue: [B411:blacklist] Using Fault to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities.
        Severity: High Confidence: High
        Location: glances/compat.py:91
        90 from SimpleXMLRPCServer import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer
        91 from xmlrpclib import Fault, ProtocolError, ServerProxy, Transport
        92 from urllib2 import urlopen, URLError


Fix in 3.1.7, please bump.
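The Bandit finding above is about xmlrpclib's response parsing: the stock ExpatParser behind Fault/ServerProxy expands DTD entities, so an XML-RPC peer can feed it an entity-expansion payload (billion laughs) or an external entity reference. The mitigation Bandit names, defusedxml's monkey_patch(), swaps in an expat parser that refuses those constructs. The following is an added example, not code from Glances, Gentoo or defusedxml: it reimplements that hardening with the standard library only, so it runs without defusedxml installed, and contrasts it with the stock xmlrpc.client.loads on a constructed two-level entity payload. DefusedExpatParser, defused_loads and the sample messages are hypothetical names and constructed data.

```python
# Added example: stdlib-only hardening of xmlrpc.client parsing, the same
# approach defusedxml.xmlrpc.monkey_patch() takes (not the library's code).
import xmlrpc.client


class UnsafeXmlRpcPayload(ValueError):
    """Raised when an XML-RPC message carries a DOCTYPE or entity construct."""


class DefusedExpatParser(xmlrpc.client.ExpatParser):
    """xmlrpc.client.ExpatParser that aborts on DTD and entity declarations."""

    def __init__(self, target):
        super().__init__(target)
        parser = self._parser
        # A well-formed XML-RPC message never needs a DTD. Any of these
        # constructs means entity expansion or an external entity fetch, so
        # abort before expat expands anything.
        parser.StartDoctypeDeclHandler = self._forbid("DOCTYPE")
        parser.EntityDeclHandler = self._forbid("entity declaration")
        parser.UnparsedEntityDeclHandler = self._forbid("unparsed entity")
        parser.ExternalEntityRefHandler = self._forbid("external entity reference")

    @staticmethod
    def _forbid(what):
        def handler(*_args):
            raise UnsafeXmlRpcPayload(f"XML-RPC payload contains a {what}")
        return handler


def defused_loads(data, use_datetime=False, use_builtin_types=False):
    """Drop-in for xmlrpc.client.loads: returns (params, methodname).

    Fault responses still raise xmlrpc.client.Fault, as with loads; a payload
    carrying a DTD raises UnsafeXmlRpcPayload before any entity is expanded.
    """
    target = xmlrpc.client.Unmarshaller(use_datetime=use_datetime,
                                        use_builtin_types=use_builtin_types)
    parser = DefusedExpatParser(target)
    parser.feed(data)
    parser.close()
    return target.close(), target.getmethodname()


# Constructed sample messages (not captured from any real server).
CLEAN_RESPONSE = b"""<?xml version="1.0"?>
<methodResponse><params>
  <param><value><string>glances</string></value></param>
  <param><value><int>3</int></value></param>
</params></methodResponse>"""

FAULT_RESPONSE = b"""<?xml version="1.0"?>
<methodResponse><fault><value><struct>
  <member><name>faultCode</name><value><int>4</int></value></member>
  <member><name>faultString</name><value><string>Too many parameters.</string></value></member>
</struct></value></fault></methodResponse>"""

# Two-level internal entity expansion: 10 x 10 bytes = 100 bytes of output
# from a single "&b;" reference. A real billion-laughs payload nests this
# ten levels deep and reaches gigabytes.
ENTITY_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE methodResponse [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<methodResponse><params>
  <param><value><string>&b;</string></value></param>
</params></methodResponse>"""


def stdlib_expanded_length(data=ENTITY_PAYLOAD):
    """What the stock parser does: expands the entities and hands back the text."""
    params, _ = xmlrpc.client.loads(data)
    return len(params[0])


def defused_rejects(data=ENTITY_PAYLOAD):
    """True if the hardened parser refused the payload instead of expanding it."""
    try:
        defused_loads(data)
    except UnsafeXmlRpcPayload:
        return True
    return False


def defused_fault_code(data=FAULT_RESPONSE):
    """Fault responses surface as xmlrpc.client.Fault, exactly like loads()."""
    try:
        defused_loads(data)
    except xmlrpc.client.Fault as fault:
        return fault.faultCode
    return None


if __name__ == "__main__":
    print("stock xmlrpc.client expanded the payload to", stdlib_expanded_length(), "bytes")
    print("hardened parser rejected the payload:", defused_rejects())
    print("clean response:", defused_loads(CLEAN_RESPONSE))
    print("fault code from fault response:", defused_fault_code())
```

In a real deployment the equivalent of this class has to be installed wherever xmlrpc.client builds its parser (defusedxml does it by replacing xmlrpc.client.ExpatParser and capping MAX_DATA); refusing the DOCTYPE alone is sufficient, the entity handlers are belt and braces.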
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-12 03:12:04 UTC
Thank you!
Comment 3 NATTkA bot gentoo-dev 2021-07-10 07:44:27 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-10 12:24:37 UTC Comment hidden (obsolete)
Comment 5 Agostino Sarubbo gentoo-dev 2021-07-11 08:58:44 UTC
amd64 stable
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-11 20:51:58 UTC
x86 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-12 21:56:08 UTC
arm64 done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-13 04:01:51 UTC
arm done
Comment 9 Georgy Yakovlev archtester gentoo-dev 2021-07-13 05:52:31 UTC
ppc64 done, last arch
Comment 10 Larry the Git Cow gentoo-dev 2021-07-13 05:52:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9924df5a5674be8968875b806ad309d3662df0b5

commit 9924df5a5674be8968875b806ad309d3662df0b5
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-07-13 05:52:29 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-07-13 05:52:29 +0000

    sys-process/glances: drop 3.1.6.2
    
    Bug: https://bugs.gentoo.org/791565
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 sys-process/glances/Manifest               |  1 -
 sys-process/glances/glances-3.1.6.2.ebuild | 87 ------------------------------
 2 files changed, 88 deletions(-)
Comment 11 NATTkA bot gentoo-dev 2021-12-21 03:52:53 UTC
Unable to check for sanity:

> no match for package: sys-process/glances-3.2.1
Comment 12 Georgy Yakovlev archtester gentoo-dev 2021-12-21 04:18:06 UTC
cleanup done.
Comment 13 Larry the Git Cow gentoo-dev 2024-02-26 12:07:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=b1cfcda7a8b39747e2e84f98c62aa12c3804f4e9

commit b1cfcda7a8b39747e2e84f98c62aa12c3804f4e9
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-26 12:07:09 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-02-26 12:07:31 +0000

    [ GLSA 202402-30 ] Glances: Arbitrary Code Execution
    
    Bug: https://bugs.gentoo.org/791565
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202402-30.xml | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)