Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 534546 (CVE-2014-3242, CVE-2014-3243) - <dev-python/soappy-0.12.20: XXE and billion laughs vulnerabilities (CVE-2014-{3242,3243})
Summary: <dev-python/soappy-0.12.20: XXE and billion laughs vulnerabilities (CVE-2014-...
Status: RESOLVED FIXED
Alias: CVE-2014-3242, CVE-2014-3243
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-03 23:58 UTC by GLSAMaker/CVETool Bot
Modified: 2017-01-18 10:16 UTC (History)
1 user (show)

See Also:
Package list:
=dev-python/soappy-0.12.22 =dev-python/defusedxml-0.4.1-r1
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 23:58:26 UTC 
CVE-2014-3243 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3243):
  SOAPpy 0.12.5 does not properly detect recursion during entity expansion,
  which allows remote attackers to cause a denial of service (memory and CPU
  consumption) via a crafted SOAP request containing a large number of nested
  entity references.

CVE-2014-3242 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3242):
  SOAPpy 0.12.5 allows remote attackers to read arbitrary files via a SOAP
  request containing an external entity declaration in conjunction with an
  entity reference, related to an XML External Entity (XXE) issue.
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2015-02-03 06:25:37 UTC 
Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

please ping us when this changes
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-01 19:10:44 UTC 
From https://bugzilla.redhat.com/show_bug.cgi?id=1094619#c8:

> This was fixed upstream in 0.12.6, via the following commit:
> 
> https://github.com/kiorky/SOAPpy/commit/a386568
> 
> Note that the fix was changed by the subsequent commit to fix the billion
> laughs issue:
> 
> https://github.com/kiorky/SOAPpy/commit/64125a2

$ git tag --contains 64125a2 | sort
0.12.20



@ Arches,

please test and mark stable: =dev-python/soappy-0.12.22
Comment 3 Agostino Sarubbo gentoo-dev 2016-12-02 10:59:11 UTC 
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-12-02 10:59:38 UTC 
x86 stable
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2016-12-02 14:21:51 UTC 
Stable on alpha.
Comment 6 Markus Meier gentoo-dev 2016-12-17 15:20:17 UTC 
arm stable
Comment 7 Stabilization helper bot gentoo-dev 2017-01-04 07:17:42 UTC 
An automated check of this bug failed - repoman reported dependency errors (67 lines truncated): 

> dependency.bad dev-python/soappy/soappy-0.12.22.ebuild: DEPEND: ia64(default/linux/ia64/13.0) ['dev-python/defusedxml[python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
> dependency.bad dev-python/soappy/soappy-0.12.22.ebuild: RDEPEND: ia64(default/linux/ia64/13.0) ['dev-python/defusedxml[python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
> dependency.bad dev-python/soappy/soappy-0.12.22.ebuild: DEPEND: ia64(default/linux/ia64/13.0/desktop) ['dev-python/defusedxml[python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
Comment 8 Agostino Sarubbo gentoo-dev 2017-01-11 10:37:31 UTC 
sparc stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-12 09:34:30 UTC 
Stable for HPPA.
Comment 10 Agostino Sarubbo gentoo-dev 2017-01-15 15:51:14 UTC 
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-17 14:25:43 UTC 
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2017-01-18 10:03:43 UTC 
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 David Seifert gentoo-dev 2017-01-18 10:15:20 UTC 
commit 60ffdd915ad1f1a68d5b3622d62ddb8b60627083
Author: David Seifert <soap@gentoo.org>
Date:   Wed Jan 18 11:15:07 2017 +0100

    dev-python/soappy: Remove old vulnerable versions
    
    Gentoo-bug: 534546
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2017-01-18 10:16:39 UTC 
GLSA Vote: No