Bug 544228 (CVE-2015-2674) - dev-python/restkit: does not properly validate TLS
Summary: dev-python/restkit: does not properly validate TLS
Status: IN_PROGRESS
Alias: CVE-2015-2674
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [upstream]
Keywords:
Depends on:
Blocks:
Reported: 2015-03-23 14:09 UTC by Agostino Sarubbo
Modified: 2019-08-17 20:02 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-03-23 14:09:47 UTC
From ${URL} :

Python's Restkit[1][2][3][4] does not properly validate TLS
(see https://github.com/benoitc/restkit/issues/140). It appears to simply use
ssl.wrap_socket from the standard library, which does not do any validation
by default. This can be verified by doing:

    >>> from restkit import request
    >>> r = request("https://tv.eurosport.com/")
    >>> r.body_string()
    '<HTML><HEAD>...'

Can a CVE be assigned for this?


[1] https://github.com/benoitc/restkit
[2] https://pypi.python.org/pypi/restkit
[3] http://restkit.readthedocs.org/en/latest/
[4] https://benoitc.github.io/restkit/index.html



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
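The report above attributes the problem to restkit calling ssl.wrap_socket, whose default cert_reqs=CERT_NONE accepts any certificate the server (or an interposed party) presents. The block below is an added example, not restkit's code and not part of the bug report: it rebuilds that default as an explicit SSLContext, puts the hardened equivalent next to it, and audits both so the difference is visible without a network connection. The names legacy_wrap_socket_context, hardened_context, audit_context and open_verified_socket are chosen here. ssl.wrap_socket itself was deprecated in Python 3.7 and removed in 3.12, so the example uses SSLContext throughout.

```python
import socket
import ssl

# Constructed example: reproduces the client TLS settings the old
# ssl.wrap_socket() default produced (cert_reqs=CERT_NONE, no hostname check),
# builds the hardened equivalent, and audits both contexts.


def legacy_wrap_socket_context():
    """Reproduce what ssl.wrap_socket() gave a caller by default: the peer
    certificate is neither verified nor matched against the hostname, so any
    certificate, including one presented by a man-in-the-middle, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE  # the wrap_socket() default (cert_reqs=CERT_NONE)
    return ctx


def hardened_context(cafile=None):
    """Client context that verifies the chain against the system trust store
    (or the given cafile), checks the hostname, and refuses TLS older than 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of findings explaining why ctx would not detect a spoofed
    server; an empty list means the context verifies the peer properly."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: peer certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS older than 1.2")
    return findings


def open_verified_socket(host, port=443, ctx=None):
    """Connect the way a fixed client should: server_hostname enables SNI and
    the hostname check; a bad chain raises ssl.SSLCertVerificationError
    instead of silently succeeding. (Needs network access; not run in tests.)"""
    ctx = ctx or hardened_context()
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("legacy wrap_socket", legacy_wrap_socket_context()),
                      ("hardened", hardened_context())):
        print(f"{name}: {audit_context(ctx) or ['OK']}")
```

Running the module prints three findings for the legacy context and OK for the hardened one. The same audit_context check can be pointed at any SSLContext a library hands back, which is a quick way to confirm whether an HTTP client actually validates the server before trusting what it returns.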
Comment 1 Christopher Díaz Riveros gentoo-dev Security 2017-07-06 18:19:14 UTC
From:

https://security-tracker.debian.org/tracker/CVE-2015-2674

bug still open and no sign from upstream
Comment 2 Tiziano Müller gentoo-dev 2018-11-27 13:09:29 UTC
There are only 2 packages left which require restkit for testing on Python 2:

  dev-python/wsgiproxy2
  dev-python/pyquery

Both projects actually dropped restkit usage some releases ago, and the deps seem to be only a leftover now.

My plan would be to:

1. version bump wsgiproxy2 to 0.4.5 without the restkit dep and stabilize in 30 days, drop old versions
2. rev-bump of pyquery and stabilize in 30 days, drop old versions
3. last-rite restkit

Since the deps on restkit in wsgiproxy2 and pyquery are actually leftovers and unused, we could also drop them without a rev-bump.
CC'ing Python team for decision
Comment 3 Larry the Git Cow gentoo-dev 2019-08-17 17:23:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d4fce0fe207f668359330bc6471b4edcc9bf65e3

commit d4fce0fe207f668359330bc6471b4edcc9bf65e3
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-08-17 17:23:16 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-08-17 17:23:44 +0000

    profiles/package.mask: mask dev-python/restkit
    
    Bug: https://bugs.gentoo.org/544228
    
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-17 20:02:11 UTC
Reverted due to being a test dep for a couple of packages.