From ${URL} :

Description
Two security issues have been reported in the logilab-common module for Python, which can be exploited by malicious, local users to manipulate certain data.

The security issues are caused due to the module creating certain files within the /tmp directory in an insecure manner. This can be exploited to e.g. overwrite contents of arbitrary user-accessible files via symlink attacks.

The security issues are reported in version 0.60.1. Other versions may also be affected.

Solution: No official solution is currently available.

Provided and/or discovered by: Jakub Wilk with a Debian bug report.

Original Advisory: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737051

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Upstream have responded to the Debian issue and we may grab those two patches as is.
Thank you for looking into it. Would you be able to link to the patches or relevant upstream bug? That would be great.
(In reply to yegle from comment #1)
> Upstream have responded to the Debian issue and we may grab those two
> patches as is.

(In reply to Dirkjan Ochtman from comment #2)
> Thank you for looking into it. Would you be able to link to the patches or
> relevant upstream bug? That would be great.

Is this them?
http://www.logilab.org/revision/207574
http://www.logilab.org/revision/210454
Yeah, that looks right, thanks!
*logilab-common-0.60.1-r1 (27 Mar 2014)

  27 Mar 2014; Ian Delaney <idella4@gentoo.org>
  +files/logilab-common-sec-CVE-2014-1838-9.patch, +logilab-common-0.60.1-r1.ebuild,
  -logilab-common-0.59.1.ebuild, -logilab-common-0.60.0.ebuild,
  -logilab-common-0.60.1.ebuild, logilab-common-0.61.0.ebuild:
  revbump; sec fix wrt sec Bug #499872, rm old unstable versions

So;
1. Unstable old affected versions removed.
2. Only stable == logilab-common-0.58.1.ebuild
3. The logilab-common-0.61.0.ebuild has already had the changes applied.

Either 0.60.1-r1 or 0.61.0 can be made stable. Selecting 0.61.0 will make these fresh additions unneeded. Either can do, however I'd favour 0.61.0 since it has py3 support.
Let's stabilize 0.61.0, please.
CVE-2014-1839 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1839):
The Execute class in shellutils in logilab-commons before 0.61.0 uses tempfile.mktemp, which allows local users to have an unspecified impact by pre-creating the temporary file.

CVE-2014-1838 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1838):
The (1) extract_keys_from_pdf and (2) fill_pdf functions in pdf_ext.py in logilab-commons before 0.61.0 allow local users to overwrite arbitrary files and possibly have other unspecified impact via a symlink attack on /tmp/toto.fdf.
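The two CVE texts above name two distinct weak patterns: a fixed, predictable name under the shared /tmp directory (CVE-2014-1838) and tempfile.mktemp(), which hands back a name without creating anything (CVE-2014-1839). The following is an added example, not code from logilab-common or from the upstream patches linked in this bug; the function names are hypothetical. It shows the weak pattern beside the hardened form (tempfile.mkstemp, or a private mkdtemp directory) and a check that an exclusive create refuses a pre-existing entry at the predictable name instead of following it.

```python
"""Temporary-file handling contrasted with the patterns behind
CVE-2014-1838 (fixed name /tmp/toto.fdf) and CVE-2014-1839 (tempfile.mktemp).

Added example, not logilab-common code. Function names are hypothetical.
"""
import os
import tempfile


def write_fdf_insecure(fdf_bytes, path=None):
    """Weak pattern, kept only for contrast.

    With path given this is the fixed-name pattern (CVE-2014-1838); with
    path=None it is the mktemp() pattern (CVE-2014-1839): mktemp() only
    returns a name and creates nothing, so the name is known before the
    file exists. Either way plain open() then follows whatever already
    sits at that path, including a symlink another local user planted.
    """
    if path is None:
        path = tempfile.mktemp(suffix=".fdf")
    with open(path, "wb") as fh:
        fh.write(fdf_bytes)
    return path


def write_fdf_secure(fdf_bytes, directory=None):
    """Hardened form.

    mkstemp() creates the file atomically with O_CREAT|O_EXCL and mode 0600
    and hands back an open descriptor, so there is no window between choosing
    the name and creating the file, and a pre-existing entry at that name makes
    the create fail instead of being followed. Passing a private directory
    (from mkdtemp) instead of /tmp removes the shared location altogether.
    """
    fd, path = tempfile.mkstemp(suffix=".fdf", dir=directory)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(fdf_bytes)
    except BaseException:
        os.unlink(path)
        raise
    return path


def exclusive_create_refuses_existing(directory):
    """Check that an exclusive create does not follow a pre-existing symlink.

    Sets up, in a directory we own, a 'victim' file and a symlink at the
    predictable name pointing to it (constructed test data), then opens the
    predictable name with O_CREAT|O_EXCL. POSIX requires that open to fail
    with EEXIST when the path is a symlink, regardless of its target.
    Returns True if the open was refused and the victim was not modified.
    """
    victim = os.path.join(directory, "victim.txt")
    with open(victim, "w") as fh:
        fh.write("original\n")
    planted = os.path.join(directory, "toto.fdf")
    os.symlink(victim, planted)
    try:
        fd = os.open(planted, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        refused = True
    else:
        os.close(fd)
        refused = False
    with open(victim) as fh:
        untouched = fh.read() == "original\n"
    return refused and untouched


def run_checks():
    """Exercise the hardened path; returns (written_bytes, mode_bits, refused)."""
    workdir = tempfile.mkdtemp(prefix="fdf-")
    path = write_fdf_secure(b"%FDF-1.2\n", directory=workdir)
    with open(path, "rb") as fh:
        written = fh.read()
    mode = os.stat(path).st_mode & 0o777
    refused = exclusive_create_refuses_existing(workdir)
    return written, mode, refused


if __name__ == "__main__":
    print(run_checks())
```

The point of the third function is that the fix is not "pick a harder-to-guess name" but "create with O_EXCL and use the descriptor you got back"; mkstemp() and NamedTemporaryFile() do exactly that, while mktemp() and a hard-coded /tmp path leave a window between name selection and creation.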
amd64 stable
x86 stable
ppc stable. Maintainer(s), please clean up. Security, please vote.
  07 Apr 2014; Ian Delaney <idella4@gentoo.org>
  -files/logilab-common-0.59.0-syntax.patch,
  -files/logilab-common-0.59.0-utf8-test.patch,
  -files/logilab-common-sec-CVE-2014-1838-9.patch,
  -logilab-common-0.58.1.ebuild, -logilab-common-0.60.1-r1.ebuild:
  rm old ebuilds & patches wrt sec bug #499872

done
GLSA vote: no.
GLSA vote: no

Closing as noglsa