[Python-apps-team] planet-venus needs love - Was: Re: Bug#684246: feedparser code embedded in planet-venus and possibly may be out of date and vulnerable

Olivier Berger olivier.berger at telecom-sudparis.eu
Mon Jan 20 17:11:49 UTC 2014


Hi.

AFAICT from [0] it seems that the package planet-venus might be maintained by the Python Applications Packaging Team (couldn't track back the message referenced in [0], btw), even though I have doubts.

Hence copying quite a few people. Sorry about the spam in advance (and please CC: me, as I'm not subscribed to the lists).


It seems planet-venus suffers from security issues due to the embedded copy of an old python-feedparser (see #684246, which had already been notified in #555355, btw... now forcemerged). It looks like this hasn't been noticed, even though the security tag is on #684246 (?). Proper credit should go to the initial reporter of #684246, in any case.

AFAICT, the feedparser copy in planet-venus corresponds to upstream rev. 39ecbd934a40e427b903988110748207ac7a0183 [1]. This was 83 commits behind v.5.0.1 of feedparser that appeared in Debian to fix the 3 CVEs referenced below (see #617998).

The orig tarball of planet-venus itself corresponds to rev. 83447dcc23c4ffa2c9715c0bf56d873624d78add in upstream git repo [2] (it moved from bzr to git apparently). FYI, this is about 68 commits and one year and a half behind latest upstream...

I'm not sure what should be done to bring planet-venus into better shape, but I believed it couldn't hurt to try and update the package.


I'm not a user of planet myself, but I'm willing to help (besides that, I feel guilty for breaking it as per #735837... but not too much, considering how old and abandoned it seems to be ;-).

Maybe the accumulated problems (security + embedded copy) would deserve a more RC flagging.

Hope this helps, and sorry for the spam if I've targeted too many people.

Thanks in advance for your help.


Best regards,

On Wed, Aug 08, 2012 at 12:08:23PM +1000, Silvio Cesare wrote:
> Package: planet-venus
> Severity: important
> Tags: security
> 
SNIP

> 
> ### Reports by package:
> ###
> # Package planet-venus may be vulnerable to the following issues:
> #
> 	CVE-2011-1156
> 	CVE-2011-1157
> 	CVE-2011-1158
> 
> 

[0] http://lists.alioth.debian.org/pipermail/python-apps-team/2012-July/006547.html
[1] https://code.google.com/p/feedparser/source/browse/?r=39ecbd934a40e427b903988110748207ac7a0183
[2] https://github.com/rubys/venus/tree/83447dcc23c4ffa2c9715c0bf56d873624d78add
-- 
Olivier BERGER 
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)
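The core problem raised in the message is an embedded (vendored) copy of a library that silently falls behind the packaged, patched version. The script below is an added example, not code from the mail, from planet-venus or from feedparser: it walks a source tree, finds every embedded `feedparser.py`, reads its `__version__` string and flags copies older than 5.0.1, the release the mail names as the one that fixed the three CVEs. The sample tree it builds, the file layout and the version strings in it are constructed for the demo and are not the real planet-venus layout; the assumption that the embedded module declares a plain `__version__ = "x.y.z"` is also ours.

```python
"""Detect embedded copies of a library that predate a fixed release.

Added example for a package-hygiene check; assumes the embedded module
declares a plain `__version__ = "..."` string (an assumption, not something
the original mail states about feedparser's source).
"""
import os
import re
import tempfile

# Release named in the mail as the Debian upload fixing the three CVEs.
FIXED_VERSION = "5.0.1"

_VERSION_RE = re.compile(r'^__version__\s*=\s*["\']([^"\']+)["\']', re.M)


def parse_version(text):
    """Turn '5.0.1' or '4.2-pre' into a tuple of its leading integer fields.

    Only the leading numeric components are compared; once a non-numeric
    field is met (e.g. 'pre'), the rest is ignored.
    """
    nums = []
    for part in re.split(r"[.\-]", text):
        if part.isdigit():
            nums.append(int(part))
        else:
            break
    return tuple(nums)


def embedded_version(path):
    """Return the __version__ string declared in a module file, or None."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        match = _VERSION_RE.search(fh.read())
    return match.group(1) if match else None


def find_embedded_copies(root, module_file="feedparser.py", fixed=FIXED_VERSION):
    """Walk `root` and report every embedded copy of `module_file`.

    Returns a sorted list of (relative path, version string or None, outdated)
    where `outdated` is True when the version is missing or older than `fixed`.
    A missing version is treated as outdated because it cannot be vouched for.
    """
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if module_file in files:
            full = os.path.join(dirpath, module_file)
            version = embedded_version(full)
            outdated = version is None or parse_version(version) < parse_version(fixed)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            results.append((rel, version, outdated))
    return sorted(results)


def demo():
    """Build a constructed sample tree with two embedded copies and scan it."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed layout: an old vendored copy and an up-to-date one.
        old_dir = os.path.join(root, "planet", "vendor")
        new_dir = os.path.join(root, "contrib")
        os.makedirs(old_dir)
        os.makedirs(new_dir)
        with open(os.path.join(old_dir, "feedparser.py"), "w", encoding="utf-8") as fh:
            fh.write('"""constructed stale copy"""\n__version__ = "4.2"\n')
        with open(os.path.join(new_dir, "feedparser.py"), "w", encoding="utf-8") as fh:
            fh.write('"""constructed current copy"""\n__version__ = "5.0.1"\n')
        return find_embedded_copies(root)


if __name__ == "__main__":
    for rel, version, outdated in demo():
        status = "OUTDATED" if outdated else "ok"
        print(f"{rel}: {version} [{status}]")
```

Run against a real unpacked source tarball by calling `find_embedded_copies("/path/to/tree")`; any `OUTDATED` row is a copy that the system-wide package update did not reach and that needs either dropping in favour of the packaged library or a rebase onto the fixed release.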
