[Python-apps-team] Bug#684246: feedparser code embedded in planet-venus and possibly may be out of date and vulnerable

Olivier Berger olivier.berger at telecom-sudparis.eu
Mon Jan 27 21:41:45 UTC 2014


Hi.

I've worked these last days on updating planet-venus to both update it
to the latest upstream, and to get rid of the embedded copy of
python-feedparser (depending on the Debian package instead).

I've uploaded the resulting package to experimental [0].

This should address the security issue, but we'll need more tests before
we can upload it safely to unstable, which I'll be unable to do, having
no production planet at hand.

For reference, the result is in the PAPT SVN on an 'experimental'
branch, should anyone take the risk and upload it to unstable.

Best regards,

Olivier Berger <olivier.berger at telecom-sudparis.eu> writes:

> It seems planet-venus suffers from security issues due to the embedded
> copy of an old python-feedparser (see #684246, which had already been
> notified in #555355, btw... now forcemerged). It looks like this
> hasn't been noticed, even though the security tag on #684246
> (?). Proper credit should go to the initial reporter of #684246, in any
> case.
>
> AFAICT, the feedparser copy in planet-venus corresponds to upstream
> rev. 39ecbd934a40e427b903988110748207ac7a0183 [1]. This was 83 commits
> behind v.5.0.1 of feedparser that appeared in Debian to fix the 3 CVEs
> referenced below (see #617998).
>
> The orig tarball of planet-venus itself corresponds to
> rev. 83447dcc23c4ffa2c9715c0bf56d873624d78add in upstream git repo [2]
> (it moved from bzr to git apparently). FYI, this is about 68 commits
> and one year and a half behind latest upstream...
>
> I'm not sure what should be done to bring planet-venus in a better
> shape, but I believed it couldn't harm to try and update the package.
>

[0] http://packages.qa.debian.org/p/planet-venus/news/20140127T163350Z.html
-- 
Olivier BERGER 
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)