[Python-modules-team] CVE 2014-3242 & 3243 - SOAPPy

Nick Phillips nick.phillips at otago.ac.nz
Thu Jun 19 03:49:51 UTC 2014


Hi...

While checking our procedures for tracking vulnerabilities in
non-Debian-provided packages, I noticed that python-soappy in wheezy has
a couple of outstanding vulns.

Apparently (according to pabs on IRC, can't remember where he checked)
the python-soappy maintainer(s) - Debian Python Modules Team
<python-modules-team at lists.alioth.debian.org> - haven't responded to
contacts about this.

I've prepared a fixed package for our own local use, and would be happy
to help with getting fixed packages into wheezy/sid.

There's one complication with the package for wheezy; while I have only
pulled in the upstream (new upstream since version in wheezy) changes
relevant to the fix, the fix used is the Python community's recommended
one of using defusedxml. Which isn't in wheezy.

It seems to me (and in a brief discussion on IRC, pabs) that getting the
python-defusedxml package into wheezy would be the best solution:
* per https://docs.python.org/2/library/xml.html#xml-vulnerabilities it
   is the recommended way to avoid XXE etc. in Python 2.x;
* there are various other packages using xml.sax in a potentially
   unsafe manner in wheezy, and if it turns out that any requires a
   security update, the best solution is likely to require the use of
   defusedxml;
* any 3rd-party or user-written code attempting to avoid XXE etc. in
   Python 2.x code should be using defusedxml, and there is no supported
   way to achieve this in wheezy at present;
* the only possible instability from adding a package that no existing
   package uses would be from people who currently have a different
   version of it installed locally, and a borked PYTHONPATH.

I had a brief chat to Adam Barratt (SRM) about this on IRC as well, and
while not keen, he did seem willing to give the possibility the time of
day at least. He suggested filing a p-u bug with the relevant
information, but I thought I'd mail you guys first to see whether you'd
be inclined to agree with the solution and that doing so wouldn't be
treading on any toes.

DPMT guys - there's no big deal with this for sid, as defusedxml is
already available. Happy to NMU latest SOAPPy from pypi if desired. Or,
since I already have fixed packages here, I can equally happily STFU and
leave you all alone.


Cheers,


Nick
-- 
Nick Phillips / nick.phillips at otago.ac.nz / nwp at debian.org / 03 479 4195
# These statements are mine, not those of the University of Otago
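The fix the mail refers to is defusedxml's approach of refusing the XML features that make XXE and entity-expansion attacks possible (DOCTYPE, entity declarations, external entity references) instead of trusting the parser defaults. The following is an added illustration written for this archive page, not code from the mail, from SOAPPy or from defusedxml: it reproduces that policy with only the standard-library expat parser (Python 3 here, the same handlers exist in 2.x), so it can be run where defusedxml is unavailable. The function names, the `ForbiddenXML` exception and the sample documents are constructed for the example.

```python
import xml.parsers.expat


class ForbiddenXML(ValueError):
    """Raised when the document uses a feature the strict parser refuses."""


def _new_parser():
    return xml.parsers.expat.ParserCreate()


def parse_default(data):
    """Parse with expat defaults; internal entities are expanded silently.

    Returns (element names in document order, concatenated character data).
    """
    p = _new_parser()
    elements, text = [], []
    p.StartElementHandler = lambda name, attrs: elements.append(name)
    p.CharacterDataHandler = text.append
    p.Parse(data, True)
    return elements, "".join(text)


def parse_strict(data):
    """Parse like defusedxml does: any DOCTYPE, entity declaration or external
    entity reference aborts parsing with ForbiddenXML before it can do harm."""
    p = _new_parser()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML("DOCTYPE declaration not allowed")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML("entity declaration not allowed: %s" % name)

    def on_external_entity(context, base, sysid, pubid):
        raise ForbiddenXML("external entity reference not allowed")

    # Reject the DTD as soon as it is seen; never resolve parameter entities.
    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    p.ExternalEntityRefHandler = on_external_entity
    p.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    elements, text = [], []
    p.StartElementHandler = lambda name, attrs: elements.append(name)
    p.CharacterDataHandler = text.append
    p.Parse(data, True)
    return elements, "".join(text)


def classify(data):
    """Return 'ok' if the strict parser accepts the document, else the reason."""
    try:
        parse_strict(data)
        return "ok"
    except ForbiddenXML as exc:
        return str(exc)


# Constructed sample inputs (not taken from any real SOAP traffic).
BENIGN = "<Envelope><Body><Hello>world</Hello></Body></Envelope>"

# Internal entity: harmless here, but the same mechanism drives entity
# expansion attacks, and the default parser expands it without complaint.
INTERNAL_ENTITY = '<!DOCTYPE r [<!ENTITY e "expanded">]><r>&e;</r>'

# External entity declaration of the kind used for XXE; the hostname is a
# placeholder in the reserved .invalid TLD.
EXTERNAL_ENTITY = (
    '<!DOCTYPE Envelope [<!ENTITY ext SYSTEM "http://example.invalid/e.dtd">]>'
    "<Envelope><Body>&ext;</Body></Envelope>"
)


if __name__ == "__main__":
    print("default parse of internal entity:", parse_default(INTERNAL_ENTITY))
    for label, doc in [("benign", BENIGN), ("internal", INTERNAL_ENTITY),
                       ("external", EXTERNAL_ENTITY)]:
        print("%-8s -> %s" % (label, classify(doc)))
```

The strict parser deliberately fails closed: it does not try to decide which DTD constructs are safe, it refuses the whole class, which is the same trade-off defusedxml makes. Code that genuinely needs a DTD has to opt in explicitly rather than get it by default.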