[tryton-debian-vcs] suds branch debian-wheezy created. debian/0.4.1-5+deb7u1

Mathias Behrle tryton-debian-vcs at alioth.debian.org
Mon May 26 19:28:48 UTC 2014


The following commit has been merged in the debian-wheezy branch:
https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi/?p=tryton/suds.git;a=commitdiff;h=debian/0.4.1-5+deb7u1
commit bf86637d3a3cf21a8c870f88d96e0c35eb26de67
Author: Mathias Behrle <mathiasb at m9s.biz>
Date:   Mon May 26 21:28:04 2014 +0200

    Releasing debian version 0.4.1-5+deb7u1.

diff --git a/debian/changelog b/debian/changelog
index 65ebee9..9bb3911 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+suds (0.4.1-5+deb7u1) stable; urgency=medium
+
+  * Adding 02-fix-unsecure-cache-path.patch for CVE-2013-2217.
+    This patch fixes the unsecure creation of cache paths and
+    removes the cache directory on exit of the calling program.
+    Relates to #714340 and #749073.
+
+ -- Mathias Behrle <mathiasb at m9s.biz>  Mon, 26 May 2014 16:52:21 +0200
+
 suds (0.4.1-5) unstable; urgency=low
 
   [ Mathias Behrle ]
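
Review bot: The new 0.4.1-5+deb7u1 entry describes the fix but not the behaviour change that comes with it, which matters for a stable update. With the fixed `os.path.join(tmp(), 'suds')` default replaced by a per-process directory that is removed at exit, the default cache no longer persists between runs, and only the default location is cleaned up, not a directory the caller passes in. I would say both in the entry. Also, "Relates to #714340 and #749073" will not close either bug on upload, while the commit message for the patch says "Fixes #714340"; if closing is intended, use "Closes: #714340".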
commit db313b34057ab2a19495d4dff1bb88eb8fffaeab
Author: Mathias Behrle <mathiasb at m9s.biz>
Date:   Mon May 26 14:29:50 2014 +0200

    Adding 02-fix-unsecure-cache-path.patch for CVE-2013-2217.
    
    - Fixes #714340
    
    This patch is a backport of
    - https://bitbucket.org/jurko/suds/issue/15/insecure-temporary-directory-use
    - https://bitbucket.org/jurko/suds/commits/3126ac3a406c37f9982f01ad0ca4ed42cf9a47cb
    - https://bitbucket.org/jurko/suds/commits/aee4b2f0318f4b4545a1da826149edaa2c047460

diff --git a/debian/patches/02-fix-unsecure-cache-path.patch b/debian/patches/02-fix-unsecure-cache-path.patch
new file mode 100644
index 0000000..879df5d
--- /dev/null
+++ b/debian/patches/02-fix-unsecure-cache-path.patch
@@ -0,0 +1,91 @@
+Author: Jurko Gospodnetić
+Description: Fix for CVE-2013-2217:
+ Use secure temporary directory creation when initializing
+ file-based URL cache.
+
+ This patch is taken from the suds-jurko fork of suds at
+ https://bitbucket.org/jurko/suds. It removes the cache
+ files on exit of the calling program.
+
+ References:
+ https://bitbucket.org/jurko/suds/issue/15/insecure-temporary-directory-use
+ https://bitbucket.org/jurko/suds/commits/3126ac3a406c37f9982f01ad0ca4ed42cf9a47cb
+ https://bitbucket.org/jurko/suds/commits/aee4b2f0318f4b4545a1da826149edaa2c047460
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=978696
+Bug-Debian: http://bugs.debian.org/714340
+Forwarded: https://bugzilla.redhat.com/show_bug.cgi?id=978696#c14
+--- suds.orig/suds/cache.py	2014-05-26 14:28:47.950557418 +0200
++++ suds/suds/cache.py	2014-05-26 14:28:47.946557554 +0200
+@@ -19,6 +19,8 @@
+ """
+ 
+ import os
++import tempfile
++import shutil
+ import suds
+ from tempfile import gettempdir as tmp
+ from suds.transport import *
+@@ -127,7 +129,9 @@
+     """
+     fnprefix = 'suds'
+     units = ('months', 'weeks', 'days', 'hours', 'minutes', 'seconds')
+-    
++
++    __default_location = None
++
+     def __init__(self, location=None, **duration):
+         """
+         @param location: The directory for the cached files.
+@@ -138,12 +142,12 @@
+         @type duration: {unit:value}
+         """
+         if location is None:
+-            location = os.path.join(tmp(), 'suds')
++            location = self.__get_default_location()
+         self.location = location
+         self.duration = (None, 0)
+         self.setduration(**duration)
+         self.checkversion()
+-        
++
+     def fnsuffix(self):
+         """
+         Get the file name suffix
+@@ -175,7 +179,20 @@
+         @type location: str
+         """
+         self.location = location
+-            
++
++    @staticmethod
++    def __get_default_location():
++        """
++        Returns the current process's default cache location folder.
++        The folder is determined lazily on first call.
++        """
++        if not FileCache.__default_location:
++            tmp = tempfile.mkdtemp("suds-default-cache")
++            FileCache.__default_location = tmp
++            import atexit
++            atexit.register(FileCache.__remove_default_location)
++        return FileCache.__default_location
++
+     def mktmp(self):
+         """
+         Make the I{location} directory if it doesn't already exits.
+@@ -186,7 +203,14 @@
+         except:
+             log.debug(self.location, exc_info=1)
+         return self
+-    
++
++    @staticmethod
++    def __remove_default_location():
++        """
++        Removes the default cache location folder.
++        """
++        shutil.rmtree(FileCache.__default_location, ignore_errors=True)
++
+     def put(self, id, bfr):
+         try:
+             fn = self.__fn(id)
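
Review bot: In `__get_default_location`, `tempfile.mkdtemp("suds-default-cache")` passes the string as the first positional argument, which is the suffix, so the directory is named like `tmpXXXXXXsuds-default-cache`; `mkdtemp(prefix="suds-default-cache-")` would make the origin of the directory obvious when someone inspects the temp directory. The local variable `tmp` in the same method also shadows the module-level alias from `from tempfile import gettempdir as tmp`, which the first cache.py hunk keeps; renaming the local avoids confusion. Note too that only the `location is None` branch changes: a caller-supplied `location` still goes through `mktmp()` as before, so the patch Description should state that the secure creation and the exit cleanup apply to the default location only. Finally, the check and assignment of `FileCache.__default_location` are not guarded, so two threads constructing the first `FileCache` at the same time could each create a directory and leave one behind; a lock around the lazy initialisation would close that.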
diff --git a/debian/patches/series b/debian/patches/series
index 3b993e0..280967c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 01-remove-makefile
+02-fix-unsecure-cache-path.patch
-- 
suds


