Bugzilla – Bug 827568
VUL-0: CVE-2013-2217: python-suds: Insecure temporary directory use when initializing file-based URL cache
Last modified: 2018-10-10 08:35:06 UTC
Via OSS-sec:

> Hello Kurt, Steve, vendors,
>
> based on the public Red Hat Bugzilla report: [1]
> https://bugzilla.redhat.com/show_bug.cgi?id=978696
>
> by Ralph Loader:
>
> An insecure temporary directory use flaw was found in the way
> python-suds, a Python SOAP web services client library, performed
> initialization of its internal file-based URL cache (a predictable
> location was used for the directory to store the cached files). A local
> attacker could use this flaw to conduct symbolic link attacks,
> possibly leading to their ability to modify, for example, the SOAP .wsdl
> metadata to redirect queries to a different host than originally
> intended.
>
> The reasons for the current behaviour are detailed at: [2]
> https://bugzilla.redhat.com/show_bug.cgi?id=978696#c4
>
> Could you allocate a CVE id for this?
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> P.S.: There doesn't seem to be an upstream patch available yet
> (afaik), but the fix is obvious - use a more unpredictable routine
> for file-based URL cache directory location generation than
> Python's tempfile.gettempdir() (which, in case tempfile.tempdir is
> None, defaults to '/tmp').

Please use CVE-2013-2217 for this issue.
bugbot adjusting priority
The SWAMPID for this issue is 53407. This issue was rated as moderate. Please submit fixed packages until 2013-07-17. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
The SWAMPID for this issue is 53408. This issue was rated as moderate. Please submit fixed packages until 2013-07-17. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
The SWAMPID for this issue is 53409. This issue was rated as moderate. Please submit fixed packages until 2013-07-17. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
assign to Vincent (SLE maintainer) first, afterwards we can assign it to Peter Nixon again
Sascha: would you be able to take care of this?
Factory: sr#182211 openSUSE: sr#182212
This is an autogenerated message for OBS integration: This bug (827568) was mentioned in https://build.opensuse.org/request/show/182211 Factory / python-suds
This is an autogenerated message for OBS integration: This bug (827568) was mentioned in https://build.opensuse.org/request/show/182501 Factory / python-suds
done for SLE
openSUSE-SU-2013:1208-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 827568 CVE References: CVE-2013-2217 Sources used: openSUSE 12.3 (src): python-suds-0.4-5.4.1 openSUSE 12.2 (src): python-suds-0.4-2.8.1
Update released for: python-suds Products: SUSE-CLOUD 1.0 (x86_64)
I think the patch used to fix this is wrong - it causes python-suds to create stale files in /tmp, and it effectively disables the file cache as it won't ever load a saved file. It might be better to disable use of FileCache unless it is configured for a specific directory.
reopen and back to sascha then?
(In reply to comment #17)
> I think patch used to fix this is wrong - it causes python-suds to create stale
> files in /tmp

True, I think I could add a __del__() method to the FileCache object to remove the tmpdir if FileCache instances go out of scope.

> and it effectively disables the file cache as it won't ever load
> saved file.

It depends how you use it. The tmpdir is used for as long as the FileCache object is alive. In the SUSE-Cloud context, it is only used as part of OpenStack Nova's VMWare driver in the compute daemon. Since that's a long-running process, that should actually be ok. It's less so for CLI tools that are started several times in short succession, I agree. But we don't have those ATM.

> It might be better to disable use of FileCache unless it is
> configured for specific directory.

Not using an old cache and disabling it completely should end up with the same results. As you already imply, if the user provides a directory, it's his responsibility. But using mkdtemp sounds like a safe default. So if that's wanted, I could add some cleanup.

Long term, the better option is to move to another solution, since suds has been unmaintained for years.
(In reply to comment #19)
> (In reply to comment #17)
> > and it effectively disables the file cache as it won't ever load
> > saved file.
>
> It depends how you use it. The tmpdir is used for as long as the FileCache
> object is alive. In the SUSE-Cloud context, it is only used as part of
> OpenStack Nova's VMWare driver in the compute daemon. Since that's a
> long-running process, that should actually be ok.

Right - for long-living instances it works as long as the object exists. In our case, it's used by a command-line utility executed from cron, and it just leads to thousands of files in /tmp which are not deleted. That's how I actually found this problem :-). I've removed the security patch for us for now, and I was just wondering whether this cannot be a problem as well in the released update.
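The two behaviours argued about in this thread, shown side by side as an added illustration (Python 3, POSIX). This is not python-suds code: `FileCache` below is a stand-in with an assumed `put`/`get` shape, the fixed `suds` subdirectory name stands in for whatever predictable path the original used, and `cache_dir_is_safe` is an added check, not something the thread proposes. It demonstrates the symlink attack the advisory describes against a fixed name under `tempfile.gettempdir()`, the `mkdtemp()` default from the fix, and the cleanup step from comment #19 so that a cron-driven CLI (comment #20) does not litter /tmp.

```python
# Added illustration for bug 827568 / CVE-2013-2217; NOT python-suds code.
import os
import shutil
import stat
import tempfile


def predictable_cache_dir(tmpdir=None):
    """The flaw: a fixed name under gettempdir() (normally /tmp), which any
    local user can pre-create, or replace with a symlink, before the victim
    process starts.  The 'suds' name is an assumption for this example."""
    return os.path.join(tmpdir or tempfile.gettempdir(), "suds")


def cache_dir_is_safe(path):
    """Added check for caller-supplied directories: a real directory (a
    symlink fails S_ISDIR under lstat), owned by us, not group/other writable."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid():
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


class FileCache:
    """Hardened stand-in: mkdtemp() by default (unpredictable name, mode 0700)
    and explicit cleanup of the directory this instance created."""

    def __init__(self, location=None):
        self.location, self._owned = None, False   # safe for __del__ if we raise
        if location is None:
            self.location = tempfile.mkdtemp(prefix="suds-")
            self._owned = True                      # we created it, we remove it
        else:
            if os.path.lexists(location) and not cache_dir_is_safe(location):
                raise RuntimeError("unsafe cache directory: %s" % location)
            os.makedirs(location, mode=0o700, exist_ok=True)
            self.location = location                # caller's dir, caller's responsibility

    def put(self, name, data):
        with open(os.path.join(self.location, name), "wb") as f:
            f.write(data)

    def get(self, name):
        try:
            with open(os.path.join(self.location, name), "rb") as f:
                return f.read()
        except OSError:
            return None

    def close(self):
        if self._owned and self.location and os.path.isdir(self.location):
            shutil.rmtree(self.location)

    def __del__(self):
        self.close()


def demo():
    """Constructed scenario: the attacker plants a symlink at the predictable
    location; a victim using the old pattern writes its cached WSDL through it.
    The hardened cache refuses the planted directory and cleans up after itself."""
    root = tempfile.mkdtemp(prefix="demo-")         # stands in for /tmp
    try:
        attacker_dir = os.path.join(root, "attacker")
        os.mkdir(attacker_dir)
        planted = predictable_cache_dir(root)
        os.symlink(attacker_dir, planted)           # attacker, before the victim runs

        # Old behaviour: reuse whatever is already at the predictable path.
        if not os.path.isdir(planted):
            os.makedirs(planted)
        with open(os.path.join(planted, "service.wsdl"), "wb") as f:
            f.write(b"<definitions/>")
        attacker_sees = os.path.isfile(os.path.join(attacker_dir, "service.wsdl"))

        # Hardened behaviour.
        try:
            FileCache(planted)
            refused = False
        except RuntimeError:
            refused = True
        cache = FileCache()
        cache.put("service.wsdl", b"<definitions/>")
        roundtrip = cache.get("service.wsdl") == b"<definitions/>"
        private_dir = cache.location
        private_mode = stat.S_IMODE(os.stat(private_dir).st_mode)
        cache.close()
        return {
            "attacker_sees_cached_wsdl": attacker_sees,
            "planted_dir_is_safe": cache_dir_is_safe(planted),
            "hardened_refused_planted_dir": refused,
            "private_cache_roundtrip": roundtrip,
            "private_dir_mode": private_mode,
            "private_dir_removed": not os.path.exists(private_dir),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print("%-30s %s" % (key, value))
```

Note that `close()` is what actually keeps /tmp clean for short-lived processes; `__del__` is only a fallback, since the interpreter does not guarantee finalizers run at exit.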
Ok, sr#29625 addresses that.
The SWAMPID for this issue is 55364. This issue was rated as moderate. Please submit fixed packages until 2013-12-20. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
sr#29826, with CVE numbers...
Update released for: python-suds Products: SUSE-CLOUD 2.0 (x86_64)
SUSE-SU-2014:0061-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 827568 CVE References: CVE-2013-2217 Sources used: SUSE Cloud 2.0 (src): python-suds-0.4-0.18.1
This is an autogenerated message for OBS integration: This bug (827568) was mentioned in https://build.opensuse.org/request/show/433308 Factory / python-suds-jurko https://build.opensuse.org/request/show/433309 42.1 / python-suds-jurko https://build.opensuse.org/request/show/433310 42.2 / python-suds-jurko
openSUSE-SU-2016:2516-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 827568 CVE References: CVE-2013-2217 Sources used: openSUSE Leap 42.1 (src): python-suds-jurko-0.6-4.1
SUSE-SU-2016:2704-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 827568 CVE References: CVE-2013-2217 Sources used: SUSE OpenStack Cloud 6 (src): python-suds-jurko-0.6-4.1