Bug#749366: squeeze-pu: package suds/0.3.9-1+deb6u2 Bug#749073

2014-05-28 Thread Mathias Behrle
* Adam D. Barratt:  Re: Bug#749366: squeeze-pu: package suds/0.3.9-1+deb6u2
  Bug#749073 (Tue, 27 May 2014 22:06:03 +0100):

 Control: tags -1 + pending
 
 On Tue, 2014-05-27 at 12:19 +0200, Mathias Behrle wrote:
  * Adam D. Barratt:  Bug#749366: squeeze-pu: package suds/0.3.9-1+deb6u2
Bug#749073 (Mon, 26 May 2014 19:57:33 +0100):
 [...] 
   On Mon, 2014-05-26 at 18:08 +0200, Mathias Behrle wrote:
the original fix for CVE-2013-2217 was missing a proper cleanup of the
cache directories in tmp (#749073), which can lead to saturation of
the subdirectory limit (~32000 on ext3).
 [...]
   Please go ahead; thanks.
  
  Uploaded by sponsor Raphael Hertzog.
 
 Flagged for acceptance.
 
  BTW: Do I need to confirm this?
 
 You don't have to, no; it can be helpful to people following the bug log
 though, so it's clear what stage the process is at.

Ok, now much clearer to me.
 
  ftpmaster already sent
  'suds_0.3.9-1+deb6u2_amd64.changes ACCEPTED into
  oldstable-proposed-updates-oldstable-new'
 
 To you, yes, not to us. :-) ftp-master don't notify us when new packages
 enter {,old}stable-new, although we do have our own tools that do so and
 send us a diff of the upload.
 
 As a side note, as I've seen it confuse people before, that particular
 accepted mail only means that the package has made it to
 oldstable-new; it still needs a member of the release team to process it
 before it reaches oldstable-proposed-updates (or gets rejected).

Thanks a lot for your work,
Mathias


-- 

Mathias Behrle
PGP/GnuPG key available from any keyserver, ID: 0x8405BBF6




Bug#749366: squeeze-pu: package suds/0.3.9-1+deb6u2 Bug#749073

2014-05-27 Thread Mathias Behrle
* Adam D. Barratt:  Bug#749366: squeeze-pu: package suds/0.3.9-1+deb6u2
  Bug#749073 (Mon, 26 May 2014 19:57:33 +0100):

 Control: tags -1 + confirmed
 
 On Mon, 2014-05-26 at 18:08 +0200, Mathias Behrle wrote:
  the original fix for CVE-2013-2217 was missing a proper cleanup of the
  cache directories in tmp (#749073), which can lead to saturation of
  the subdirectory limit (~32000 on ext3).
  
  I would like to upload suds_0.3.9-1+deb6u2 with this patch backported from
  
   https://bitbucket.org/jurko/suds/issue/15/insecure-temporary-directory-use
   
  https://bitbucket.org/jurko/suds/commits/3126ac3a406c37f9982f01ad0ca4ed42cf9a47cb
   
  https://bitbucket.org/jurko/suds/commits/aee4b2f0318f4b4545a1da826149edaa2c047460
 
 Please go ahead; thanks.

Uploaded by sponsor Raphael Hertzog.

BTW: Do I need to confirm this? ftpmaster already sent
'suds_0.3.9-1+deb6u2_amd64.changes ACCEPTED into
oldstable-proposed-updates-oldstable-new'

Cheers


-- 

Mathias Behrle
PGP/GnuPG key available from any keyserver, ID: 0x8405BBF6




Bug#749366: squeeze-pu: package suds/0.3.9-1+deb6u2 Bug#749073

2014-05-27 Thread Adam D. Barratt
Control: tags -1 + pending

On Tue, 2014-05-27 at 12:19 +0200, Mathias Behrle wrote:
 * Adam D. Barratt:  Bug#749366: squeeze-pu: package suds/0.3.9-1+deb6u2
   Bug#749073 (Mon, 26 May 2014 19:57:33 +0100):
[...] 
  On Mon, 2014-05-26 at 18:08 +0200, Mathias Behrle wrote:
   the original fix for CVE-2013-2217 was missing a proper cleanup of the
   cache directories in tmp (#749073), which can lead to saturation of
   the subdirectory limit (~32000 on ext3).
[...]
  Please go ahead; thanks.
 
 Uploaded by sponsor Raphael Hertzog.

Flagged for acceptance.

 BTW: Do I need to confirm this?

You don't have to, no; it can be helpful to people following the bug log
though, so it's clear what stage the process is at.

 ftpmaster already sent
 'suds_0.3.9-1+deb6u2_amd64.changes ACCEPTED into
 oldstable-proposed-updates-oldstable-new'

To you, yes, not to us. :-) ftp-master don't notify us when new packages
enter {,old}stable-new, although we do have our own tools that do so and
send us a diff of the upload.

As a side note, as I've seen it confuse people before, that particular
accepted mail only means that the package has made it to
oldstable-new; it still needs a member of the release team to process it
before it reaches oldstable-proposed-updates (or gets rejected).

Regards,

Adam


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#749366: squeeze-pu: package suds/0.3.9-1+deb6u2 Bug#749073

2014-05-26 Thread Mathias Behrle
Package: release.debian.org
Severity: normal
Tags: squeeze
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-CC: maintain...@debian.tryton.org

Dear release managers,

the original fix for CVE-2013-2217 was missing a proper cleanup of the
cache directories in tmp (#749073), which can lead to saturation of
the subdirectory limit (~32000 on ext3).

I would like to upload suds_0.3.9-1+deb6u2 with this patch backported from

 https://bitbucket.org/jurko/suds/issue/15/insecure-temporary-directory-use
 
https://bitbucket.org/jurko/suds/commits/3126ac3a406c37f9982f01ad0ca4ed42cf9a47cb
 
https://bitbucket.org/jurko/suds/commits/aee4b2f0318f4b4545a1da826149edaa2c047460

Debdiff attached.

Thanks for considering,
Mathias

-- 

Mathias Behrle
PGP/GnuPG key available from any keyserver, ID: 0x8405BBF6
diff -Nru suds-0.3.9/debian/changelog suds-0.3.9/debian/changelog
--- suds-0.3.9/debian/changelog	2014-05-26 17:35:52.0 +0200
+++ suds-0.3.9/debian/changelog	2014-05-26 17:28:48.0 +0200
@@ -1,3 +1,10 @@
+suds (0.3.9-1+deb6u2) oldstable; urgency=low
+
+  * Improving fix for CVE-2013-2217 to also remove cache directories
+from tmp after program execution (Closes: #749073).
+
+ -- Mathias Behrle mathi...@m9s.biz  Mon, 26 May 2014 17:25:21 +0200
+
 suds (0.3.9-1+deb6u1) oldstable; urgency=low
 
   * Fix CVE-2013-2217 (Closes: #714340)
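Review bot: the changelog entry could state the actual behaviour change rather than only the outcome: `FileCache` now creates one `mkdtemp()` directory per process (instead of one per instance) and registers its removal with `atexit`, so "remove cache directories from tmp after program execution" is only true for a normal interpreter exit. Something like "Use a single per-process temporary cache directory, removed via atexit (Closes: #749073)" tells a reader what to expect and why the subdirectory count no longer grows.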
diff -Nru suds-0.3.9/suds/cache.py suds-0.3.9/suds/cache.py
--- suds-0.3.9/suds/cache.py	2014-05-26 17:35:52.0 +0200
+++ suds-0.3.9/suds/cache.py	2014-05-26 16:33:26.0 +0200
@@ -20,6 +20,8 @@
 
 import os
 from tempfile import gettempdir as tmp
+import tempfile
+import shutil
 from suds.transport import *
 from datetime import datetime as dt
 from datetime import timedelta
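Review bot: `import tempfile` is added here, but the `-` line in the `__init__` hunk below already calls `tempfile.mkdtemp()`, so it is worth confirming how deb6u1 resolved that name (presumably through the `from suds.transport import *` star import) and whether deb6u1 ever worked without this import. With `tempfile` now imported directly, the `from tempfile import gettempdir as tmp` alias on the line above looks redundant if nothing else in the module still calls `tmp()`, and keeping it is what makes the local `tmp = tempfile.mkdtemp(...)` further down shadow a module-level name.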
@@ -130,6 +132,8 @@
 fnsuffix = 'gcf'
 units = ('months', 'weeks', 'days', 'hours', 'minutes', 'seconds')
 
+__default_location = None
+
 def __init__(self, location=None, **duration):
 
 @param location: The directory for the cached files.
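Review bot: `__default_location = None` is process-wide state hidden behind a name-mangled class attribute, and nothing in the hunk says so; a short comment such as "Lazily created, process-wide temporary cache directory shared by every FileCache(location=None); removed at interpreter exit" would make the intent clear to the next reader. The mangling to `_FileCache__default_location` is consistent with the `FileCache.__default_location` references elsewhere in the patch, but it does mean a subclass cannot see or override the default location without using the mangled name.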
@@ -140,7 +144,7 @@
 @type duration: {unit:value}
 
 if location is None:
-location = tempfile.mkdtemp()
+location = self.__get_default_location()
 self.location = location
 self.duration = (None, 0)
 self.setduration(**duration)
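Review bot: replacing `tempfile.mkdtemp()` with `self.__get_default_location()` changes the semantics of `location=None` from "a fresh private directory per instance" to "one directory shared by every FileCache in this process", so two instances now read and overwrite each other's files for the same cache id. That sharing is presumably intended (it is what fixes the directory leak in #749073 and matches the pre-deb6u1 behaviour of a common cache directory), but the `@param location` docstring above still describes only the explicit case; add a line stating that `None` selects the process-wide temporary cache.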
@@ -169,6 +173,19 @@
 
 self.location = location
 
+@staticmethod
+def __get_default_location():
+
+Returns the current process's default cache location folder.
+The folder is determined lazily on first call.
+
+if not FileCache.__default_location:
+tmp = tempfile.mkdtemp(suds-default-cache)
+FileCache.__default_location = tmp
+import atexit
+atexit.register(FileCache.__remove_default_location)
+return FileCache.__default_location
+
 def mktmp(self):
 
 Make the I{location} directory if it doesn't already exits.
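Review bot: `tempfile.mkdtemp(suds-default-cache)` passes the name as the first positional argument, which is `suffix` in `mkdtemp(suffix, prefix, dir)`, so the directory will be named `/tmp/tmpXXXXXXsuds-default-cache` rather than carrying a recognisable prefix; if a prefix is wanted, write `tempfile.mkdtemp(prefix='suds-default-cache-')`. As shown the argument is also an unquoted expression, which would raise `NameError` at runtime, so please check that the string quotes survived the backport. Two smaller points in the same function: the local `tmp` shadows the module-level `tmp` alias imported at the top of the file, and `import atexit` belongs with the other imports at module level rather than inside the method.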
@@ -180,6 +197,13 @@
 log.debug(self.location, exc_info=1)
 return self
 
+@staticmethod
+def __remove_default_location():
+
+Removes the default cache location folder.
+
+shutil.rmtree(FileCache.__default_location, ignore_errors=True)
+
 def put(self, id, bfr):
 try:
 fn = self.__fn(id)
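Review bot: an `atexit` handler only runs on a normal interpreter exit, so a process that is killed by a signal, crashes, or leaves via `os._exit()` still leaks its directory; the fix therefore reduces the growth described in #749073 rather than eliminating it, and the changelog or a comment here should say so. The opposite failure also exists: a child created with `os.fork()` inherits both `FileCache.__default_location` and the registered handler, so a child that exits normally removes the directory while the parent is still using it. Recording `os.getpid()` when the directory is created and returning early from `__remove_default_location` when the pid differs avoids that. Finally, `ignore_errors=True` silently discards every failure; logging via `log.debug(..., exc_info=1)`, as `mktmp()` already does, would keep the behaviour but leave a trace when cleanup does not happen.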




Bug#749366: squeeze-pu: package suds/0.3.9-1+deb6u2 Bug#749073

2014-05-26 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2014-05-26 at 18:08 +0200, Mathias Behrle wrote:
 the original fix for CVE-2013-2217 was missing a proper cleanup of the
 cache directories in tmp (#749073), which can lead to saturation of
 the subdirectory limit (~32000 on ext3).
 
 I would like to upload suds_0.3.9-1+deb6u2 with this patch backported from
 
  https://bitbucket.org/jurko/suds/issue/15/insecure-temporary-directory-use
  
 https://bitbucket.org/jurko/suds/commits/3126ac3a406c37f9982f01ad0ca4ed42cf9a47cb
  
 https://bitbucket.org/jurko/suds/commits/aee4b2f0318f4b4545a1da826149edaa2c047460

Please go ahead; thanks.

Regards,

Adam

