Bug#749366: squeeze-pu: package suds/0.3.9-1+deb6u2 Bug#749073
* Adam D. Barratt: Re: Bug#749366: squeeze-pu: package suds/0.3.9-1+deb6u2 Bug#749073 (Tue, 27 May 2014 22:06:03 +0100):

> Control: tags -1 + pending
>
> On Tue, 2014-05-27 at 12:19 +0200, Mathias Behrle wrote:
> > * Adam D. Barratt: Bug#749366: squeeze-pu: package suds/0.3.9-1+deb6u2 Bug#749073 (Mon, 26 May 2014 19:57:33 +0100):
> [...]
> > > On Mon, 2014-05-26 at 18:08 +0200, Mathias Behrle wrote:
> > > > the original fix for CVE-2013-2217 was missing a proper cleanup of the cache directories in tmp (#749073), which can lead to saturation of the subdirectory limit (~32000 on ext3).
> [...]
> > > Please go ahead; thanks.
> >
> > Uploaded by sponsor Raphael Hertzog.
>
> Flagged for acceptance.
>
> > BTW: Do I need to confirm this?
>
> You don't have to, no; it can be helpful to people following the bug log though, so it's clear what stage the process is at.

Ok, now much clearer to me.

> > ftpmaster already sent 'suds_0.3.9-1+deb6u2_amd64.changes ACCEPTED into oldstable-proposed-updates-oldstable-new'
>
> To you, yes, not to us. :-)
>
> ftp-master don't notify us when new packages enter {,old}stable-new, although we do have our own tools that do so and send us a diff of the upload.
>
> As a side note, as I've seen it confuse people before, that particular accepted mail only means that the package has made it to oldstable-new; it still needs a member of the release team to process it before it reaches oldstable-proposed-updates (or gets rejected).

Thanks a lot for your work,
Mathias

-- 
Mathias Behrle
PGP/GnuPG key available from any keyserver, ID: 0x8405BBF6
Bug#749366: squeeze-pu: package suds/0.3.9-1+deb6u2 Bug#749073
* Adam D. Barratt: Bug#749366: squeeze-pu: package suds/0.3.9-1+deb6u2 Bug#749073 (Mon, 26 May 2014 19:57:33 +0100):

> Control: tags -1 + confirmed
>
> On Mon, 2014-05-26 at 18:08 +0200, Mathias Behrle wrote:
> > the original fix for CVE-2013-2217 was missing a proper cleanup of the cache directories in tmp (#749073), which can lead to saturation of the subdirectory limit (~32000 on ext3).
> > I would like to upload suds_0.3.9-1+deb6u2 with this patch backported from
> > https://bitbucket.org/jurko/suds/issue/15/insecure-temporary-directory-use
> > https://bitbucket.org/jurko/suds/commits/3126ac3a406c37f9982f01ad0ca4ed42cf9a47cb
> > https://bitbucket.org/jurko/suds/commits/aee4b2f0318f4b4545a1da826149edaa2c047460
>
> Please go ahead; thanks.

Uploaded by sponsor Raphael Hertzog.

BTW: Do I need to confirm this? ftpmaster already sent 'suds_0.3.9-1+deb6u2_amd64.changes ACCEPTED into oldstable-proposed-updates-oldstable-new'

Cheers
-- 
Mathias Behrle
PGP/GnuPG key available from any keyserver, ID: 0x8405BBF6
Bug#749366: squeeze-pu: package suds/0.3.9-1+deb6u2 Bug#749073
Control: tags -1 + pending

On Tue, 2014-05-27 at 12:19 +0200, Mathias Behrle wrote:
> * Adam D. Barratt: Bug#749366: squeeze-pu: package suds/0.3.9-1+deb6u2 Bug#749073 (Mon, 26 May 2014 19:57:33 +0100):
[...]
> > On Mon, 2014-05-26 at 18:08 +0200, Mathias Behrle wrote:
> > > the original fix for CVE-2013-2217 was missing a proper cleanup of the cache directories in tmp (#749073), which can lead to saturation of the subdirectory limit (~32000 on ext3).
[...]
> > Please go ahead; thanks.
>
> Uploaded by sponsor Raphael Hertzog.

Flagged for acceptance.

> BTW: Do I need to confirm this?

You don't have to, no; it can be helpful to people following the bug log though, so it's clear what stage the process is at.

> ftpmaster already sent 'suds_0.3.9-1+deb6u2_amd64.changes ACCEPTED into oldstable-proposed-updates-oldstable-new'

To you, yes, not to us. :-)

ftp-master don't notify us when new packages enter {,old}stable-new, although we do have our own tools that do so and send us a diff of the upload.

As a side note, as I've seen it confuse people before, that particular accepted mail only means that the package has made it to oldstable-new; it still needs a member of the release team to process it before it reaches oldstable-proposed-updates (or gets rejected).

Regards,

Adam

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#749366: squeeze-pu: package suds/0.3.9-1+deb6u2 Bug#749073
Package: release.debian.org
Severity: normal
Tags: squeeze
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-CC: maintain...@debian.tryton.org

Dear release managers,

the original fix for CVE-2013-2217 was missing a proper cleanup of the cache directories in tmp (#749073), which can lead to saturation of the subdirectory limit (~32000 on ext3).

I would like to upload suds_0.3.9-1+deb6u2 with this patch backported from
https://bitbucket.org/jurko/suds/issue/15/insecure-temporary-directory-use
https://bitbucket.org/jurko/suds/commits/3126ac3a406c37f9982f01ad0ca4ed42cf9a47cb
https://bitbucket.org/jurko/suds/commits/aee4b2f0318f4b4545a1da826149edaa2c047460

Debdiff attached.

Thanks for considering,
Mathias

-- 
Mathias Behrle
PGP/GnuPG key available from any keyserver, ID: 0x8405BBF6

diff -Nru suds-0.3.9/debian/changelog suds-0.3.9/debian/changelog --- suds-0.3.9/debian/changelog 2014-05-26 17:35:52.0 +0200 +++ suds-0.3.9/debian/changelog 2014-05-26 17:28:48.0 +0200 @@ -1,3 +1,10 @@ +suds (0.3.9-1+deb6u2) oldstable; urgency=low + + * Improving fix for CVE-2013-2217 to also remove cache directories +from tmp after program execution (Closes: #749073). + + -- Mathias Behrle mathi...@m9s.biz Mon, 26 May 2014 17:25:21 +0200 + suds (0.3.9-1+deb6u1) oldstable; urgency=low * Fix CVE-2013-2217 (Closes: #714340) diff -Nru suds-0.3.9/suds/cache.py suds-0.3.9/suds/cache.py --- suds-0.3.9/suds/cache.py 2014-05-26 17:35:52.0 +0200 +++ suds-0.3.9/suds/cache.py 2014-05-26 16:33:26.0 +0200 @@ -20,6 +20,8 @@ import os from tempfile import gettempdir as tmp +import tempfile +import shutil from suds.transport import * from datetime import datetime as dt from datetime import timedelta @@ -130,6 +132,8 @@ fnsuffix = 'gcf' units = ('months', 'weeks', 'days', 'hours', 'minutes', 'seconds') +__default_location = None + def __init__(self, location=None, **duration): @param location: The directory for the cached files. 
@@ -140,7 +144,7 @@ @type duration: {unit:value} if location is None: -location = tempfile.mkdtemp() +location = self.__get_default_location() self.location = location self.duration = (None, 0) self.setduration(**duration) @@ -169,6 +173,19 @@ self.location = location +@staticmethod +def __get_default_location(): + +Returns the current process's default cache location folder. +The folder is determined lazily on first call. + +if not FileCache.__default_location: +tmp = tempfile.mkdtemp(suds-default-cache) +FileCache.__default_location = tmp +import atexit +atexit.register(FileCache.__remove_default_location) +return FileCache.__default_location + def mktmp(self): Make the I{location} directory if it doesn't already exits. @@ -180,6 +197,13 @@ log.debug(self.location, exc_info=1) return self +@staticmethod +def __remove_default_location(): + +Removes the default cache location folder. + +shutil.rmtree(FileCache.__default_location, ignore_errors=True) + def put(self, id, bfr): try: fn = self.__fn(id) signature.asc Description: PGP signature
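Review bot: the `__init__` hunk (`@@ -140,7 +144,7 @@`) switches the `location is None` default from a per-instance `tempfile.mkdtemp()` to the shared per-process directory, which is the intended fix, but the `@param location: The directory for the cached files.` docstring in the preceding hunk's context is left unchanged; it should say that omitting `location` now shares one temporary directory across every FileCache instance in the process and that the directory is deleted at exit, since both the sharing and the shortened lifetime are new behaviour callers may depend on.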
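Review bot: in the `__get_default_location` hunk (`@@ -169,6 +173,19 @@`) the call reads `tempfile.mkdtemp(suds-default-cache)` with no quotes around the argument; as written that is a subtraction of three undefined names and would raise at run time, so confirm the real patch passes the string literal `"suds-default-cache"` (the docstring's triple-quote delimiters are likewise missing from the lines as shown). Note also that mkdtemp's first positional parameter is `suffix`, so the directory will be named like `tmpXXXXXXsuds-default-cache`; if a recognisable leading name was intended, pass `prefix="suds-default-cache"`. The local `tmp = tempfile.mkdtemp(...)` also reuses the name bound at module level by `from tempfile import gettempdir as tmp`; calling the local `path` would avoid that confusion.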
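Review bot: `__remove_default_location` (`@@ -180,6 +197,13 @@`) is only ever invoked through atexit, so the directory is removed on a normal interpreter exit but not when the process is killed by a signal or leaves via `os._exit()`; the change shrinks the leak from one directory per FileCache instance to at most one per process run, which is worth stating in the changelog entry for #749073 so administrators know a periodic sweep of `tmp` may still be needed. With `ignore_errors=True` a failed removal is silent; the `mktmp` context lines at the top of this hunk show cache.py already uses `log.debug(..., exc_info=1)`, and logging a failed rmtree the same way would make leftovers diagnosable.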
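The leak this request fixes, as an added example that is not suds code: a cache class that calls mkdtemp() once per instance and never removes the directory (the #749073 behaviour) next to the per-process shared directory with atexit cleanup that the debdiff introduces. The `tmpdir` parameter and the `leftover_dirs` helper are assumptions for the demo so it runs under a private temp root; they are not part of suds.

```python
import atexit
import os
import shutil
import tempfile

class LeakyCache:
    """Pre-fix shape: each instance calls mkdtemp() and nothing ever removes it.
    One leftover directory per instance; ext3 allows ~32000 subdirectories,
    so a process that keeps creating caches eventually cannot make another."""

    def __init__(self, tmpdir):  # tmpdir is an assumed parameter for the demo
        self.location = tempfile.mkdtemp(dir=tmpdir)

class SharedCache:
    """Post-fix shape: one lazily created per-process directory, removed at exit."""

    _default_location = None

    def __init__(self, tmpdir):
        self.location = self._get_default_location(tmpdir)

    @classmethod
    def _get_default_location(cls, tmpdir):
        if cls._default_location is None:
            # mkdtemp's first positional parameter is suffix; name it explicitly
            cls._default_location = tempfile.mkdtemp(
                suffix="suds-default-cache", dir=tmpdir)
            atexit.register(cls._remove_default_location)
        return cls._default_location

    @classmethod
    def _remove_default_location(cls):
        # Reset after removal so the atexit hook is a no-op if cleanup already ran.
        if cls._default_location is not None:
            shutil.rmtree(cls._default_location, ignore_errors=True)
            cls._default_location = None

def leftover_dirs(cache_cls, n):
    """Create n caches under one temp root; return (dirs after creation, dirs after cleanup)."""
    root = tempfile.mkdtemp(prefix="cache-demo-")
    try:
        for _ in range(n):
            cache_cls(root)
        before = len(os.listdir(root))
        cleanup = getattr(cache_cls, "_remove_default_location", None)
        if cleanup is not None:
            cleanup()  # stand-in for the interpreter exit running atexit
        return before, len(os.listdir(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Running `leftover_dirs(LeakyCache, 50)` leaves 50 directories behind both before and after the (absent) cleanup, while `leftover_dirs(SharedCache, 50)` creates one directory and leaves none once the exit hook runs.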
Bug#749366: squeeze-pu: package suds/0.3.9-1+deb6u2 Bug#749073
Control: tags -1 + confirmed

On Mon, 2014-05-26 at 18:08 +0200, Mathias Behrle wrote:
> the original fix for CVE-2013-2217 was missing a proper cleanup of the cache directories in tmp (#749073), which can lead to saturation of the subdirectory limit (~32000 on ext3).
> I would like to upload suds_0.3.9-1+deb6u2 with this patch backported from
> https://bitbucket.org/jurko/suds/issue/15/insecure-temporary-directory-use
> https://bitbucket.org/jurko/suds/commits/3126ac3a406c37f9982f01ad0ca4ed42cf9a47cb
> https://bitbucket.org/jurko/suds/commits/aee4b2f0318f4b4545a1da826149edaa2c047460

Please go ahead; thanks.

Regards,

Adam