Bug 961332
| Summary: | python-setuptools: Weak integrity checks when loading resources extracted from zipped eggs | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | unspecified | CC: | a.badger, gmollett, security-response-team | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2021-10-20 10:38:14 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 1039775 | ||||||
| Bug Blocks: | 961346 | ||||||
| Attachments: |
|
||||||
|
Description
Jan Lieskovsky
2013-05-09 12:28:16 UTC
Upstream bug report placeholder: https://bitbucket.org/tarek/distribute/issue/375 Proposed upstream patch: http://paste.jaraco.com/BBxKW This affects many other programs: http://searchcode.com/?q=PYTHON_EGG_CACHE+%2Ftmp&p=0 Created attachment 770558 [details]
Updated upstream patch
The command to recreate that diff from the setuptools repo is:
hg diff -r 48a15793cd73:e80b60445113
Expect this patch to be incorporated into Distribute 0.6.46 and Setuptools 0.7.5 and 0.8.
Jan, will you be creating bugs for RHEL/Fedora for this in near future? Any e.t.a when this will be un-embargoed? (In reply to Bohuslav "Slavek" Kabrda from comment #14) > Jan, will you be creating bugs for RHEL/Fedora for this in near future? Any > e.t.a when this will be un-embargoed? Regarding embargo date - Bohuslav, can you possibly see c#11 of this bug (speaking about embargo date of this one being this Wednesday, 10-th). If not, you should check with your manager to add you to the private_comment group. Regarding child bugs for Fedora - they will be created once this bug is public (during the Wednesday). Regarding child bugs for RHEL - it hasn't been decided if we want to correct this immediately or defer the fix. We will create bugs once that's clear. This has now been reported to oss-security: http://seclists.org/oss-sec/2013/q4/438 (although it incorrectly does not note that a CVE has already been assigned). Created python-setuptools tracking bugs for this issue: Affects: fedora-all [bug 1039775] Note for people backporting this fix: The fix in c13 allows setuptools to traceback in some circumstance. setuptools upstream made several more releases before getting all of the tracebacks worked out (see the end of the upstream bug report: https://bitbucket.org/tarek/distribute/issue/375 ) Also note -- setuptools is bundled in a few other packages. Someone will need to figure out what those packages are to make sure they are bundling a recent enough version. :-( [and note that they may be bundling both setuptools and distribute. Have to make sure that both of those are updated enough]. python-setuptools-0.6.49-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. python-setuptools-0.6.49-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. |