Package: release.debian.org Severity: normal Tags: squeeze User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-CC: maintain...@debian.tryton.org
Dear release managers, the original fix for CVE-2013-2217 was missing a proper cleanup of the cache directories in tmp (#749073), which can lead to saturation of the subdirectory limit (~32000 on ext3). I would like to upload suds_0.3.9-1+deb6u2 with this patch backported from https://bitbucket.org/jurko/suds/issue/15/insecure-temporary-directory-use https://bitbucket.org/jurko/suds/commits/3126ac3a406c37f9982f01ad0ca4ed42cf9a47cb https://bitbucket.org/jurko/suds/commits/aee4b2f0318f4b4545a1da826149edaa2c047460 Debdiff attached. Thanks for considering, Mathias -- Mathias Behrle PGP/GnuPG key available from any keyserver, ID: 0x8405BBF6
diff -Nru suds-0.3.9/debian/changelog suds-0.3.9/debian/changelog
--- suds-0.3.9/debian/changelog 2014-05-26 17:35:52.000000000 +0200
+++ suds-0.3.9/debian/changelog 2014-05-26 17:28:48.000000000 +0200
@@ -1,3 +1,10 @@
+suds (0.3.9-1+deb6u2) oldstable; urgency=low
+
+ * Improving fix for CVE-2013-2217 to also remove cache directories
+ from tmp after program execution (Closes: #749073).
+
+ -- Mathias Behrle <mathi...@m9s.biz> Mon, 26 May 2014 17:25:21 +0200
+
 suds (0.3.9-1+deb6u1) oldstable; urgency=low
 * Fix CVE-2013-2217 (Closes: #714340)
diff -Nru suds-0.3.9/suds/cache.py suds-0.3.9/suds/cache.py
--- suds-0.3.9/suds/cache.py 2014-05-26 17:35:52.000000000 +0200
+++ suds-0.3.9/suds/cache.py 2014-05-26 16:33:26.000000000 +0200
@@ -20,6 +20,8 @@
 import os
 from tempfile import gettempdir as tmp
+import tempfile
+import shutil
 from suds.transport import *
 from datetime import datetime as dt
 from datetime import timedelta
@@ -130,6 +132,8 @@
 fnsuffix = 'gcf'
 units = ('months', 'weeks', 'days', 'hours', 'minutes', 'seconds')
+ __default_location = None
+
 def __init__(self, location=None, **duration):
 """
 @param location: The directory for the cached files.
@@ -140,7 +144,7 @@
 @type duration: {unit:value}
 """
 if location is None:
- location = tempfile.mkdtemp()
+ location = self.__get_default_location()
 self.location = location
 self.duration = (None, 0)
 self.setduration(**duration)
@@ -169,6 +173,19 @@
 """
 self.location = location
+ @staticmethod
+ def __get_default_location():
+ """
+ Returns the current process's default cache location folder.
+ The folder is determined lazily on first call.
+ """
+ if not FileCache.__default_location:
+ tmp = tempfile.mkdtemp("suds-default-cache")
+ FileCache.__default_location = tmp
+ import atexit
+ atexit.register(FileCache.__remove_default_location)
+ return FileCache.__default_location
+
 def mktmp(self):
 """
 Make the I{location} directory if it doesn't already exits.
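Review bot: The `@param location` docstring of `__init__` (hunk `@@ -140,7 +144,7 @@`) still describes only the explicit-directory case, while the new `location = self.__get_default_location()` line makes `None` mean a temporary directory that is created once per process, stored on the class as `__default_location` (so every instance, and any subclass, appears to share it) and removed at interpreter exit. A caller reading the docstring cannot learn that cache files written under the default location disappear when the process ends, which matters for anyone relying on the cache across runs. I would extend the parameter description with `If None, a private per-process temporary directory is created on first use and removed when the interpreter exits.` The body of `__init__` and its docstring begin before this hunk.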
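Review bot: In `__get_default_location` (hunk `@@ -169,6 +173,19 @@`), `tempfile.mkdtemp("suds-default-cache")` passes the name as mkdtemp's first positional parameter, which is `suffix`, so the directory is created as `tmpXXXXXXsuds-default-cache` rather than with the recognisable leading name an operator inspecting tmp would look for; if a prefix is intended, write `tmp = tempfile.mkdtemp(prefix="suds-default-cache")`. The local name `tmp` also shadows the module-level alias introduced by `from tempfile import gettempdir as tmp` (visible in the first cache.py hunk), which is harmless inside this function but misleading to read; `path` would be clearer. The property that the CVE-2013-2217 fix relies on, a freshly created mkdtemp directory instead of a predictable path, is preserved by this change.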
@@ -180,6 +197,13 @@
 log.debug(self.location, exc_info=1)
 return self
+ @staticmethod
+ def __remove_default_location():
+ """
+ Removes the default cache location folder.
+ """
+ shutil.rmtree(FileCache.__default_location, ignore_errors=True)
+
 def put(self, id, bfr):
 try:
 fn = self.__fn(id)
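Review bot: `shutil.rmtree(FileCache.__default_location, ignore_errors=True)` in `__remove_default_location` silently keeps the directory whenever removal fails, which reproduces exactly the accumulation in tmp that #749073 describes but now without any trace in the log; passing `onerror=lambda fn, path, exc: log.debug("failed to remove %s", path, exc_info=1)` instead of `ignore_errors=True` keeps the best-effort behaviour while leaving evidence (`log` is already used in the context line above). Because the cleanup is registered with atexit it runs only on normal interpreter shutdown, so a process that is killed by a signal or leaves via `os._exit()` still leaves its directory behind, which is worth stating in the docstring so the changelog's "remove cache directories after program execution" is not read as a guarantee. Resetting `FileCache.__default_location = None` after the rmtree would also avoid handing a removed path to a late caller during shutdown.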