PyPI: suds

CVE-2013-2217

Safety vulnerability ID: 45118

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created: Sep 23, 2013. Updated: Aug 24, 2024.

Advisory

Suds 0.7.0 includes a fix for CVE-2013-2217, a `FileCache` default cache location security issue found in the original suds project. The original `suds.cache.FileCache` defaulted to a fixed, predictable directory shared by every user on the host (`suds` under the system temporary directory, typically `/tmp/suds`), so a local user who pre-created that directory, or planted a symlink at a cache file with a predictable name, could have their own WSDL/XML documents read back by another user's client and redirect its SOAP queries. The fix gives each process its own private temporary directory as the default cache location and removes it on exit.

Affected package

suds

Latest version: 1.2.0

Lightweight SOAP client (community fork)

Affected versions

Fixed versions

Vulnerability changelog


- Based on revision 712 (1e48fd79a1fc323006826439e469ba7b3d2b5a68)
from the original `suds` Python library development project's
Subversion repository.
- Last officially packaged & released `suds` Python library
version - 0.4.1.
- Supported Python versions.
- Intended to work with Python 2.4+, except for the following
versions:
- Python 3.0.x - not supported by setuptools, pip or pytest.
- Basic sources prepared for Python 2.x.
- To use Python 3, the sources are first processed by Python's
`2to3` tool during the setup procedure.
- Tested in the environments listed in the project's `.travis.yml`
file.
- Improved support for `decimal` XSD types.
- Now modeled internally using Python's `decimal.Decimal` type
instead of `float` - see the new `suds.xsd.sxbuiltin.XDecimal`
class.
- Based on a patch included with ticket [454](http://fedorahosted.org/suds/ticket/454) for the original
`suds` library implementation.
- In order to get a `decimal` value formatted correctly in
constructed SOAP request XML documents, pass it to `suds` as
`decimal.Decimal` or an `int`/`long`.
- In general, passing a value of a Python type other than
`decimal.Decimal` causes that type's native string
representation to be used which might not strictly match the
lexical representation rules defined in the XSD
specification for the `decimal` XSD type. For instance, a
`float` value may be represented using scientific notation,
or a `fractions.Fraction` may be represented using its
`numerator` & `denominator` values.
- Specific user applications can easily register their own
customized `XDecimal` implementation using
`suds.xsd.sxbuiltin.Factory.maptag()` if they want to use
more specialized `decimal` value handling.
- Updated how `suds` constructs its cached WSDL & XML identifiers to
allow cached data reuse between different processes with Python's
hash randomization feature enabled.
- Previously constructed using the built-in Python `hash()`
function, while now it gets constructed using `md5` hash.
- Python's hash randomization (implemented since Python 2.6.8,
enabled by default since Python 3.3) salts the built-in `hash()`
differently in each process, so different processes were mangling
their cached data names differently and could never reuse each
other's cached documents.
- Many thanks to Eugene Yakubovich for reporting the issue as well
as providing the initial fix.
- Fixed loading recursive WSDL imports.
- Fixed loading recursive XSD imports/includes.
- Fixed an infinite recursion bug encountered when looking for an XSD
type in an XSD schema that does not contain it but itself defines a
type referencing a recursively defined type from an imported XSD
schema.
- Kudos to Kevin Pors (krpors on BitBucket) for
detecting, analysing & reporting the issue, plus preparing a
working quick-fix.
- Removed never actually used `suds.mx.appender.DictAppender` class.
- All code paths that could potentially lead to this class getting
used convert any encountered dictionaries to
`suds.sudsobject.Object` instances and report an error in case a
corresponding XSD type can not be found.
- Now marshalling passed empty object optional params as empty SOAP
request XML elements.
- Before, passing an empty suds object as an optional parameter
value was treated the same as not passing that parameter's
value or passing it `None` - the value would not get marshalled
into the constructed SOAP request at all.
- Now, user can still not have the value marshalled by passing
nothing or `None`, but passing an empty object will get
marshalled as an actual SOAP request XML element.
- Kudos to Nicholas Chen (nicholaschen at BitBucket) & Mark
Saniscalchi (msaniscalchi at BitBucket) for reporting the issue
and preparing the initial fix.
- Made `suds` no longer eat up, log & ignore exceptions raised from
registered user plugins (detected & reported by Ezequiel Ruiz &
Bouke Haarsma, patch & test case contributed by Bouke Haarsma).
- Fixed places in code where `suds` could eat up & silently ignore
internal Python exceptions like `KeyboardInterrupt` or `SystemExit`.
- Fixed the exception message used when attempting to construct a
`suds.sax.element.Element` with a non-`Element` parent.
- `suds.xsd.sxbase.SchemaObject.content()` now runs in linear instead
of quadratic time.
- `DepList` class replaced with a simple `dependency_sort()` function
taking a single dependency dictionary as input.
- The original implementation's interface was too heavy-weight
with no added value.
- Anything tried with the original interface outside the basic
use-case covered by `dependency_sort()` was actually or could be
easily broken.
- `suds.xsd.deplist` module renamed to `suds.xsd.depsort`.
- Global XSD elements (i.e. top-level + reference elements) are now
correctly always considered qualified and their `form` attribute
values are ignored.
- Many thanks to Andrew Yager from BitBucket for reporting the
issue.
- `suds.cache` module cleanup.
- Fixed `FileCache` default cache location related security issue
(the previous default was a fixed, predictable directory under the
system temporary directory, shared by all users on the host).
- Each process now uses a separate, freshly created temporary
folder as its default cache location.
- Different `FileCache` instances within the same process
still use the same default cache location and user may still
explicitly specify a non-default location for each
`FileCache` instance.
- Default cache location now gets removed automatically on
process exit. User code may disable this removal by setting
the `FileCache.remove_default_location_on_exit` class
attribute to False.
- Additional external information on this issue:
- [Red Hat bug 978696](https://bugzilla.redhat.com/show_bug.cgi?id=978696)
- [CVE-2013-2217](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2217)
- [Ubuntu USN-2008-1: Suds vulnerability](http://www.ubuntu.com/usn/USN-2008-1)
- <http://lists.opensuse.org/opensuse-updates/2013-07/msg00062.html>
- <https://bugzilla.novell.com/show_bug.cgi?id=827568>
- <http://www.openwall.com/lists/oss-security/2013/06/27/8>
- Many thanks to Rolf Krahl for the initial report, providing
links to related external resources as well as helping
brainstorm the whole issue.
- Fixed a bug causing `DocumentCache` to never actually cache any
documents since one of the last commits made to the original
`suds` project.
- That commit refactored `suds.sax.document.Document` so it is
no longer derived from `suds.sax.element.Element` while the
`suds.cache.DocumentCache.put()` implementation simply did
nothing when passed something other than a
`suds.sax.element.Element` instance.
`suds.reader.DocumentReader` on the other hand always passes
`suds.sax.document.Document` instances to its cache's
`put()` method.
- Many thanks to bgr_ at BitBucket for reporting the issue.
- Fixed a bug causing `DocumentCache` & `ObjectCache` to not
remove their cached files when failing to read data from them or
process the data read from them.
- `FileCache` version file operations now take care to close the
file in case of a failed read/write operation.
- Removed `FileCache.setlocation()` method as it was never used
inside `suds` and if used from user code would have caused the
cache to use a specific folder but without making sure that the
data already stored in it has been prepared for the correct
`suds` version, as done when passing a location parameter to the
`FileCache` constructor.
- Private and protected `FileCache` interface methods renamed to
use leading underscores.
- `FileCache.getf()` --> `FileCache._getf()`.
- `FileCache.__fn()` --> `FileCache.__filename()`.
- `FileCache.checkversion()` --> `FileCache.__check_version()`.
- `FileCache.mktmp()` --> `FileCache.__mktmp()`.
- `FileCache.open()` --> `FileCache.__open()`.
- `FileCache.setduration()` --> `FileCache.__set_duration()`.
- `FileCache.validate()` --> `FileCache.__remove_if_expired()`.
- Updated `FileCache` duration implementation.
- `FileCache` construction now takes standard
`datetime.timedelta` duration related keyword arguments
instead of just `weeks`, `days`, `hours`, `minutes` &
`seconds`. More to the point, it now also supports
`milliseconds` & `microseconds` keyword arguments.
- Corrected `FileCache` docstring stating that it accepted a
`months` keyword argument. Using that argument would
actually have caused a failure when passing it to a
`datetime.timedelta` initializer internally.
- You may now specify multiple duration keyword arguments in
`FileCache` construction and they will all get summed up
when constructing the internal `datetime.timedelta` duration
representation. Before, you could specify such multiple
arguments, but that would only make the `FileCache` silently
use duration `0`, i.e. its cache entries would never expire.
- Fixed `suds.sax.document.Document` str conversion broken around the
end of 2011 by some accidental interaction between our Python 3
compatibility fixes and one of the final official `suds` project
commits making `suds.sax.document.Document` no longer be derived
from `suds.sax.element.Element`.
- Many thanks to Ezequiel Ruiz (emruiz81 at BitBucket) for
detecting & reporting the issue, as well as providing the
initial patch.
- Cleaned up `suds.transport` ASCII/unicode URL/data handling.
- `suds.transport.Request` now allows specifying its URL input as
either a byte or a unicode string with any Python version.
Internally that URL information is always converted to the used
Python interpreter's native `str` data type (byte string for
Python versions prior to 3.0, or unicode string for later ones).
- Given URLs must not contain any non-ASCII characters, and any
attempt to create a `suds.transport.Request` with such an
invalid URL is reported as a `UnicodeError` (either
`UnicodeDecodeError` or `UnicodeEncodeError` depending on the
exact Python version and the given URL data type used).
- `suds.transport.Reply` & `suds.transport.Request` string
representation cleaned up and no longer raises an error when
their message data contains non-ASCII characters.
- `suds.client` module cleanup.
- Removed unused `suds.client.Client.messages` attribute.
- Renamed private `SoapClient` & `SimClient` classes:
- `SoapClient` --> `_SoapClient`.
- `SimClient` --> `_SimClient`.
- Several private methods renamed:
- `_SoapClient.location()` --> `_SoapClient.__location()`.
- `_SoapClient.get_fault()` --> `_SoapClient.__get_fault()`.
- `_SoapClient.headers()` --> `_SoapClient.__headers()`.
- `RequestContext` no longer has `client` & `original_envelope`
attributes.
- `client` attribute seems unnecessary.
- `original_envelope` was an incorrectly documented bug trap -
it represented the XML request envelope as a `SAX` XML
document from after being processed by registered
`marshalled` plugins, but before being processed by
registered `sending` plugins. Users should use the
`envelope` attribute instead which can easily be converted
into a `SAX` XML document if needed by parsing it using
`suds.sax.parser.Parser.parse()`. That envelope has been
consistently processed by all relevant registered plugins
and matches the data to be sent over the registered
transport exactly.
- Cleaned up `_SoapClient` debug log messages a bit.
- `suds.reader` module cleanup.
- Several private methods renamed:
- `DocumentReader.cache()` --> `DocumentReader.__cache()`
- `DocumentReader.download()` --> `DocumentReader.__fetch()`
- `DefinitionsReader.cache()` --> `DefinitionsReader.__cache()`
- Updated the `BuildError` exception message.
- Reformatted.
- Converted to a unicode string.
- Marked `suds.mx.core.Core.node()` as abstract since this base class
variant is never actually used (both `Encoded` & `Literal` derived
classes use a different implementation).
- `suds.binding.Binding` converted to a new-style class.
- `suds.tostr()` utility function may no longer silently eat internal
Python exceptions like `KeyboardInterrupt` or `SystemExit`.
- Removed the unused `SoapHeadersNotPermitted` exception class.
- Extra input arguments now reported when invoking web service
operations taking no input parameters.
- Using injected requests/replies/error-information with a web service
operation taking at least one input parameter no longer causes
`suds` to report an invalid extra argument error.
- Internal project development improvements.
- The project will from now on be distributed as a wheel as well
as a source distribution.
- Added a script for automatically setting up required development
Python environments for this project, hopefully supporting the
full range of supported Python versions out of the box.
- Improved internal project `HACKING.rst` documentation.
- `setup.py` improvements.
- Python 3.0.x releases explicitly marked as not supported.
- Attempting to run `setup.py` in an unsupported Python
environment now reports a clean error message.
- Now uses `setuptools` 1.4.2 with Python 2.4 & 2.5, and
`setuptools` 5.1 with all more recent Python releases.
- Project may now be installed even in environments where you
can not install `setuptools`.
- In such cases `setup.py` will attempt to use any
preinstalled `setuptools` version, and if none is available,
it will disable some of its features and fall back to using
a plain `distutils` based setup. See the `setup.py` script
comments for a more detailed listing of all `setup.py`
features affected by this.
- Fixed several installation issues when installing into Python
3.x environments prior to Python 3.2.3.
- When installing the project into a Python 3.x environment prior
to Python 3.2, `setuptools` is not installed automatically since
one of its test modules contains UTF-8 BOM characters, which
would cause such automated installation to fail.
- If needed, `setuptools` can still be installed into such
environments by manually running its `ez_setup.py`
installation script. Such an installation will encounter the
same errors but will ignore them, effectively just leaving
the installed `setuptools` package with one defective test
module, but fully operational at run-time.
- When installing the project into a Windows Python 2.5
environment, you no longer need to manually install a compatible
`colorama` package version in order to be able to run the
project tests.
- Package meta-data may now contain non-ASCII characters on
platforms where that is allowed, namely with all Python versions
except Python 3.x prior to 3.2.2.
- `setup.py test` command improvements.
- Now works in Python 2.4.x environments.
- Now reports cleanly if it can not be used for some reason,
both when run and in the command's `--help-commands`
listing.
- Better commented the related implementation.
- Test suite improvements.
- Test suite no longer installed together with the project, thus
no longer causing confusion by existing in the target Python
environment as a global `tests` package.
- The tests may now be run from the source archive, and will
always run on the `suds` version found installed in the used
Python environment.
- Refactored the quick & dirty batch script used to run all the
project tests in multiple Python environments to remove much
code duplication.
- Automated project testing in several additional Python
environment versions.
- Added more detailed XSD modeling tests.
- Added tests demonstrating how additional or replacement built-in
XSD types can be registered with `suds`.
- All project tests now using Python 2 & 3 compatible source code
and so no longer need to be built separately for Python 3.
- Added new and updated existing `suds.cache` module related
tests.
- Documented that all `pytest` test parametrizations should be
prepared so they get ordered the same on all test runs. See
`Project implementation note 1` in `HACKING.rst` for more
detailed information.
- Many thanks to Bruno Oliveira (nicoddemus at BitBucket) for
researching related `pytest` `xdist` usage problems,
discovering & explaining the underlying issue as well as
providing an initial project patch for it.
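The two `suds.cache` changes above (md5-based cache identifiers that survive hash randomization, and a private per-process default cache location that is removed at exit) can be modelled side by side with the predictable shared path the CVE describes. This is an added example in plain Python 3 using only the standard library; it is not code from the suds project. The class and method names, the `suds-<version>-<digest>` file naming scheme, the `legacy_default_location` helper and the sample URL are assumptions chosen for illustration.

```python
"""Model of a hardened FileCache default location and stable cache names.

Added example, not suds project code. Names and the file naming scheme are
assumptions; the behaviour mirrors what the changelog describes.
"""
import atexit
import hashlib
import os
import shutil
import stat
import tempfile


def legacy_default_location():
    """The fixed, shared path the CVE-2013-2217 advisory describes.

    Every user on the host resolves this to the same directory, so whoever
    creates it first controls what other users' clients read back as cached
    WSDL/XSD documents (pre-planted file or symlink at a predictable name).
    """
    return os.path.join(tempfile.gettempdir(), "suds")


def cache_name(identifier, version="0.7.0"):
    """Deterministic file name for a cached document identifier (e.g. a URL).

    The built-in hash() is salted per process once hash randomization is on,
    so two processes would name the same document differently and never
    share a cache. An MD5 digest is stable across processes; it is only a
    naming function here, not an integrity check.
    """
    if isinstance(identifier, str):
        identifier = identifier.encode("utf-8")
    return "suds-%s-%s.px" % (version, hashlib.md5(identifier).hexdigest())


def location_is_private(path):
    """True when path exists, is owned by us and is closed to group/others."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    owner_ok = not hasattr(os, "getuid") or st.st_uid == os.getuid()
    return owner_ok and (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


class FileCache(object):
    """Instances without an explicit location share one private,
    per-process temporary directory that is removed at interpreter exit."""

    remove_default_location_on_exit = True  # set False to keep it after exit
    _default_location = None                # shared by all instances in-process

    def __init__(self, location=None):
        if location is None:
            location = self._get_default_location()
        elif not os.path.isdir(location):
            os.makedirs(location, 0o700)
        self.location = location

    @classmethod
    def _get_default_location(cls):
        if cls._default_location is None:
            # mkdtemp creates a fresh, randomly named directory with mode 0700
            # owned by this user: no other local user can pre-create, replace
            # or symlink files inside it, unlike a predictable shared path.
            cls._default_location = tempfile.mkdtemp(prefix="suds-")
            atexit.register(cls._remove_default_location)
        return cls._default_location

    @classmethod
    def _remove_default_location(cls):
        if cls._default_location and cls.remove_default_location_on_exit:
            shutil.rmtree(cls._default_location, ignore_errors=True)
        cls._default_location = None

    def _path(self, identifier):
        return os.path.join(self.location, cache_name(identifier))

    def put(self, identifier, data):
        # Write to a temp file in the same directory and rename it into place,
        # so a concurrent reader never sees a half-written document.
        fd, tmp = tempfile.mkstemp(dir=self.location)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.replace(tmp, self._path(identifier))

    def get(self, identifier):
        try:
            with open(self._path(identifier), "rb") as f:
                return f.read()
        except OSError:
            return None


if __name__ == "__main__":
    url = "http://example.invalid/service?wsdl"  # constructed sample identifier
    a, b = FileCache(), FileCache()
    a.put(url, b"<definitions/>")
    print(a.location, location_is_private(a.location), b.get(url))
```

Two instances created without a location share the same private directory, so a document cached by one is visible to the other within the process, while the directory itself is unreachable to other local users; explicitly passing `location=` opts out of the per-process default, exactly as the changelog entry allows.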


Severity Details

CVSS Base Score: LOW 1.2

CVSS v2 Details (vector AV:L/AC:H/Au:N/C:N/I:P/A:N): LOW 1.2

- Access Vector (AV): LOCAL
- Access Complexity (AC): HIGH
- Authentication (Au): NONE
- Confidentiality Impact (C): NONE
- Integrity Impact (I): PARTIAL
- Availability Impact (A): NONE