Advisories » MGASA-2015-0122

Updated python-rope packages fix security vulnerabilities

Publication date: 01 Apr 2015
Modification date: 01 Apr 2015
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-3539

Description

The python-rope utility has been caught passing remotely supplied data to
pickle.load(), enabling possible code-execution attacks. This can happen when
the 'perform_doa' (dynamic object analysis) option is enabled, which was
previously the default.

This update changes the default configuration to disable this option. This
only mitigates the issue, as it will still be vulnerable if the option is
enabled.

If 'perform_doa' is enabled, python-rope can under some circumstances be
persuaded to open a network port for a short moment of time, which can be used
to push commands to the running process; the process could then run those
commands with the privileges of the user running python-rope. Anyone who
enables this option is advised to make sure the computer is protected by a
firewall.
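The root cause described above is unpickling data of remote origin, which the configuration change only mitigates. The following is an added example, not code from python-rope or from Mageia; it contrasts the unguarded pickle.load() pattern with a restricted unpickler that refuses to resolve any global outside a safelist, so a pickle cannot name a callable for the process to run. The sample messages are constructed here, and the safelist contents are an assumption for the demo, not rope's real data format.

```python
import io
import os  # used only to pickle a benign function reference for the demo
import pickle

# Safelist of (module, name) pairs the unpickler may resolve. Plain containers
# and scalars need no globals at all; range() is listed because its pickle
# references builtins.range. Everything else, including every callable, is
# refused, so a pickle cannot name a function to execute.
SAFE_GLOBALS = {("builtins", "range")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals present in SAFE_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def unsafe_load(data: bytes):
    # The pattern the advisory describes: pickle.load()/loads() on data that
    # arrived over the network. Any global named in the pickle is resolved.
    return pickle.loads(data)


def restricted_load(data: bytes):
    # Hardened form: same wire format, but globals are checked before import.
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(data: bytes) -> str:
    """Return 'accepted' or 'rejected' for the restricted unpickler."""
    try:
        restricted_load(data)
        return "accepted"
    except pickle.UnpicklingError:
        return "rejected"


# Constructed sample messages (not real rope traffic):
PLAIN_DATA = pickle.dumps({"name": "rope", "lines": [1, 2, 3]})  # data only
RANGE_DATA = pickle.dumps(range(3))  # needs the safelisted builtins.range
# Pickling a function stores a GLOBAL reference to it. The plain loader hands
# back a live callable; the restricted loader refuses the global outright.
CALLABLE_REF = pickle.dumps(os.getcwd)

if __name__ == "__main__":
    print(restricted_load(PLAIN_DATA), list(restricted_load(RANGE_DATA)))
    print(classify(CALLABLE_REF), callable(unsafe_load(CALLABLE_REF)))
```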

SRPMS

4/core