Bug 31248

Summary: python-certifi new security issue CVE-2022-23491
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, sysadmin-bugs, yvesbrungard
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: python-certifi-2020.6.20-1.mga8.src.rpm CVE:
Status comment:
Bug Depends on: 31232    
Bug Blocks:    

Description David Walser 2022-12-08 15:47:23 CET 
+++ This bug was initially created as a clone of Bug #31232 +++

Ubuntu has issued an advisory on December 5:
https://ubuntu.com/security/notices/USN-5761-1

The upstream change is this:
https://github.com/nss-dev/nss/commit/79ef8de788dfc8952d34155d3694ad1e159fcb3f

which Ubuntu deemed insufficient, and they completely removed the TrustCor CA cert(s) from their package, which I have not done.  A more detailed explanation of this issue is here:
https://utcc.utoronto.ca/~cks/space/blog/linux/CARootStoreTrustProblem

CVE-2022-23491 has been issued for this in association with the python-certifi package:
https://github.com/certifi/python-certifi/security/advisories/GHSA-43fp-rhv2-5gv8

If this package is bundling its own copy of the rootcerts, that should be changed so that it uses our system rootcerts.  It also should be updated.
David Walser 2022-12-08 15:47:35 CET

Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2023-01-27 00:03:29 CET 
SUSE has issued an advisory for this on January 25:
https://lists.suse.com/pipermail/sle-security-updates/2023-January/013525.html
Comment 2 David Walser 2023-01-27 16:22:30 CET 
(In reply to David Walser from comment #1)
> SUSE has issued an advisory for this on January 25:
> https://lists.suse.com/pipermail/sle-security-updates/2023-January/013525.
> html

Equivalent openSUSE advisory:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Y3LLORQTVTGQTFXP5FORJ4PISPVZLTEA/
Comment 3 papoteur 2023-02-15 10:24:23 CET 
urpmq --whatrequires python3-twisted
buildbot
buildbot-master
buildbot-worker
deluge
kajongg
...
syncevolution

CC: (none) => yves.brungard_mageia

Comment 4 David Walser 2023-03-30 23:36:03 CEST 
Fedora has issued an advisory for this today (March 30):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XVERIAPNA4QIBOA26OBVAYISGS3HRQDC/
Comment 5 David Walser 2023-03-30 23:45:04 CEST 
The issue is fixed upstream in 2022.12.07.

Severity: normal => major
Status comment: (none) => Fixed upstream in 2022.12.07

Comment 6 David GEIGER 2023-03-31 07:53:13 CEST 
On Cauldron we have already python3-certifi-2022.12.7-1.mga9

CC: (none) => geiger.david68210

Comment 7 David GEIGER 2023-03-31 08:01:31 CEST 
Done for mga8!
Comment 8 David Walser 2023-03-31 14:29:13 CEST 
python3-certifi-2022.12.7-1.mga8

from python-certifi-2022.12.7-1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
Source RPM: python-certifi-2022.6.15-1.mga9.src.rpm => python-certifi-2020.6.20-1.mga8.src.rpm
Assignee: python => qa-bugs
Status comment: Fixed upstream in 2022.12.07 => (none)
Version: Cauldron => 8

Comment 9 Thomas Andrews 2023-04-13 16:25:08 CEST 
No installation issues.

No previous updates.  urpmq --whatrequires indicates that yt-dlp needs this package, and in turn Clipgrab requires yt-dlp.

So, tested by using Clipgrab to download three different Youtube videos. No issues noted.

Validating.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 10 Herman Viaene 2023-04-13 16:33:27 CEST 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
No previous updates, so chasing around and found that yt-dlp is dependent.
So did
$ strace -o ~/Documents/certif.txt yt-dlp https://www.youtube.com/watch?v=_Qci7E8nQ_o&pp=ygUSb2xkIGlyaXNoIGJsZXNzaW5n
[1] 19983
[tester8@mach7 Music]$ [youtube] Extracting URL: https://www.youtube.com/watch?v=_Qci7E8nQ_o
[youtube] _Qci7E8nQ_o: Downloading webpage
[youtube] _Qci7E8nQ_o: Downloading android player API JSON
[info] _Qci7E8nQ_o: Downloading 1 format(s): 248+251
[download] Destination: Old Irish Blessing - Denes Agay [_Qci7E8nQ_o].f248.webm
[download] 100% of   30.65MiB in 00:00:07 at 4.24MiB/s
[download] Destination: Old Irish Blessing - Denes Agay [_Qci7E8nQ_o].f251.webm
[download] 100% of    2.15MiB in 00:00:00 at 4.54MiB/s
[Merger] Merging formats into "Old Irish Blessing - Denes Agay [_Qci7E8nQ_o].webm"
Deleting original file Old Irish Blessing - Denes Agay [_Qci7E8nQ_o].f248.webm (pass -k to keep)
Deleting original file Old Irish Blessing - Denes Agay [_Qci7E8nQ_o].f251.webm (pass -k to keep)

[1]+  Done                    strace -o ~/Documents/certif.txt yt-dlp https://www.youtube.com/watch?v=_Qci7E8nQ_o
And found different refs to /usr/lib/python3.8/site-packages/certifi/
and resulting file plays in vlc, so OK for me.

CC: (none) => herman.viaene

Dave Hodgins 2023-04-15 18:21:41 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 11 Mageia Robot 2023-04-15 21:05:20 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0140.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED