Bug 26614 - python-virtualenv possible new security issues due to bundled urllib3 and requests
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-12 20:32 CEST by David Walser
Modified: 2021-01-08 01:32 CET

See Also:
Source RPM: python-virtualenv-16.1.0-3.mga7.src.rpm
CVE:
Status comment: Possibly invalid as bundled wheels are removed during build


Attachments

Description David Walser 2020-05-12 20:32:38 CEST
RedHat has issued an advisory today (May 12):
https://access.redhat.com/errata/RHSA-2020:2081

Details are in the RedHat bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1778105#c2
https://bugzilla.redhat.com/show_bug.cgi?id=1778103#c2
Comment 1 Bruno Cornec 2021-01-05 00:12:38 CET
python-virtualenv-16.1.0-3.1.mga7 submitted to mga7 update_testing by applying Red Hat patch.

Status: NEW => ASSIGNED
Assignee: python => qa-bugs
CC: (none) => bruno

Comment 2 David Walser 2021-01-05 00:41:15 CET
Looks like CVE-2018-20060 and CVE-2019-11236 are in the patch Bruno added, but not CVE-2018-18074.  See here for the missing patch:
https://git.centos.org/rpms/python-virtualenv/c/978cfa779ba16e6eae9e61dcdbe004039db62731?branch=c7

Keywords: (none) => feedback

David Walser 2021-01-05 00:48:17 CET

Status comment: (none) => CVE-2018-18074 to be addressed

Comment 3 Bruno Cornec 2021-01-05 14:33:20 CET
That patch doesn't apply at all to our source code base, as the 2 files it tries to patch do not exist in our tree, nor does the class it modifies.
Is python-requests really bundled in this version?
(The function get_redirect_target, for example, is not in our source tree.)
Comment 4 David Walser 2021-01-05 15:16:22 CET
OK, looking closer at this, the patch you added just creates two patch files, but it doesn't actually apply them to anything.  However, since the SPEC deletes the wheel files that the patches would be applied to, I think that just gets rid of all the bundled stuff, and this bug is INVALID.  Am I missing something?

Status comment: CVE-2018-18074 to be addressed => Possibly invalid as bundled wheels are removed during build
Assignee: qa-bugs => python
Keywords: feedback => (none)

Comment 5 Bruno Cornec 2021-01-07 00:50:25 CET
That's also my understanding; the last CVE mentioned, 2018-18074, doesn't seem to be relevant to this version in mga7.

My recommendation would be to test the update made earlier to check, if possible, that it fixes the other issues, and also to check that this one is not an issue with it.
Comment 6 David Walser 2021-01-07 00:56:15 CET
I'll just close this.

Status: ASSIGNED => RESOLVED
Resolution: (none) => INVALID

Comment 7 Bruno Cornec 2021-01-07 01:43:36 CET
Shouldn't we move that BR to QA so they can validate the update fixing CVE-2018-20060 and CVE-2019-11236?

Status: RESOLVED => REOPENED
Resolution: INVALID => (none)

Comment 8 David Walser 2021-01-07 02:51:00 CET
No, like I said, you just added a patch that creates two patch files.  You didn't actually apply the patches to anything.  It looks like what you would apply them to gets removed.

Resolution: (none) => INVALID
Status: REOPENED => RESOLVED

Comment 9 Bruno Cornec 2021-01-07 09:23:19 CET
There were 2 patches in discussion here: one coming from Red Hat, which I applied and which fixes CVE-2018-20060 and CVE-2019-11236 (your comment of the 5th of January above), and the last one from CentOS, which is useless for our version.

So IMHO we still need to validate the python-virtualenv-16.1.0-3.1.mga7 package. Is there another BR which is tracking that, allowing us to close this one?

Resolution: INVALID => (none)
Status: RESOLVED => REOPENED

Bruno Cornec 2021-01-07 09:23:39 CET

Assignee: python => qa-bugs

Comment 10 David Walser 2021-01-07 16:06:48 CET
Bruno, please take another look at what you did here:
http://svnweb.mageia.org/packages?view=revision&revision=1668929

As I said in Comment 4 and Comment 8, you did not patch anything.  Your patch just creates two patch files, which are not applied to anything.  There is, in fact, nothing to apply them to.

Resolution: (none) => INVALID
Status: REOPENED => RESOLVED

Comment 11 Bruno Cornec 2021-01-08 01:00:08 CET
Ok, so I understand the issue. I had not pushed the second patch into SVN, and I now realize that neither of the 2 patches I wanted to add works for this version. Apologies for this.

However, now I need to revert the SVN state to where it was before in order to avoid future issues.

Thanks for your help.
Comment 12 David Walser 2021-01-08 01:32:17 CET
Yeah, no problem.  Thank you too for all the python fixes.
