Bug 31420 - python-wheel new security issue CVE-2022-40898
Summary: python-wheel new security issue CVE-2022-40898
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2023-01-17 22:56 CET by David Walser
Modified: 2023-07-07 07:56 CEST (History)
5 users (show)

See Also:
Source RPM: python-wheel-0.37.1-1.mga9.src.rpm
Status comment:


Description David Walser 2023-01-17 22:56:55 CET
openSUSE has issued an advisory on January 16:

Mageia 8 is also affected.
David Walser 2023-01-17 22:57:08 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from openSUSE

Comment 1 David Walser 2023-01-25 16:08:05 CET
Ubuntu has issued an advisory for this on January 24:

Severity: normal => major

Comment 2 David Walser 2023-03-02 23:25:18 CET
(In reply to David Walser from comment #1)
> Ubuntu has issued an advisory for this on January 24:
> https://ubuntu.com/security/notices/USN-5821-1

Regression fix:
Comment 3 David GEIGER 2023-07-01 06:19:00 CEST
patch added for both mga8 and cauldron!

Packages in 9/Core/Updates_testing:

Packages in 8/Core/Updates_testing:


Assignee: python => qa-bugs
Status comment: Patch available from openSUSE => (none)
CC: (none) => geiger.david68210

Comment 4 Len Lawrence 2023-07-01 17:50:32 CEST
Mageia8, x86_64

Introduction at https://realpython.com/python-wheels/#what-is-a-python-wheel

Before updating:
lcl@canopus:python $ pushd "$(mktemp -d)"
/tmp/tmp.lHY6KSHdJF ~/qa/python
lcl@canopus:tmp.lHY6KSHdJF $ sudo urpmi python-pip
lcl@canopus:tmp.lHY6KSHdJF $ python -m pip download --only-binary :all: --dest . --no-cache six
Collecting six
  Downloading six-1.16.0-py2.py3-none-any.whl (11 kB)
Saved ./six-1.16.0-py2.py3-none-any.whl
Successfully downloaded six
lcl@canopus:tmp.lHY6KSHdJF $ ls

So far so good.
Updated the two packages.

lcl@canopus:tmp.lHY6KSHdJF $ unzip six-1.16.0-py2.py3-none-any.whl
Archive:  six-1.16.0-py2.py3-none-any.whl
  inflating: six.py                  
  inflating: six-1.16.0.dist-info/LICENSE  
  inflating: six-1.16.0.dist-info/METADATA  
  inflating: six-1.16.0.dist-info/WHEEL  
  inflating: six-1.16.0.dist-info/top_level.txt  
  inflating: six-1.16.0.dist-info/RECORD

Tried installing six:

$ python -m pip install --only-binary :all: --no-cache six
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: six in /usr/lib/python3.8/site-packages (1.15.0)

Installed yarl from scratch:

$ python -m pip install --only-binary :all: yarl
Defaulting to user installation because normal site-packages is not writeable
Collecting yarl
  Downloading yarl-1.9.2-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (266 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 266.9/266.9 KB 4.8 MB/s eta 0:00:00
Collecting multidict>=4.0
  Downloading multidict-6.0.4-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (121 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 121.3/121.3 KB 11.8 MB/s eta 0:00:00
Requirement already satisfied: idna>=2.0 in /usr/lib/python3.8/site-packages (from yarl) (2.10)
Installing collected packages: multidict, yarl
Successfully installed multidict-6.0.4 yarl-1.9.2

multidict dependency installed OK.
Since this is a user install the packages can be found in ~/.local/lib/python3.8/site-packages/
$ cd .local/lib/python3.8/site-packages/
lcl@canopus:site-packages $ ls
easygui/                   multidict/                  yarl/
easygui-0.98.2.dist-info/  multidict-6.0.4.dist-info/  yarl-1.9.2.dist-info/

Looks like this is working OK.
Note that the specification includes support for different platforms and architectures  and for various compilers where binaries need to be built.  I did not follow that up, nor was I able to chase the regression related to python-pip (CVE-2022-40898).  The CVE contains this notice:
"the python-pip package bundles wheel binaries when built.
After updating wheel, a no-change rebuild of python-pip is

CC: (none) => tarazed25
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Comment 5 David GEIGER 2023-07-02 18:23:56 CEST
package moved to Core/Release for cauldron!

Whiteboard: MGA8TOO MGA8-64-OK => MGA8-64-OK
Version: Cauldron => 8

Comment 6 Thomas Andrews 2023-07-03 00:26:11 CEST

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-07-06 22:33:18 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2023-07-07 07:56:25 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.