Aw: Re: github dependabot alert on py / pytest

Frank Wunderlich frank-w at public-files.de
Sat Sep 30 17:31:46 CEST 2023


> Sent: Saturday, 30 September 2023 at 16:44
> From: "Tom Rini" <trini at konsulko.com>
> To: "Frank Wunderlich" <frank-w at public-files.de>
> Cc: "u-bootlists.denx.de" <u-boot at lists.denx.de>
> Subject: Re: github dependabot alert on py / pytest
>
> On Sat, Sep 30, 2023 at 03:13:30PM +0200, Frank Wunderlich wrote:
> > Hi,
> >
> > dependabot reports a high security issue
> >
> > https://github.com/frank-w/u-boot/security/dependabot/1
> >
> > It seems it is not yet fixed in master and next, as py is still in there and pytest==6.2.5.
> >
> > I have not yet seen any topics for this... are you aware of this? I know tests are run in an
> > isolated environment through the gitlab pipeline, but maybe this can still be a risk.
>
> The dependabot requests aren't public.  But I don't see one myself when
> pushing to GitHub, can you please elaborate on what it's saying we
> should have updated?

It says the py package is affected up to 1.11.0, and pytest after 7.2.0 no longer has a requirement on it...
so dropping the py package and upgrading pytest to at least 7.2.0 should be the right fix.

I guess you do not use Subversion (so basically no security issue), but maybe we can fix this by upgrading
pytest to avoid the alerts in future.

full report:

ReDoS in py library when used with subversion #1


Package: py (pip)
Affected versions: <= 1.11.0
Patched version: None

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.

The particular codepath in question is the regular expression at py._path.svnurl.InfoSvnCommand.lspattern and is only relevant when dealing with subversion (svn) projects. Notably the codepath is not used in the popular pytest project. The developers of the pytest package have released version 7.2.0 which removes their dependency on py. Users of pytest seeing alerts relating to this advisory may update to version 7.2.0 of pytest to resolve this issue. See https://github.com/pytest-dev/py/issues/287#issuecomment-1290407715 (comment) for additional context.

Severity: High (7.5 / 10)

CVSS base metrics:
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags: Direct dependency
Weaknesses: CWE-1333
CVE ID: CVE-2022-42969


regards Frank
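The fix Frank proposes (drop the direct py pin, move pytest to at least 7.2.0) can be checked mechanically against a pinned requirements file. This is an added example, not code from the thread or from U-Boot; the requirements content is constructed to mirror what the thread describes (py pinned, pytest==6.2.5), and only exact `==` pins are handled.

```python
"""Flag the py / pytest pins discussed in the thread (CVE-2022-42969) in a requirements file."""
import re

# Constructed sample, not U-Boot's real requirements file: py still pinned, pytest==6.2.5.
SAMPLE_REQUIREMENTS = """\
# test dependencies (constructed example)
coverage==6.2
py==1.11.0
pytest==6.2.5
pytest-xdist==2.5.0
"""

# Only exact pins ("name==1.2.3") are parsed; ranges and extras are ignored on purpose.
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9]+(?:\.[0-9]+)*)$")

# Thresholds from the advisory: py affected through 1.11.0 with no patched release,
# pytest dropped its py dependency in 7.2.0.
PY_LAST_AFFECTED = (1, 11, 0)
PYTEST_FIXED = (7, 2, 0)


def parse_version(text):
    """Turn "7.2.0" into (7, 2, 0) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def parse_pins(requirements):
    """Return {normalized package name: version tuple} for every exact pin."""
    pins = {}
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        match = PIN_RE.match(line) if line else None
        if match:
            name = match.group(1).lower().replace("_", "-")
            pins[name] = parse_version(match.group(2))
    return pins


def check_advisory(pins):
    """Return one finding per pin that keeps the advisory alive; empty list means clean."""
    findings = []
    py = pins.get("py")
    if py is not None and py <= PY_LAST_AFFECTED:
        # A direct py pin is flagged even if pytest is already new enough (dependabot: "Direct dependency").
        findings.append("py==%s: affected (<= 1.11.0, no patched release), drop the dependency"
                        % ".".join(map(str, py)))
    pytest = pins.get("pytest")
    if pytest is not None and pytest < PYTEST_FIXED:
        findings.append("pytest==%s: still depends on py, upgrade to >= 7.2.0" % ".".join(map(str, pytest)))
    return findings


if __name__ == "__main__":
    for finding in check_advisory(parse_pins(SAMPLE_REQUIREMENTS)):
        print(finding)
```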

