github dependabot alert on py / pytest

Tom Rini trini at konsulko.com
Sat Sep 30 17:48:29 CEST 2023


On Sat, Sep 30, 2023 at 05:31:46PM +0200, Frank Wunderlich wrote:
> 
> > Sent: Saturday, 30 September 2023 at 16:44
> > From: "Tom Rini" <trini at konsulko.com>
> > To: "Frank Wunderlich" <frank-w at public-files.de>
> > Cc: "u-bootlists.denx.de" <u-boot at lists.denx.de>
> > Subject: Re: github dependabot alert on py / pytest
> >
> > On Sat, Sep 30, 2023 at 03:13:30PM +0200, Frank Wunderlich wrote:
> > > Hi,
> > >
> > > dependabot reports a high security issue
> > >
> > > https://github.com/frank-w/u-boot/security/dependabot/1
> > >
> > > It seems it is not yet fixed in master and next, as py is still in there and pytest==6.2.5.
> > >
> > > I have not yet seen any topics for this... are you aware of this? I know tests are run in an
> > > isolated environment through the gitlab pipeline, but maybe this can still be a risk.
> >
> > The dependabot requests aren't public.  But I don't see one myself when
> > pushing to GitHub, can you please elaborate on what it's saying we
> > should have updated?
> 
> It says the py package is affected up to 1.11.0, and pytest after 7.2.0 no longer has a requirement for it...
> so dropping the py package and upgrading pytest to at least 7.2.0 should be the right fix.
> 
> I guess you do not use subversion (so basically no security issue), but maybe we can fix this by upgrading
> pytest to avoid the alerts in future.
> 
> full report:
> 
> ReDoS in py library when used with subversion #1
> 
> 
> Package: py (pip)
> Affected versions: <= 1.11.0
> Patched version: None
> 
> The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
> 
> The particular codepath in question is the regular expression at py._path.svnurl.InfoSvnCommand.lspattern and is only relevant when dealing with subversion (svn) projects. Notably the codepath is not used in the popular pytest project. The developers of the pytest package have released version 7.2.0 which removes their dependency on py. Users of pytest seeing alerts relating to this advisory may update to version 7.2.0 of pytest to resolve this issue. See https://github.com/pytest-dev/py/issues/287#issuecomment-1290407715 (comment) for additional context.
> 
> Severity: High (7.5 / 10)
> 
> CVSS base metrics:
>   Attack vector: Network
>   Attack complexity: Low
>   Privileges required: None
>   User interaction: None
>   Scope: Unchanged
>   Confidentiality: None
>   Integrity: None
>   Availability: High
> 
> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
> 
> Tags: Direct dependency
> Weaknesses: CWE-1333
> CVE ID: CVE-2022-42969

Yeah, that's not super important to us and I really wish I knew why it
shows up for you, but not for me on my fork at github.  It would be good
in general to unpin and update our python packages (and re-pin them to
new versions) but that often also requires updating tests a little or
similar, so it's not been a high priority.

-- 
Tom
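The check a maintainer would want after reading the thread, as an added example that is not part of the exchange above and not U-Boot project code: a small audit of a pinned requirements file that encodes the two facts from the quoted advisory (py <= 1.11.0 is affected and has no patched release; pytest >= 7.2.0 no longer depends on py) and reports what to change. The requirements text, function names and the py version in the sample are constructed for illustration; the thread only says py "is still in" and pytest==6.2.5.

```python
"""Audit a pinned requirements file for the py / pytest advisory (CVE-2022-42969, CWE-1333).

Added example, not code from this thread or from the U-Boot project. Thresholds come
from the advisory text quoted above; sample inputs below are constructed.
"""
import re
from typing import Dict, List, Tuple

# From the advisory: py <= 1.11.0 affected, no patched release; pytest >= 7.2.0 drops py.
PY_AFFECTED_MAX = (1, 11, 0)
PYTEST_DROPS_PY_FROM = (7, 2, 0)

# Matches "name==version" pins, tolerating surrounding whitespace and a trailing comment.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(?:#.*)?$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.2.0' into (7, 2, 0); a non-numeric tail such as 'rc1' is ignored."""
    parts: List[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_pins(requirements: str) -> Dict[str, Tuple[int, ...]]:
    """Return {normalized package name: version tuple} for every '==' pin in the text."""
    pins: Dict[str, Tuple[int, ...]] = {}
    for line in requirements.splitlines():
        m = PIN_RE.match(line)
        if m:
            name = m.group(1).lower().replace("_", "-")
            pins[name] = parse_version(m.group(2))
    return pins


def audit(requirements: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing needs changing."""
    pins = parse_pins(requirements)
    findings: List[str] = []
    pytest_ver = pins.get("pytest")
    py_ver = pins.get("py")

    if pytest_ver is not None and pytest_ver < PYTEST_DROPS_PY_FROM:
        findings.append(
            "pytest==%s predates 7.2.0 and still pulls in py; upgrade pytest to >= 7.2.0"
            % ".".join(map(str, pytest_ver))
        )
    if py_ver is not None and py_ver <= PY_AFFECTED_MAX:
        findings.append(
            "py==%s is in the affected range (<= 1.11.0) and has no patched release; "
            "drop the pin, pytest >= 7.2.0 does not need it" % ".".join(map(str, py_ver))
        )
    return findings


# Constructed sample mirroring the state described in the thread (py version is assumed).
SAMPLE_BEFORE = """\
# constructed sample requirements
pytest==6.2.5
py==1.11.0
coverage==6.2
"""

# Constructed sample after applying the fix proposed in the thread.
SAMPLE_AFTER = """\
pytest==7.2.0
coverage==6.2
"""

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label + ":")
        for finding in audit(text) or ["no findings"]:
            print("  - " + finding)
```

Run against a real requirements file by reading it into `audit()`; the script only looks at exact `==` pins, which is the pinning style the thread describes, so range specifiers would need to be handled separately.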