
Bug Report: Py library is insecure and needs patching #12685

Closed
lmbr-pip opened this issue Oct 19, 2022 · 6 comments · Fixed by #13707
Labels
kind/bug Categorizes issue or PR as related to a bug. kind/security Denotes an issue or PR related to disclosed security impact. priority/major Major priority. Work that should be handled after all blocking and critical work is done. sig/security Categorizes an issue or PR as relevant to SIG Security. sig/testing Categorizes an issue or PR as relevant to SIG Testing. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@lmbr-pip
Contributor

Describe the bug
Py versions <= 1.11.0

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.

CVSS score of 5.3 puts this as major.

Assets required
None

Steps to reproduce
Steps to reproduce the behavior:

  1. Go to 'requirements.txt': https://github.com/o3de/o3de/blob/development/python/requirements.txt#L222
  2. Look at the version of Py in use
  3. Look at CVE for PY: https://cwe.mitre.org/data/definitions/1333.html

Expected behavior
PY is patched once a new version is available

Actual behavior
Py is insecure. No patched version exists

Screenshots/Video
If applicable, add screenshots and/or a video to help explain your problem.

Found in Branch
Dev

Desktop/Device (please complete the following information):

  • Device: [e.g. PC, Mac, iPhone, Samsung]
  • OS: [e.g. Windows, macOS, iOS, Android]
  • Version [e.g. 10, Monterey, Oreo]
  • CPU [e.g. Intel I9-9900k , Ryzen 5900x, ]
  • GPU [AMD 6800 XT, NVidia RTX 3090]
  • Memory [e.g. 16GB]

Additional context
Add any other context about the problem here.

@lmbr-pip lmbr-pip added kind/security Denotes an issue or PR related to disclosed security impact. kind/bug Categorizes issue or PR as related to a bug. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. priority/major Major priority. Work that should be handled after all blocking and critical work is done. sig/security Categorizes an issue or PR as relevant to SIG Security. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Oct 19, 2022
@lmbr-pip
Contributor Author

Assigning to SIG/security to identify owners of Py and confirm issue details.

@dshmz

dshmz commented Nov 2, 2022

SIG-Build checked this issue, and the Py module is not owned by SIG-Build; we need to figure out which SIG owns it. It should go to the overall triage to get the assignment to the correct SIG.

@lmbr-pip
Contributor Author

lmbr-pip commented Nov 4, 2022

SIG/testing touched this last (see #7155). Routing to SIG/testing for input.

@lmbr-pip lmbr-pip added the sig/testing Categorizes an issue or PR as relevant to SIG Testing. label Nov 4, 2022
@Kadino
Contributor

Kadino commented Nov 8, 2022

I'll look into why this is required. Preferably the package can be removed, as no secure version exists.

@Kadino
Contributor

Kadino commented Nov 8, 2022

The only direct dependency is pytest, which is a fairly critical dependency:

python -m pipdeptree -r -p py
py==1.11.0
  - pytest==6.2.5 [requires: py>=1.8.2]

Confirmed owned by @o3de/sig-testing

@Kadino Kadino added the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Nov 8, 2022
@Kadino
Contributor

Kadino commented Nov 8, 2022

This is not a requirement of the latest versions of pytest, as of 20 days ago: pytest-dev/pytest@19dda7c

Can be resolved via updating pytest, its dependencies, and dependents: #10588
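
The thread's diagnosis has two parts: check which version of py is pinned, then check who still pulls it in (the `pipdeptree -r -p py` step above) to decide whether the package can simply be dropped once pytest is updated. The script below is an added example for this issue, not o3de code or a tool the project uses. It parses a pinned requirements file and a package-to-requirements map the way a reverse-dependency lookup would, and flags py at or below 1.11.0 (the range the report names). The requirements text and both `requires` maps are constructed samples; the "new pytest" map models the state after the upstream change, where py is no longer required. Version comparison here looks at release segments only, a simplification of PEP 440.

```python
"""Audit a pinned requirements file for a known-vulnerable package and
report which other pinned packages still require it (a reverse-dependency
view in the spirit of `pipdeptree -r -p py`).

Added example for this issue thread, not o3de's code. The requirements
text and the `requires` maps below are constructed samples; on a real
install the map would be built from importlib.metadata.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

# A pinned line such as "py==1.11.0" or "pytest[testing]==6.2.5 ; python_version>='3.7'"
_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.]*)")
# The name part of a requirement specifier such as "py>=1.8.2" or "pluggy>=0.12,<2.0"
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

# Constructed sample modelled on a pinned requirements.txt
SAMPLE_REQUIREMENTS = """
# pinned test tooling (constructed sample)
pytest==6.2.5
py==1.11.0        # pulled in by pytest
pluggy==1.0.0
"""

# Constructed: what each pinned package declares it requires.
# Old pytest still needs py (the thread shows "pytest==6.2.5 [requires: py>=1.8.2]").
SAMPLE_REQUIRES_OLD_PYTEST = {
    "pytest": ["py>=1.8.2", "pluggy>=0.12,<2.0"],
    "py": [],
    "pluggy": [],
}
# Constructed: after the upstream change, pytest no longer lists py at all.
SAMPLE_REQUIRES_NEW_PYTEST = {
    "pytest": ["pluggy>=0.12,<2.0"],
    "py": [],
    "pluggy": [],
}


def canonical(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> Tuple[int, ...]:
    """Comparable key over the numeric release segments (1.11.0 > 1.9.2).
    Pre-release and local suffixes are ignored: a deliberate simplification."""
    parts = []
    for seg in version.split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_pins(requirements_text: str) -> Dict[str, str]:
    """Return {canonical name: pinned version} for every '==' line; comments,
    blank lines and option lines such as '-r other.txt' are skipped."""
    pins: Dict[str, str] = {}
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _PIN.match(line)
        if m:
            pins[canonical(m.group(1))] = m.group(2)
    return pins


def reverse_dependents(requires: Dict[str, Iterable[str]], target: str) -> Dict[str, str]:
    """Which packages list `target` among their requirements, and with what spec."""
    want = canonical(target)
    found: Dict[str, str] = {}
    for pkg, specs in requires.items():
        for spec in specs:
            m = _REQ_NAME.match(spec)
            if m and canonical(m.group(1)) == want:
                found[canonical(pkg)] = spec.strip()
    return found


def audit(requirements_text: str, requires: Dict[str, Iterable[str]],
          package: str, last_affected: str) -> Dict[str, object]:
    """Flag `package` if pinned at or below `last_affected`, and report who requires it.
    An affected pin with an empty `required_by` can be removed outright."""
    pins = parse_pins(requirements_text)
    pinned: Optional[str] = pins.get(canonical(package))
    affected = pinned is not None and version_key(pinned) <= version_key(last_affected)
    return {"pinned": pinned, "affected": affected,
            "required_by": reverse_dependents(requires, package)}


if __name__ == "__main__":
    for label, req_map in (("old pytest", SAMPLE_REQUIRES_OLD_PYTEST),
                           ("new pytest", SAMPLE_REQUIRES_NEW_PYTEST)):
        result = audit(SAMPLE_REQUIREMENTS, req_map, "py", "1.11.0")
        print(label, result)
```

With the old map the audit reports py pinned at 1.11.0, affected, and required by pytest via `py>=1.8.2`; with the new map the same pin is still affected but nothing requires it, which is the "update pytest, then drop py" outcome the thread arrives at.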

@amzn-changml amzn-changml removed the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Nov 9, 2022
@Kadino Kadino self-assigned this Dec 14, 2022
@Kadino Kadino linked a pull request Dec 15, 2022 that will close this issue
4 participants