Is zlib CVE-2023-45853 exploitable in PyInstaller?

[mmirkows]

Hi,
there is a critical CVE in zlib https://nvd.nist.gov/vuln/detail/CVE-2023-45853 (no fixed version released yet).
Do you know if PyInstaller is exploitable or not affected?

Regards,
Michal Mirkowski

[rokm]

We don't use the MiniZip part of zlib anywhere, so no.

[raghupcr]

Hi Team,

we have also got critical vulnerability on Pyinstaller which internally uses zlib. current version is zlib 1.2.13 but there is vulnerability in this version and need to upgrade to zlib 1.3.1. Will it be upgraded by any chance or based on the above comments will that be ignored as it is not using minizip?

Please provide your input

Thanks,
Raghavendra

[rokm]

@rokm yes, the environment is different one is build env and the other one is test environment where I have installed the previous build which is through pyinstaller 5.x version.

I mean, was version built with PyInstaller 6.4 built in an identical environment to the one where PyInstaller 5.x was used?

what we could see difference is al the packages have -dist-info in the screenshot shared

Yes, more metadata was collected with 6.x. We don't automatically collect those - but if you aren't explicitly collecting them via copy_metadata at beginning of your spec, then maybe an updated version of hook (from pyinstaller-hooks-contrib is collecting those.

What is the output of pip freeze, and how does the beginning of your spec file (or rather, whole spec file) look like?

[raghupcr]

@rokm Yes spec file is same and the environment is same where pyinstaller 5.x was there and later 6.x got installed

complete spec file

import os


def fix_relative_root_path(path, *paths):
    return os.path.abspath(os.path.join(BASE_PATH, path, *paths))


# Needed for bundling obfuscated scripts
def patch_scripts(scripts, _src, _target):
    for i in range(len(scripts)):
        if scripts[i][1].startswith(_src):
            script_path = scripts[i][1].replace(_src, _target)
            if os.path.exists(script_path):
                scripts[i] = scripts[i][0], script_path, scripts[i][2]

def patch_modules(pure_modules, _src, _target):
    for i in range(len(pure_modules)):
        if pure_modules[i][1].startswith(_src):
            module_path = pure_modules[i][1].replace(_src, _target)
            if os.path.exists(module_path):
                if hasattr(pure_modules, '_code_cache'):
                    with open(module_path) as f:
                        pure_modules._code_cache[pure_modules[i][0]] = compile(f.read(), pure_modules[i][1], 'exec')
                pure_modules[i] = pure_modules[i][0], module_path, pure_modules[i][2]


block_cipher = None
# pyinstaller doesn't work well with relative paths, so make sure everything is an absolute path
# SPECPATH is the path to the spec file.  Could be absolute or relative to cwd.  If in cwd and relateive, it may be empty.
BASE_PATH = os.path.abspath(SPECPATH if SPECPATH else os.getcwd()) # empty spec path means current directory.
common_pathex = [
    fix_relative_root_path('testcatcher', 'lib', 'pytestCatcher'),
    fix_relative_root_path('dist', 'obf', 'testcatcher', 'lib', 'pytestCatcher')
]
common_datas = [
  (
     os.path.join(fix_relative_root_path('dist', 'obf', 'testcatcher', 'lib', 'pyarmor_runtime_005098'), '*'),
        'pyarmor_runtime_005098'
    ),
]

common_hidden_imports = ['cheroot.ssl', 'cheroot.ssl.builtin', 'pytransform']
common_hooks_path = [ fix_relative_root_path('dist', 'obf', 'testcatcher', 'lib', 'pytestCatcher') ]
main_name = 'ese'
src_script_path = fix_relative_root_path('testcatcher', 'libexec', 'ese', '__main__.py')
main_scripts = [ fix_relative_root_path('testcatcher', 'lib', 'pytestCatcher', '__main__.py') ]

if os.name == 'nt':
    # append some additional windows platform specific datas
    additional_data = {
        'utilities/' : os.path.join(fix_relative_root_path('utilities'), '*.dll'),
        'setup/' : os.path.join(fix_relative_root_path('installer'), 'setup.*'),
        'configuration/' : os.path.join(fix_relative_root_path('installer'), 'DefaultProperties.json')
    }
    for target, source in additional_data.items():
        common_datas.append((source, target))

    # specify additional windows platform specific hidden packages
    for package in ['jaraco', 'win32timezone']:
        common_hidden_imports.append(package)

# Check if main script exists or not, if not then copy src script at main script location
if not os.path.exists(main_scripts[0]):
    os.system(f"copy {src_script_path} {main_scripts[0]}")
    print ("Main script copied : ", os.path.exists(main_scripts[0]))

main_service = Analysis (
    main_scripts,
    pathex = common_pathex,
    binaries = [],
    datas = common_datas,
    hiddenimports = common_hidden_imports,
    hookspath = common_hooks_path,
    runtime_hooks = [],
    excludes = [
        'docutils',
        'chardet'
    ],
    win_no_prefer_redirects = False,
    win_private_assemblies = False,
    cipher = block_cipher,
    noarchive = False
)

# Patch by PyArmor
_src = fix_relative_root_path('testcatcher')
_target = fix_relative_root_path('dist', 'obf', 'testcatcher')
patch_scripts(main_service.scripts, _src, _target)
patch_modules(main_service.pure, _src, _target)
# Patch end.

main_pyz = PYZ (
    main_service.pure,
    main_service.zipped_data,
    cipher=block_cipher
)

main_exe = EXE (
    main_pyz,
    main_service.scripts,
    [],
    exclude_binaries = True,
    name = main_name,
    debug = False,
    bootloader_ignore_signals = False,
    strip = False,
    upx = True,
    console = True,
    contents_directory = '.'
)

collect_ese = COLLECT (
    main_exe,
    main_service.binaries,
    main_service.zipfiles,
    main_service.datas,
    strip = False,
    upx = True,
    name = main_name
)

[rokm]

@rokm Yes spec file is same and the environment is same where pyinstaller 5.x was there and later 6.x got installed

Do you still have the 5.x environment available? What is the output of pip freeze in environment with 6.4 and what is the output of pip freeze in environment with 5.x?

[rokm]

Ah, nevermind, I missed the part where you said you upgraded PyInstaller from 5.x to 6.x in the same environment.

In that case, can you build with --log-level DEBUG and attach the full build log (attach it as a text file here, or upload it somewhere so I can take a look at it). Perhaps that will be enough to tell us where the extra metadata came from...

[raghupcr]

@rokm sorry for the delayed response. Discussed with the team and came to know that .dist-info files were getting generated in the pyinstaller 5.x also. After that as part of the InstallShield we are removing the folders it seems. This i came to know today only. So this is expected behavior. Thanks once again @rokm for your valuable inputs and time :) we are in the process of testing the output (windows final o/p based out of Installshield)