On Sat, Sep 30, 2023 at 05:31:46PM +0200, Frank Wunderlich wrote:
> 
> > Sent: Saturday, 30 September 2023 at 16:44
> > From: "Tom Rini" <tr...@konsulko.com>
> > To: "Frank Wunderlich" <fran...@public-files.de>
> > Cc: "u-bootlists.denx.de" <u-boot@lists.denx.de>
> > Subject: Re: github dependabot alert on py / pytest
> >
> > On Sat, Sep 30, 2023 at 03:13:30PM +0200, Frank Wunderlich wrote:
> > > Hi,
> > >
> > > dependabot reports a high security issue
> > >
> > > https://github.com/frank-w/u-boot/security/dependabot/1
> > >
> > > it seems it is not yet fixed in master and next, as py is still in there
> > > and pytest==6.2.5
> > >
> > > I have not yet seen any topics for this... are you aware of this? I know
> > > tests are run in an isolated environment through the gitlab-pipeline, but
> > > maybe this can still be a risk.
> >
> > The dependabot requests aren't public. But I don't see one myself when
> > pushing to GitHub; can you please elaborate on what it's saying we
> > should have updated?
> 
> It says the py package is affected up to 1.11.0 and pytest from 7.2.0 on
> no longer requires it, so dropping the py package and upgrading pytest to
> at least 7.2.0 should be the right fix.
> 
> I guess you do not use subversion (so basically no security issue), but
> maybe we can fix this by upgrading pytest to avoid the alerts in future.
> 
> full report:
> 
> ReDoS in py library when used with subversion #1
> 
> Package: py (pip)
> Affected versions: <= 1.11.0
> Patched version: None
> 
> The py library through 1.11.0 for Python allows remote attackers to conduct
> a ReDoS (Regular expression Denial of Service) attack via a Subversion
> repository with crafted info data, because the InfoSvnCommand argument is
> mishandled.
> 
> The particular codepath in question is the regular expression at
> py._path.svnurl.InfoSvnCommand.lspattern and is only relevant when dealing
> with subversion (svn) projects. Notably the codepath is not used in the
> popular pytest project. The developers of the pytest package have released
> version 7.2.0 which removes their dependency on py. Users of pytest seeing
> alerts relating to this advisory may update to version 7.2.0 of pytest to
> resolve this issue. See
> https://github.com/pytest-dev/py/issues/287#issuecomment-1290407715 (comment)
> for additional context.
> 
> Severity: High (7.5 / 10)
> 
> CVSS base metrics:
>   Attack vector: Network
>   Attack complexity: Low
>   Privileges required: None
>   User interaction: None
>   Scope: Unchanged
>   Confidentiality: None
>   Integrity: None
>   Availability: High
>   Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
> 
> Tags: Direct dependency
> Weaknesses: CWE-1333
> CVE ID: CVE-2022-42969

Yeah, that's not super important to us and I really wish I knew why it
shows up for you, but not for me on my fork at GitHub. It would be good
in general to unpin and update our python packages (and re-pin them to
new versions), but that often also requires updating tests a little or
similar, so it's not been a high priority.

-- 
Tom
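The fix Frank describes (drop the direct `py` pin, move `pytest` to 7.2.0 or later, which no longer pulls `py` in) can be checked mechanically against a pinned requirements file. The script below is an added example, not code from the thread or from the U-Boot tree; the requirements text it scans is constructed to mirror the pins mentioned above, and the version thresholds come from the quoted advisory.

```python
import re

# Thresholds quoted in the advisory above: py <= 1.11.0 is affected
# (CVE-2022-42969) and pytest >= 7.2.0 dropped its dependency on py.
PY_LAST_AFFECTED = (1, 11, 0)
PYTEST_FIXED = (7, 2, 0)

# Matches exact pins of the form "name==1.2.3", optionally followed by a comment.
_PIN = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)\s*(?:#.*)?$")


def parse_version(text):
    """Turn '7.2.0' into a tuple of ints so versions compare numerically."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def parse_pins(requirements):
    """Return {package: version_tuple} for every 'name==version' line."""
    pins = {}
    for line in requirements.splitlines():
        match = _PIN.match(line)
        if match:
            pins[match.group(1).lower()] = parse_version(match.group(2))
    return pins


def audit(requirements):
    """Report the two conditions that make dependabot raise this alert."""
    pins = parse_pins(requirements)
    findings = []
    py = pins.get("py")
    if py is not None and py <= PY_LAST_AFFECTED:
        findings.append("py==%s is <= 1.11.0 (affected); drop the direct pin"
                        % ".".join(map(str, py)))
    pytest = pins.get("pytest")
    if pytest is not None and pytest < PYTEST_FIXED:
        findings.append("pytest==%s still depends on py; upgrade to >= 7.2.0"
                        % ".".join(map(str, pytest)))
    return findings


# Constructed sample input reflecting the pins discussed in the thread.
SAMPLE_BEFORE = "py==1.11.0\npytest==6.2.5\n"
SAMPLE_AFTER = "pytest==7.2.0  # py no longer required\n"

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit(text) or ["no findings"])
```

A `pytest` pin below 7.2.0 is flagged even when `py` is not pinned directly, because the older pytest pulls the affected `py` in transitively.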
