Multiple CVE's reported for stock Python

Bug #2048424 reported by mcandre
Affects: python-pip (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

The SAC safety tool reports many open vulnerabilities for the various Python packages that come preinstalled on Ubuntu.

https://pypi.org/project/safety/

To run the tool, execute `safety check`. A few dozen CVE notices will appear.

Some of the vulnerabilities appear to arise from upstream Debian, which, like Ubuntu, tends to be slow about patching these vulnerabilities.

Notably, stock Fedora appears to have zero Python vulnerabilities found in the safety CVE database.

Please update or remove the vulnerable packages from the base OS install, so that users can enjoy a more secure system by default. Additionally, the noise from a vulnerable base OS makes it harder for Python developers to determine which CVEs arise from their projects vs. what the operating system gives them to work with.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue.

The safety tool is relying on versions of Python modules to determine if something is vulnerable or not. Ubuntu, like most Linux distros, backports security updates to existing versions.

Please look up each CVE reported by the safety tool using our web interface here and report back any that are not a false positive: https://ubuntu.com/security/cves

Thanks!

Changed in python (Ubuntu):
status: New → Incomplete
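The point made in the comment above, that a scanner matching only upstream version strings cannot see a distro backport, can be checked mechanically against the distro changelog, which cites the CVE numbers it fixes. The following is an added example, not tooling from this bug report, from the safety project or from Ubuntu; the findings and changelog entries are constructed to mirror the report in this thread, and the changelog version strings are assumed for illustration.

```python
import re

# Constructed findings in the shape of the `safety check` report in this thread
# (installed upstream version, first fixed upstream version, CVE). Not real scanner output.
FINDINGS = [
    {"package": "setuptools", "installed": "59.6.0", "fixed_in": "65.5.1", "cve": "CVE-2022-40897"},
    {"package": "pip", "installed": "22.0.2", "fixed_in": "23.3", "cve": "CVE-2023-5752"},
]

# Constructed excerpts in Debian changelog format (the kind of text found under
# /usr/share/doc/<package>/changelog.Debian.gz). The version suffixes and wording are
# assumed for illustration and are not the real Ubuntu entries.
CHANGELOGS = {
    "setuptools": """\
python-setuptools (59.6.0-1.2ubuntu0.22.04.1) jammy-security; urgency=medium

  * SECURITY UPDATE: regular expression denial of service
    - CVE-2022-40897
""",
    "pip": "python-pip (22.0.2+dfsg-1) jammy; urgency=medium\n\n  * New upstream release.\n",
}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def version_key(v: str) -> tuple:
    """Numeric tuple for dotted upstream versions, so 22.0.2 < 23.3 compares correctly."""
    return tuple(int(p) for p in v.split("."))


def version_only_flags(finding: dict) -> bool:
    """What a version-matching scanner does: flag whenever installed < first fixed version."""
    return version_key(finding["installed"]) < version_key(finding["fixed_in"])


def triage(findings: list, changelogs: dict) -> dict:
    """Map CVE -> 'not flagged', 'backported' or 'open'.

    'backported': the scanner flagged it, but the distro changelog cites the CVE, so the
    fix was applied without bumping the upstream version (a scanner false positive).
    'open': flagged and no changelog mention; look the CVE up at https://ubuntu.com/security/cves.
    """
    verdicts = {}
    for f in findings:
        if not version_only_flags(f):
            verdicts[f["cve"]] = "not flagged"
            continue
        cited = set(CVE_RE.findall(changelogs.get(f["package"], "")))
        verdicts[f["cve"]] = "backported" if f["cve"] in cited else "open"
    return verdicts
```

On a real system the changelog text would come from `zcat /usr/share/doc/<package>/changelog.Debian.gz`; an "open" verdict still only means "not explained by a backport", not "confirmed vulnerable".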
mcandre (andrew-pennebaker) wrote : Re: [Bug 2048424] Re: Multiple CVE's reported for stock Python

Using the primary ubuntu [jammy] image on Docker as an example base.

Trace:

# apt-get update
# apt-get install -y python3-pip
# pip install safety
# safety check
+========================================================================+
+========================================================================+

 REPORT

  Safety is using PyUp's free open-source vulnerability
database. This data is 30 days old and limited.
  For real-time enhanced vulnerability data, fix recommendations,
severity reporting, cybersecurity support, team and project policy
management and more sign up at https://pyup.io or email <email address hidden>

  Safety v2.3.5 is scanning for Vulnerabilities...
  Scanning dependencies in your environment:

  -> /usr/lib/python3/dist-packages
  -> /usr/local/lib/python3.10/dist-packages

  Using non-commercial database
  Found and scanned 16 packages
  Timestamp 2024-01-06 19:47:32
  3 vulnerabilities found
  0 vulnerabilities ignored

+========================================================================+
 VULNERABILITIES FOUND
+========================================================================+

-> Vulnerability found in setuptools version 59.6.0
   Vulnerability ID: 52495
   Affected spec: <65.5.1
   ADVISORY: Setuptools 65.5.1 includes a fix for CVE-2022-40897:
   Python Packaging Authority (PyPA) setuptools before 65.5.1 allows...
   CVE-2022-40897
   For more information, please visit
   https://data.safetycli.com/v/52495/f17

-> Vulnerability found in pip version 22.0.2
   Vulnerability ID: 62044
   Affected spec: <23.3
   ADVISORY: Pip 23.3 includes a fix for CVE-2023-5752: When
   installing a package from a Mercurial VCS URL (ie "pip install...
   CVE-2023-5752
   For more information, please visit
   https://data.safetycli.com/v/62044/f17

-> Vulnerability found in wheel version 0.37.1
   Vulnerability ID: 51499
   Affected spec: <0.38.1
   ADVISORY: Wheel 0.38.1 includes a fix for CVE-2022-40898: An
   issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1...
   CVE-2022-40898
   For more information, please visit
   https://data.safetycli.com/v/51499/f17

 Scan was completed. 3 vulnerabilities were found.

+========================================================================+
   REMEDIATIONS

  3 vulnerabilities were found in 3 packages. For detailed remediation &
  fix recommendations, upgrade to a commercial license.

+================================================================...


Marc Deslauriers (mdeslaur) wrote :

CVE-2022-40897 in setuptools for jammy was fixed here:

https://ubuntu.com/security/notices/USN-5817-1

CVE-2022-40898 in wheel for jammy was fixed here:

https://ubuntu.com/security/notices/USN-5821-1

CVE-2023-5752 in pip is currently unfixed as it is a low priority issue that only affects pip when using against a mercurial repository. There is no current ETA.

affects: python (Ubuntu) → python-pip (Ubuntu)
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

[Expired for python-pip (Ubuntu) because there has been no activity for 60 days.]

Changed in python-pip (Ubuntu):
status: Incomplete → Expired