CVE-2023-32681 - python-pip fix is improper
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| python-pip (Ubuntu) | Invalid | Undecided | Unassigned | |
| Jammy | New | Undecided | Unassigned | |
| Lunar | Won't Fix | Undecided | Unassigned | |
Bug Description
-- I see from the below USN that the fix for this CVE lies in the 20.0.2-5ubuntu1.9 package
-- https:/
-- [focal Released (20.0.2-5ubuntu1.9) ]
-- When I extract the source package, the *CVE-2023-32681* patch is missing
-------
❯ tar -xzvf python-
x debian/
x debian/
x debian/changelog
x debian/control
x debian/copyright
x debian/dirtbike2
x debian/docs
x debian/
x debian/patches/
x debian/
x debian/
x debian/
x debian/
x debian/
x debian/
x debian/
x debian/
x debian/
x debian/
x debian/
x debian/
x debian/
x debian/
x debian/
x debian/
x debian/
x debian/rules
x debian/source/
x debian/
x debian/
x debian/tests/
x debian/
x debian/
x debian/
x debian/
x debian/watch
-------
-- Due to this I suspect the fix is not applied to python-pip.
-- Even if a no-change rebuild is triggered I don't think this will get fixed.
Thanks,
Paavaanan
CVE References
affects: ubuntu → python-pip (Ubuntu)
Hi Paavaanan,
If you take a look at the top of that CVE page you will see the following note:
"the python-pip package bundles requests binaries when built.
After updating requests, a no-change rebuild of python-pip is
required."
To summarize, the issue is in the requests source package, and whenever we patch it, we just need to make a rebuild of python-pip so it uses the new patched requests. There is no patching needed directly in python-pip, and that's why you don't see a patch there.
Does that answer your doubt?