CVE-2023-32681 - python-pip fix is improper

Bug #2031880 reported by Paavaanan
This bug affects 1 person
Affects                 Status      Importance   Assigned to   Milestone
python-pip (Ubuntu)     Invalid     Undecided    Unassigned
  Jammy                 New         Undecided    Unassigned
  Lunar                 Won't Fix   Undecided    Unassigned

Bug Description

-- I see from the below USN that the fix for this CVE lies in the 20.0.2-5ubuntu1.9 package:
   -- https://ubuntu.com/security/CVE-2023-32681
   -- [focal Released (20.0.2-5ubuntu1.9) ]

-- When I extract the source package, the *CVE-2023-32681* patch is missing

------------------------------------------------------------------------------------------------

❯ tar -xzvf python-pip_20.0.2-5ubuntu1.9.debian.tar.xz
x debian/
x debian/README.debian
x debian/changelog
x debian/control
x debian/copyright
x debian/dirtbike2
x debian/docs
x debian/genbuildusing.sh
x debian/patches/
x debian/patches/CVE-2022-40898.patch ----------------------[This might be wrong]------------
x debian/patches/add_appdirs_to_vendored.patch
x debian/patches/add_pkg-resources_to_freeze.patch
x debian/patches/commands_list_version_workaround.patch
x debian/patches/config-in-etc.patch
x debian/patches/debundle.patch
x debian/patches/disable-pip-version-check.patch
x debian/patches/git-split-ascii.patch
x debian/patches/handle-unbundled-requests.patch
x debian/patches/hands-off-system-packages.patch
x debian/patches/series
x debian/patches/set_user_default.patch
x debian/patches/toml.patch
x debian/pip-manpage.rst
x debian/pip.dependencies
x debian/python3-pip.links
x debian/python3-pip.manpages
x debian/rules
x debian/source/
x debian/source/format
x debian/source/lintian-overrides
x debian/tests/
x debian/tests/control
x debian/tests/pip3-editable.sh
x debian/tests/pip3-root.sh
x debian/tests/pip3-user.sh
x debian/watch
------------------------------------------------------------------------------------------------

-- Due to this I suspect the fix is not applied to python-pip.
-- Even if a no-change rebuild is triggered I don't think this will get fixed.

Thanks,
Paavaanan

affects: ubuntu → python-pip (Ubuntu)
Revision history for this message
Eduardo Barretto (ebarretto) wrote :

Hi Paavaanan,

If you take a look at the top of that CVE page you will see the following note:
"the python-pip package bundles requests binaries when built.
After updating requests, a no-change rebuild of python-pip is
required."

To summarize, the issue is in the requests source package, and whenever we patch it, we just need to make a rebuild of python-pip so it uses the new patched requests. There is no patching needed directly in python-pip, and that's why you don't see a patch there.

Does that answer your doubt?

Changed in python-pip (Ubuntu):
status: New → Invalid
information type: Private Security → Public Security
Stefano Rivera (stefanor) wrote :

Although note that this only applies until 21.3.1+dfsg-1 (currently >= jammy), after that requests is bundled and needs to be patched in pip.

Paavaanan (paavaanan) wrote :

-- Thanks ebarretto and stefanor for the quick response and detailed explanation.

-- I have some naive doubts. Is a patched [python-pip, python] *.deb available right now? I interpret it as yet to be done. Am I correct?

-- "21.3.1+dfsg-1 (currently >= jammy), after that requests is bundled and needs to be patched"
   --- Are these (22.0.2+dfsg-1ubuntu0.3), (23.0.1+dfsg-1ubuntu0.1) patched, Stefano?

Thanks,
Paavaanan

Stefano Rivera (stefanor) wrote :

> Are these (22.0.2+dfsg-1ubuntu0.3), (23.0.1+dfsg-1ubuntu0.1) patched, Stefano?

Yeah. Marc, just rebuilding those wasn't sufficient; they need to be patched.

Paavaanan (paavaanan) wrote :

Thanks Stefano.

Marc Deslauriers (mdeslaur) wrote :

Thanks for the info, I've now updated the security team tracker to properly handle jammy and later, and I've switched CVE-2023-32681 back to "needed" for jammy and lunar.

Paavaanan (paavaanan) wrote :

Marc, it is needed for focal too.

Marc Deslauriers (mdeslaur) wrote :

The focal python-pip package doesn't use the embedded requests code. During build, it bundles the system requests binaries.

In the build log, I see the following:

Installed-Build-Depends:
python3-requests (= 2.22.0-2ubuntu1.1),

That is the patched version of requests, so the python-pip (20.0.2-5ubuntu1.9) version in focal is fixed.
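
The verification Marc describes (reading the Installed-Build-Depends field recorded in the build log) can be scripted. The following is an added example, not part of this bug report or of Ubuntu's tooling: it parses that field from a build log, compares the recorded python3-requests version against the version the thread names as patched (2.22.0-2ubuntu1.1) using a Python port of dpkg's verrevcmp() ordering, and reports whether the build picked up the fix. The build log text is constructed; only the python3-requests line reflects the thread, and the other package names and versions are placeholders. Note that for Jammy and later (pip >= 21.3.1+dfsg-1, which vendors requests), this check alone is not sufficient, since, as Stefano notes, the fix then has to be in pip's own source.

```python
"""Check a Debian/Ubuntu build log for the version of a bundled build-dependency.

Added example for this thread (not from the bug report or Ubuntu's tooling).
For packages like focal's python-pip, which bundle the *system* python3-requests
at build time, a requests fix only reaches pip through the version recorded in
the build log's Installed-Build-Depends field. This parses that field and checks
the recorded version against the version known to carry the fix.
"""
import re

# Constructed sample build log. Only the python3-requests line reflects the
# version quoted in the thread; the other package lines are placeholders.
SAMPLE_BUILD_LOG = """\
dpkg-buildpackage: info: source package python-pip
dpkg-buildpackage: info: source version 20.0.2-5ubuntu1.9
...
Installed-Build-Depends:
 debhelper (= 0.0-constructed1),
 python3-requests (= 2.22.0-2ubuntu1.1),
 python3-setuptools (= 0.0-constructed2),
Environment:
 DEB_BUILD_OPTIONS="parallel=4"
"""

# Version stated in the thread to be the patched focal requests.
FIXED_REQUESTS_FOCAL = "2.22.0-2ubuntu1.1"

# One "pkg (= version)," line of the field; an optional ":arch" qualifier is dropped.
_DEP_RE = re.compile(
    r"^\s*(?P<name>[a-z0-9][a-z0-9+.-]*)(?::[a-z0-9-]+)?\s+\(=\s*(?P<version>[^)]+)\),?\s*$"
)


def parse_installed_build_depends(log_text: str) -> dict:
    """Return {package: exact version} from the Installed-Build-Depends field."""
    deps = {}
    in_field = False
    for line in log_text.splitlines():
        if line.strip() == "Installed-Build-Depends:":
            in_field = True
            continue
        if not in_field:
            continue
        m = _DEP_RE.match(line)
        if m is None:  # first line that is not "pkg (= ver)," ends the field
            break
        deps[m.group("name")] = m.group("version").strip()
    return deps


def _order(c: str) -> int:
    """Sort weight of one non-digit character, as in dpkg's verrevcmp()."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings the way dpkg does."""
    at = lambda s, k: s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit runs compare character by character; '~' sorts before anything.
        while (at(a, i) and not at(a, i).isdigit()) or (at(b, j) and not at(b, j).isdigit()):
            ac, bc = _order(at(a, i)), _order(at(b, j))
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit runs compare numerically, ignoring leading zeros.
        while at(a, i) == "0":
            i += 1
        while at(b, j) == "0":
            j += 1
        while at(a, i).isdigit() and at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if at(a, i).isdigit():
            return 1
        if at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 following dpkg's [epoch:]upstream[-revision] ordering."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    for c in (_verrevcmp(u1, u2), _verrevcmp(r1, r2)):
        if c:
            return 1 if c > 0 else -1
    return 0


def check_build_dep(log_text: str, package: str, fixed_version: str):
    """Return (is_fixed, installed_version); is_fixed is False if absent or too old."""
    installed = parse_installed_build_depends(log_text).get(package)
    if installed is None:
        return False, None
    return compare_versions(installed, fixed_version) >= 0, installed


if __name__ == "__main__":
    ok, ver = check_build_dep(SAMPLE_BUILD_LOG, "python3-requests", FIXED_REQUESTS_FOCAL)
    print(f"python3-requests built against: {ver}; fix present: {ok}")
```

Run it against a real build log by replacing SAMPLE_BUILD_LOG with the log's text; a package missing from the field, or present below the fixed version, both report False, which is the case worth catching when a no-change rebuild is used as the delivery mechanism for a fix.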

Paavaanan (paavaanan) wrote :

Thanks Marc, got it verified.

Brian Murray (brian-murray) wrote :

Ubuntu 23.04 (Lunar Lobster) has reached end of life, so this bug will not be fixed for that specific release.

Changed in python-pip (Ubuntu Lunar):
status: New → Won't Fix