
Sent: Saturday, 30 September 2023 at 16:44
From: "Tom Rini" trini@konsulko.com
To: "Frank Wunderlich" frank-w@public-files.de
Cc: "u-bootlists.denx.de" u-boot@lists.denx.de
Subject: Re: github dependabot alert on py / pytest
On Sat, Sep 30, 2023 at 03:13:30PM +0200, Frank Wunderlich wrote:
Hi,
dependabot reports a high security issue:
https://github.com/frank-w/u-boot/security/dependabot/1
It seems it is not yet fixed in master and next, as py is still in there and pytest==6.2.5.
I have not yet seen any topics for this... are you aware of this? I know tests are run in an isolated environment through the gitlab pipeline, but maybe this can still be a risk.
The dependabot requests aren't public, and I don't see one myself when pushing to GitHub. Can you please elaborate on what it's saying we should have updated?
It says the py package is affected up to 1.11.0 and pytest after 7.2.0 no longer has a requirement for it... so dropping the py package and upgrading pytest to at least 7.2.0 should be the right fix.
I guess you do not use subversion (so basically no security issue), but maybe we can fix this by upgrading pytest to avoid the alerts in future.
Full report:
ReDoS in py library when used with subversion #1
Package: py (pip)
Affected versions: <= 1.11.0
Patched version: None
The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
The particular codepath in question is the regular expression at py._path.svnurl.InfoSvnCommand.lspattern and is only relevant when dealing with Subversion (svn) projects. Notably, the codepath is not used in the popular pytest project. The developers of the pytest package have released version 7.2.0, which removes their dependency on py. Users of pytest seeing alerts relating to this advisory may update to version 7.2.0 of pytest to resolve this issue. See https://github.com/pytest-dev/py/issues/287#issuecomment-1290407715 (comment) for additional context.
Severity: High, 7.5 / 10
CVSS base metrics:
  Attack vector: Network
  Attack complexity: Low
  Privileges required: None
  User interaction: None
  Scope: Unchanged
  Confidentiality: None
  Integrity: None
  Availability: High
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Tags: Direct dependency
Weaknesses: CWE-1333
CVE ID: CVE-2022-42969
Regards,
Frank
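As an added example (not from the thread or the U-Boot project), the following script checks a pinned requirements file against the two rules the report above states: any pin of py (affected through 1.11.0, no patched release) and any pytest pin below 7.2.0 (the version that dropped the py dependency) are flagged. The sample requirements text is constructed for this example and mirrors the pins mentioned in the thread.

```python
"""Added example (not part of the thread): scan pinned requirements for the
py / pytest combination from the advisory quoted above (CVE-2022-42969).
Rules taken from the report: py <= 1.11.0 is affected and has no patched
release, so any py pin is flagged; pytest < 7.2.0 still depends on py, so a
pytest pin below 7.2.0 is flagged too. The sample pins are constructed."""
import re
from typing import Dict, List, Tuple

SAMPLE_REQUIREMENTS = """\
# constructed sample, mirrors the pins mentioned in the thread
py==1.11.0
pytest==6.2.5
coverage==6.5.0
"""

PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)$")

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.2.0' into (7, 2, 0); a non-numeric tail such as 'rc1' is dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def parse_pins(requirements: str) -> Dict[str, str]:
    """Collect 'name==version' pins, ignoring comments and blank lines."""
    pins = {}
    for line in requirements.splitlines():
        m = PIN_RE.match(line.split("#", 1)[0].strip())
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def check_requirements(requirements: str) -> List[str]:
    """One finding per affected pin; an empty list means nothing to fix."""
    pins = parse_pins(requirements)
    findings = []
    if "py" in pins and parse_version(pins["py"]) <= (1, 11, 0):
        findings.append(f"py=={pins['py']}: affected, no patched release, drop the package")
    if "pytest" in pins and parse_version(pins["pytest"]) < (7, 2, 0):
        findings.append(f"pytest=={pins['pytest']}: still depends on py, upgrade to >= 7.2.0")
    return findings

if __name__ == "__main__":
    for finding in check_requirements(SAMPLE_REQUIREMENTS):
        print(finding)
```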