Closed Bug 1698616 Opened 3 years ago Closed 3 years ago

Bump four vendored python dependencies with security advisories

Categories

(Firefox Build System :: General, task)


Tracking

(firefox-esr78 wontfix, firefox87 wontfix, firefox88 wontfix, firefox89 wontfix, firefox90 fixed)

RESOLVED FIXED
90 Branch

People

(Reporter: mhentges, Assigned: mhentges)

References

Details

(Keywords: sec-other, Whiteboard: [post-critsmash-triage][adv-main90-])

Attachments

(1 file)

+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
| checked 43 packages, using free DB (updated once a month)                    |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| jinja2                     | 2.11.2    | >=0.0.0,<2.11.3          | 39525    |
+==============================================================================+
| This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDOS      |
| vulnerability of the regex is mainly due to the sub-pattern                  |
| [a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+ This issue can be mitigated by Markdown to   |
| format user content instead of the urlize filter, or by implementing request |
| timeouts and limiting process memory. See CVE-2020-28493.                    |
+==============================================================================+
| py                         | 1.5.4     | <=1.9.0                  | 39253    |
+==============================================================================+
| A denial of service via regular expression in the py.path.svnwc component of |
| py (aka python-py) through 1.9.0 could be used by attackers to cause a       |
| compute-time denial of service attack by supplying malicious input to the    |
| blame functionality. See CVE-2020-29651.                                     |
+==============================================================================+
| pyyaml                     | 5.3.1     | <5.4                     | 39611    |
+==============================================================================+
| A vulnerability was discovered in the PyYAML library in versions before 5.4, |
| where it is susceptible to arbitrary code execution when it processes        |
| untrusted YAML files through the full_load method or with the FullLoader     |
| loader. Applications that use the library to process untrusted input may be  |
| vulnerable to this flaw. This flaw allows an attacker to execute arbitrary   |
| code on the system by abusing the python/object/new constructor. This flaw   |
| is due to an incomplete fix for CVE-2020-1747. See CVE-2020-14343.           |
+==============================================================================+
| requests                   | 2.9.1     | <=2.19.1                 | 36546    |
+==============================================================================+
| The Requests package through 2.19.1 sends an HTTP Authorization header to an |
| http URI upon receiving a same-hostname https-to-http redirect, which makes  |
| it easier for remote attackers to discover credentials by sniffing the       |
| network.                                                                     |
+==============================================================================+
Assignee: nobody → mhentges
Status: NEW → ASSIGNED
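The requests advisory in the report above (credentials re-sent over plain http after a same-host https-to-http redirect) comes down to one decision a client has to make before following a redirect. The following is an added example, not code from this bug or from the requests project; it re-implements the rule requests adopted when this was fixed (drop the Authorization header when the host changes or the scheme is downgraded, but allow an http-to-https upgrade on the default ports) using only the standard library, and applies it to a constructed header set:

```python
"""Added example (not from the bug or from the requests project): decide whether
an Authorization header may follow a redirect.  The rule mirrors the one
requests adopted after the advisory quoted above: credentials set for
https://host must not be re-sent to http://host, nor to a different host.
Only urllib.parse from the standard library is used, so it runs offline."""
from urllib.parse import urlparse


def should_strip_auth(old_url: str, new_url: str) -> bool:
    """Return True when the Authorization header must be dropped before
    following a redirect from old_url to new_url."""
    old, new = urlparse(old_url), urlparse(new_url)

    # A different host never inherits the credentials.
    if old.hostname != new.hostname:
        return True

    # Upgrading http -> https on the default ports is safe and allowed.
    if (old.scheme == "http" and old.port in (80, None)
            and new.scheme == "https" and new.port in (443, None)):
        return False

    changed_scheme = old.scheme != new.scheme
    changed_port = old.port != new.port
    # Same scheme with both sides on the default port: nothing changed.
    if not changed_scheme and old.port is None and new.port is None:
        return False
    # Any downgrade (https -> http) or explicit port change strips the header.
    return changed_scheme or changed_port


def follow_redirect(headers: dict, old_url: str, new_url: str) -> dict:
    """Return the headers a client may send to new_url (a copy, never the
    caller's dict, so the original request headers are left untouched)."""
    forwarded = dict(headers)
    if "Authorization" in forwarded and should_strip_auth(old_url, new_url):
        del forwarded["Authorization"]
    return forwarded


if __name__ == "__main__":
    # Constructed sample: the same-hostname https-to-http redirect from the report.
    hdrs = {"Authorization": "Basic dXNlcjpwYXNz", "User-Agent": "example/1.0"}
    print(follow_redirect(hdrs, "https://api.example.test/login",
                          "http://api.example.test/login"))
```

The host check comes first because a redirect to another origin must never carry credentials regardless of scheme; the http-to-https special case is allowed only on default ports, since an explicit port change is treated as a different endpoint.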

Did you know that our version of requests was from 2015? Phwoar!
This bumps jinja2, py, pyyaml, requests and urllib3.
There's significant risk for regressions due to breaking changes,
though due to the dynamic nature of Python, they're tricky to track
down.

The potential breaking changes I'm expecting to potentially affect
us are:

  • requests@2.11.0: No longer accepts non-strings as header values.
  • requests@2.16.0: requests.packages namespace was removed due to
    packages no longer being vendored. The namespace has been incrementally
    restored over future releases, but it's unclear to what degree.
  • requests@2.24.0: Redirect resolution now only happens when
    allow_redirects is True.
  • urllib3 was bumped from 1.13.1 to 1.26, unsure what
    repercussions that will have.

This is more a risk for "people building Firefox" than for Firefox users, right? Not sure how to rate that to represent the right set of risks.

Keywords: sec-other

That's correct, yes, the vulnerabilities reported here would not affect Firefox users.

Attachment #9209297 - Attachment description: Bug 1698616: Bump python dependencies → WIP: Bug 1698616: Bump python dependencies
Attachment #9209297 - Attachment description: WIP: Bug 1698616: Bump python dependencies → Bug 1698616: Bump python dependencies

Backed out for gecko decision task bustage:

https://hg.mozilla.org/integration/autoland/rev/6607000204c56c89613f1637f7df93b53689907c

Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&group_state=expanded&selectedTaskRun=Gtdq8lj5R8moqwGzb09iPA.0&searchStr=gecko%2Cdecision%2Ctask%2Copt%2Cgecko%2Cdecision%2Ctask%2Cd&revision=0de04343f5c5f260ff969d92ceb1049d012f2e6e
Failure log: https://treeherder.mozilla.org/logviewer?job_id=336512638&repo=autoland

[task 2021-04-14T15:46:49.303Z] + ./mach --log-no-times taskgraph decision --pushlog-id=141046 --pushdate=1618415068 --project=autoland --owner=mhentges@mozilla.com --level=3 --tasks-for=hg-push --base-repository=https://hg.mozilla.org/mozilla-unified --head-repository=https://hg.mozilla.org/integration/autoland --head-ref=0de04343f5c5f260ff969d92ceb1049d012f2e6e --head-rev=0de04343f5c5f260ff969d92ceb1049d012f2e6e
[task 2021-04-14T15:46:49.969Z] Error running mach:
[task 2021-04-14T15:46:49.969Z] 
[task 2021-04-14T15:46:49.969Z]     ['--log-no-times', 'taskgraph', 'decision', '--pushlog-id=141046', '--pushdate=1618415068', '--project=autoland', '--owner=mhentges@mozilla.com', '--level=3', '--tasks-for=hg-push', '--base-repository=https://hg.mozilla.org/mozilla-unified', '--head-repository=https://hg.mozilla.org/integration/autoland', '--head-ref=0de04343f5c5f260ff969d92ceb1049d012f2e6e', '--head-rev=0de04343f5c5f260ff969d92ceb1049d012f2e6e']
[task 2021-04-14T15:46:49.969Z] 
[task 2021-04-14T15:46:49.969Z] The error occurred in code that was called by the mach command. This is either
[task 2021-04-14T15:46:49.969Z] a bug in the called code itself or in the way that mach is calling it.
[task 2021-04-14T15:46:49.969Z] You can invoke |./mach busted| to check if this issue is already on file. If it
[task 2021-04-14T15:46:49.969Z] isn't, please use |./mach busted file taskgraph| to report it. If |./mach busted| is
[task 2021-04-14T15:46:49.969Z] misbehaving, you can also inspect the dependencies of bug 1543241.
[task 2021-04-14T15:46:49.969Z] 
[task 2021-04-14T15:46:49.969Z] If filing a bug, please include the full output of mach, including this error
[task 2021-04-14T15:46:49.969Z] message.
[task 2021-04-14T15:46:49.969Z] 
[task 2021-04-14T15:46:49.969Z] The details of the failure are as follows:
[task 2021-04-14T15:46:49.969Z] 
[task 2021-04-14T15:46:49.969Z] ModuleNotFoundError: No module named 'chardet'
[task 2021-04-14T15:46:49.969Z] 
[task 2021-04-14T15:46:49.969Z]   File "/builds/worker/checkouts/gecko/taskcluster/mach_commands.py", line 349, in taskgraph_decision
[task 2021-04-14T15:46:49.969Z]     import taskgraph.decision
[task 2021-04-14T15:46:49.969Z]   File "/builds/worker/checkouts/gecko/taskcluster/taskgraph/decision.py", line 21, in <module>
[task 2021-04-14T15:46:49.969Z]     from .actions import render_actions_json
[task 2021-04-14T15:46:49.969Z]   File "/builds/worker/checkouts/gecko/taskcluster/taskgraph/actions/__init__.py", line 9, in <module>
[task 2021-04-14T15:46:49.969Z]     from .registry import (
[task 2021-04-14T15:46:49.969Z]   File "/builds/worker/checkouts/gecko/taskcluster/taskgraph/actions/registry.py", line 16, in <module>
[task 2021-04-14T15:46:49.969Z]     from taskgraph import create
[task 2021-04-14T15:46:49.969Z]   File "/builds/worker/checkouts/gecko/taskcluster/taskgraph/create.py", line 15, in <module>
[task 2021-04-14T15:46:49.969Z]     from taskgraph.util.parameterization import resolve_timestamps
[task 2021-04-14T15:46:49.969Z]   File "/builds/worker/checkouts/gecko/taskcluster/taskgraph/util/parameterization.py", line 12, in <module>
[task 2021-04-14T15:46:49.969Z]     from taskgraph.util.taskcluster import get_artifact_url
[task 2021-04-14T15:46:49.969Z]   File "/builds/worker/checkouts/gecko/taskcluster/taskgraph/util/taskcluster.py", line 12, in <module>
[task 2021-04-14T15:46:49.969Z]     import requests
[task 2021-04-14T15:46:49.969Z]   File "/builds/worker/checkouts/gecko/third_party/python/requests/requests/__init__.py", line 44, in <module>
[task 2021-04-14T15:46:49.969Z]     import chardet
Flags: needinfo?(mhentges)
Flags: needinfo?(mhentges)
Regressions: 1706456
Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 90 Branch
Status: RESOLVED → REOPENED
Flags: needinfo?(mhentges)
Resolution: FIXED → ---
Target Milestone: 90 Branch → ---
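The backout above was caused by the bumped requests importing chardet, which had not been vendored alongside it. A check that catches this class of regression before landing is to compare each vendored package's declared runtime requirements against what is actually in the vendor directory. The following is an added example, not code from this bug or from Mozilla's build system; the METADATA text and the vendored package list are constructed samples in the shape pip writes to a `*.dist-info/METADATA` file, and the helper names are my own:

```python
"""Added example (not from the bug or from the Firefox build system): verify
that every unconditional runtime dependency declared in a vendored package's
METADATA is itself present in the vendor directory.  METADATA content and the
vendored list are constructed samples; real layouts and tooling differ."""
import re
from typing import Iterable

# Constructed sample METADATA, in the form pip writes to *.dist-info/METADATA.
REQUESTS_METADATA = """\
Metadata-Version: 2.1
Name: requests
Version: 2.25.1
Requires-Dist: chardet (<5,>=3.0.2)
Requires-Dist: idna (<3,>=2.5)
Requires-Dist: urllib3 (<1.27,>=1.21.1)
Requires-Dist: certifi (>=2017.4.17)
Requires-Dist: pyOpenSSL (>=0.14) ; extra == 'security'
Requires-Dist: PySocks (!=1.5.7,>=1.5.6) ; extra == 'socks'
Requires-Dist: win-inet-pton ; (sys_platform == "win32" and python_version == "2.7") and extra == 'socks'
"""

# Constructed sample of what was vendored (before chardet was added).
VENDORED = ["requests", "urllib3", "idna", "certifi", "jinja2", "py", "PyYAML"]

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation so 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def required_dists(metadata: str) -> list:
    """Return the normalised names of unconditional runtime requirements,
    skipping those gated behind an 'extra' marker (optional features)."""
    names = []
    for line in metadata.splitlines():
        if not line.startswith("Requires-Dist:"):
            continue
        spec = line[len("Requires-Dist:"):].strip()
        req, _, marker = spec.partition(";")
        if "extra ==" in marker:
            continue  # optional feature, not needed at import time
        m = _NAME_RE.match(req)
        if m:
            names.append(normalize(m.group(1)))
    return names


def missing_dependencies(metadata: str, vendored: Iterable[str]) -> list:
    """Names required by the package but absent from the vendor directory."""
    have = {normalize(n) for n in vendored}
    return [n for n in required_dists(metadata) if n not in have]


if __name__ == "__main__":
    print(missing_dependencies(REQUESTS_METADATA, VENDORED))  # ['chardet']
```

Run over every vendored package's METADATA, a non-empty result means an import will fail at runtime exactly as the decision task above did; the check deliberately ignores `extra ==` markers, since those pull in optional features rather than anything the package imports unconditionally.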

Backout issue resolved in bug 708547.

Flags: needinfo?(mhentges)
Status: REOPENED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 90 Branch
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main90-]
Group: core-security-release
