Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Vulnerability in setuptools versions up to 69.1.1 #21184

Closed
gruzewski opened this issue Jul 19, 2024 · 10 comments · Fixed by #21314
Closed

Vulnerability in setuptools versions up to 69.1.1 #21184

gruzewski opened this issue Jul 19, 2024 · 10 comments · Fixed by #21314
Labels
backend: Python Python backend-related issues bug

Comments

@gruzewski
Copy link

gruzewski commented Jul 19, 2024

Describe the bug
Recently, there was a new vulnerability reported against setuptools that could allow RCE, see reports below:

The fix was deployed in version 70.0.0.

Pants version
2.21

OS
Linux

Additional info
From browsing the code, looks Pants is using 63.x.

class Setuptools(PythonToolRequirementsBase):
    options_scope = "setuptools"
    help_short = "Python setuptools, used to package `python_distribution` targets."

    default_requirements = ["setuptools>=63.1.0,<64.0", "wheel>=0.35.1,<0.38"]

    default_lockfile_resource = ("pants.backend.python.subsystems", "setuptools.lock")
@gruzewski gruzewski added the bug label Jul 19, 2024
@gruzewski
Copy link
Author

If the fix is to update that file and regenerating the lock file, I might be able to do that :)

@benjyw
Copy link
Contributor

benjyw commented Jul 19, 2024

If the fix is to update that file and regenerating the lock file, I might be able to do that :)

That is the fix, if you can that would be awesome! But note that this is not a normal lockfile in the pants repo, but a resource, that is generated by running pants run build-support/bin/generate_builtin_lockfiles.py setuptools

@benjyw
Copy link
Contributor

benjyw commented Jul 19, 2024

I guess the other part of the fix is communication. The code change you've kindly suggested will fix for the next Pants release, but we want to blast out to people how to fix in existing Pants versions, which is basically this:

https://www.pantsbuild.org/2.20/docs/python/overview/lockfiles#lockfiles-for-tools

@benjyw
Copy link
Contributor

benjyw commented Jul 19, 2024

I.e., we should strongly recommend that folks upgrade and spell out exactly how to do so. If you're comfortable writing that up @gruzewski?

@krishnan-chandra
Copy link
Contributor

Changing the default version of setuptools to >= 70 may require dropping support for Python 3.7, since later versions of setuptools have dropped support for it as well:

ERROR: Ignored the following versions that require a different python version: 68.1.0 Requires-Python >=3.8; 68.1.2 Requires-Python >=3.8; 68.2.0 Requires-Python >=3.8; 68.2.1 Requires-Python >=3.8; 68.2.2 Requires-Python >=3.8; 69.0.0 Requires-Python >=3.8; 69.0.1 Requires-Python >=3.8; 69.0.2 Requires-Python >=3.8; 69.0.3 Requires-Python >=3.8; 69.1.0 Requires-Python >=3.8; 69.1.1 Requires-Python >=3.8; 69.2.0 Requires-Python >=3.8; 69.3 Requires-Python >=3.8; 69.3.0 Requires-Python >=3.8; 69.3.1 Requires-Python >=3.8; 69.4 Requires-Python >=3.8; 69.4.0 Requires-Python >=3.8; 69.4.1 Requires-Python >=3.8; 69.4.2 Requires-Python >=3.8; 69.5.0 Requires-Python >=3.8; 69.5.1 Requires-Python >=3.8; 70.0.0 Requires-Python >=3.8; 70.1.0 Requires-Python >=3.8; 70.1.1 Requires-Python >=3.8; 70.2.0 Requires-Python >=3.8; 70.3.0 Requires-Python >=3.8; 71.0.0 Requires-Python >=3.8; 71.0.1 Requires-Python >=3.8; 71.0.2 Requires-Python >=3.8; 71.0.3 Requires-Python >=3.8; 71.0.4 Requires-Python >=3.8

Related issue: #21103

@gruzewski
Copy link
Author

gruzewski commented Jul 24, 2024

@krishnan-chandra is right. I got this error:

ERROR: Ignored the following versions that require a different python version: 68.1.0 Requires-Python >=3.8; 68.1.2 Requires-Python >=3.8; 68.2.0 Requires-Python >=3.8; 68.2.1 Requires-Python >=3.8; 68.2.2 Requires-Python >=3.8; 69.0.0 Requires-Python >=3.8; 69.0.1 Requires-Python >=3.8; 69.0.2 Requires-Python >=3.8; 69.0.3 Requires-Python >=3.8; 69.1.0 Requires-Python >=3.8; 69.1.1 Requires-Python >=3.8; 69.2.0 Requires-Python >=3.8; 69.3 Requires-Python >=3.8; 69.3.0 Requires-Python >=3.8; 69.3.1 Requires-Python >=3.8; 69.4 Requires-Python >=3.8; 69.4.0 Requires-Python >=3.8; 69.4.1 Requires-Python >=3.8; 69.4.2 Requires-Python >=3.8; 69.5.0 Requires-Python >=3.8; 69.5.1 Requires-Python >=3.8; 70.0.0 Requires-Python >=3.8; 70.1.0 Requires-Python >=3.8; 70.1.1 Requires-Python >=3.8; 70.2.0 Requires-Python >=3.8; 70.3.0 Requires-Python >=3.8; 71.0.0 Requires-Python >=3.8; 71.0.1 Requires-Python >=3.8; 71.0.2 Requires-Python >=3.8; 71.0.3 Requires-Python >=3.8; 71.0.4 Requires-Python >=3.8; 71.1.0 Requires-Python >=3.8

To get it working, I had to update default_interpreter_constraints in python_tool_base.py.

@benjyw I can look into dropping support for Python 3.7. WDYT?

Updated typo.

@huonw huonw added the backend: Python Python backend-related issues label Jul 24, 2024
@benjyw
Copy link
Contributor

benjyw commented Jul 24, 2024

Ooooof. No good deed goes unpunished, huh...

@benjyw
Copy link
Contributor

benjyw commented Jul 24, 2024

This would mean dropping support for 3.7 in the default settings. We would still want to support it, and must test for that support, if you're willing to downgrade to a vulnerable setuptools. That seems non-controversial given how old 3.7 is now.

So this would require a new test that uses a downgraded setuptools.

@gruzewski
Copy link
Author

gruzewski commented Jul 25, 2024

So to clarify, I would:

* For the test case, what kind of functionality I should cover? I am thinking of covering similar functionality as in test_plugin_resolver.py, so create a Pex and run a setup.py. Alternatively, checking DistBuildRequest.

@benjyw
Copy link
Contributor

benjyw commented Jul 27, 2024

Well, you can override default_interpreter_constraints in just setuptools.py, that's the only thing actually affected. Normally we'd want a deprecation cycle, where we warn you if you're relying on the 3.7 default, but still let you do so. But since this is in response to a CVE I think we can consider dispensing with that. Let's have a quick thread to discuss that on #development channel in Slack?

cburroughs added a commit to cburroughs/pantsbuild.org that referenced this issue Aug 21, 2024
cburroughs added a commit to pantsbuild/pantsbuild.org that referenced this issue Aug 23, 2024
cburroughs added a commit to cburroughs/pants that referenced this issue Sep 10, 2024
As a consequence, most tests no longer work with 3.7 since -- for
example -- the lockfile with pytest does not support 3.7.  This
downgrades 3.7 to "probably works but not well tested", which
is the same state as 3.6.  Since 3.7 has been EoL for over a year I
think this is reasonable.  This opens up the way for Python 3.13
support in lockfiles among other benefits.

As another consequence, lockfiles are regenerated which means we have
some new versions coming along for the ride.  The pretty lockfile diff
does not seem to work with the generation script though --> pantsbuild#21388

Uses of Pants can still use 3.7 by generating their own
lockfiles. Deprecation plan annouced at
https://www.pantsbuild.org/blog/2024/08/24/venerable-pythons

Based off work started in pantsbuild#21314

ref pantsbuild#21184, pantsbuild#21103, pantsbuild#20852
cburroughs added a commit that referenced this issue Sep 12, 2024
As a consequence, most tests no longer work with 3.7 since -- for
example -- the lockfile with pytest does not support 3.7. This
downgrades 3.7 to "probably works but not well tested", which is the
same state as 3.6. Since 3.7 has been EoL for over a year I think this
is reasonable. This opens up the way for Python 3.13 support in
lockfiles among other benefits.

As another consequence, lockfiles are regenerated which means we have
some new versions coming along for the ride. The pretty lockfile diff
does not seem to work with the generation script though --> #21388

Uses of Pants can still use 3.7 by generating their own lockfiles.
Deprecation plan announced at
https://www.pantsbuild.org/blog/2024/08/24/venerable-pythons

Based off work started in #21314

ref #21184, #21103, #20852
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backend: Python Python backend-related issues bug
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants