
Bumpver of certifi vendored CA bundle to remediate CVE-2023-37920 #12

Closed

Conversation

gs-kamnas

This change increments the version of the certifi CA bundle located in the vendored dependency bundle in order to remediate CVE-2023-37920.

This vulnerability in particular involves the continued trust of the Internet CA e-Tugra, which was found to have many serious and unremediated security deficiencies, leading to the removal of their root certificate from the Mozilla root CA bundle (and therefore the certifi package) in certifi/python-certifi@8fb96ed.


jsirois commented Jul 24, 2024

@gs-kamnas I just noticed this PR. I'll take a careful look over the next week to vet all this before merging (this isn't the branch Pex actually uses - it uses pex/patches/generation-2; so I'll have to fix at least that assuming this all checks out security-wise).

```python
import sys
import atexit

def exit_cacert_ctx() -> None:
```

Ok, just on a cursory pass at the patch itself (I haven't verified provenance, etc. yet - the scary stuff from my POV / assuming the worst to put safety 1st) - this won't work with the Python 3.5+ type annotations since Pex supports >=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*<3.14 and this would fail under Python 2.7.

So, at present, the patch will need to be applied to a different branch and it will need to at least have an edit to remove all type annotations.


jsirois commented Jul 24, 2024

Yeah, I think the right thing to do would be to just update src/pip/_vendor/certifi/cacert.pem with the latest from certifi. In fact, setting up some machinery to do this more regularly may make sense - Pex will not be dropping its vendored Pip 20.3.4+patched any time soon; so keeping it free of known security vulnerabilities will be important.


jsirois commented Jul 25, 2024

Ok, and that file is obtained like so, where the URL endpoint is maintained by the author of certifi as well:
https://github.com/certifi/python-certifi/blob/fc9b771c1e5bd5f0f97534464c16a6ab785d5592/Makefile#L2C6-L2C25


jsirois commented Jul 25, 2024

Ok, thanks @gs-kamnas for bringing this to my attention. I did not end up reviewing your cacert.pem diff; instead, for sanity's sake, I've semi-automated updates in a way I can trust in #14.
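The check a maintainer wants before and after such a refresh, namely which roots the vendored cacert.pem still trusts that the upstream certifi bundle no longer ships, as an added example that is not part of this PR, of Pex or of certifi. It fingerprints each PEM block by the SHA-256 of its raw DER (the identifier Mozilla and certifi use for a root), so it needs no X.509 parser; the two bundles below are constructed placeholder blobs, not real certificates.

```python
import base64
import hashlib
import re

# Matches each PEM certificate block; the base64 body may span many lines.
# certifi's bundle also carries "# Issuer:" / "# Label:" comment lines,
# which this pattern simply skips.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def fingerprint(der):
    """SHA-256 hex fingerprint of a certificate's raw DER bytes."""
    return hashlib.sha256(der).hexdigest()


def parse_bundle(pem_text):
    """Return {sha256 fingerprint: DER bytes} for every cert in a PEM bundle."""
    certs = {}
    for match in _PEM_BLOCK.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()))
        certs[fingerprint(der)] = der
    return certs


def stale_roots(vendored_pem, upstream_pem):
    """Fingerprints the vendored bundle trusts that upstream no longer ships.

    A non-empty result means the vendored copy still trusts a root that was
    removed upstream (the situation this PR is about) and must be refreshed.
    """
    return sorted(set(parse_bundle(vendored_pem)) - set(parse_bundle(upstream_pem)))


def _fake_cert(label):
    """Constructed placeholder: a PEM block around arbitrary bytes, not a real cert."""
    body = base64.b64encode(("CONSTRUCTED-" + label).encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# Constructed bundles: upstream dropped "root-b", the vendored copy still has it.
UPSTREAM_PEM = _fake_cert("root-a") + _fake_cert("root-c")
VENDORED_PEM = _fake_cert("root-a") + _fake_cert("root-b") + _fake_cert("root-c")

if __name__ == "__main__":
    for fp in stale_roots(VENDORED_PEM, UPSTREAM_PEM):
        print("stale root in vendored bundle: sha256=%s" % fp)
```

Run against the real files by reading the vendored `src/pip/_vendor/certifi/cacert.pem` and a freshly downloaded upstream bundle; an empty result is the expected state after a refresh.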

@jsirois jsirois closed this Jul 25, 2024
jsirois added a commit that referenced this pull request Jul 25, 2024
Add `nox -e update-certifi-cacert-pem` and run it to refresh Pip's
vendored certifi with the latest CA certs that should be trusted.

CF #12 by @gs-kamnas that prompted this.