
Vulnerability in Python 3.10 (setuptools inside ensurepip folder) #114446

Closed
bhupendra-vaishnav opened this issue Jan 22, 2024 · 2 comments
Labels: type-bug (An unexpected behavior, bug, or error), type-security (A security issue)

Comments


bhupendra-vaishnav commented Jan 22, 2024

Bug report

Bug description:

We are working on Python 3.10 and found a vulnerable version of the setuptools package, setuptools-65.5.0.

We did see that Python 3.10 already has a fix for the setuptools package and an updated version of it, setuptools-65.5.1. However, while doing the analysis, we found traces of the vulnerable version inside the ensurepip folder. We would appreciate an update to the ensurepip bundle to resolve the issue of the leftover file in the ensurepip bundle (highlighted in the image below).

Please refer to the absolute file paths highlighted in blue in the attached screenshot:

[Screenshot: absolute file paths inside the ensurepip folder, highlighted in blue]

Vulnerability reference : GHSA-r9hx-vwmv-q579

CC: @samruddhikhandale, @eljog, @gauravsaini04

CPython versions tested on:

3.10

Operating systems tested on:

Linux

@bhupendra-vaishnav bhupendra-vaishnav added the type-bug An unexpected behavior, bug, or error label Jan 22, 2024
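As an added example (not code from the issue or from CPython), a small check that lists the wheels in the interpreter's ensurepip `_bundled` directory and flags any whose version is below the fixed release named in the report; the `FIXED_VERSIONS` map and the `SAMPLE_BUNDLE` filenames are constructed here for illustration.

```python
"""Flag bundled ensurepip wheels that predate a known fix (added example)."""
import re
from pathlib import Path

# Wheel filename layout per PEP 427:
# {distribution}-{version}(-{build})?-{python}-{abi}-{platform}.whl
_WHEEL_RE = re.compile(
    r"^(?P<dist>[^-]+)-(?P<ver>[^-]+)(?:-(?P<build>\d[^-]*))?"
    r"-(?P<py>[^-]+)-(?P<abi>[^-]+)-(?P<plat>[^-]+)\.whl$"
)

# Constructed map of "first fixed" versions; 65.5.1 is the setuptools
# release the issue says replaced the vulnerable 65.5.0 wheel.
FIXED_VERSIONS = {"setuptools": "65.5.1"}

# Constructed sample mirroring the leftover-file situation in the report.
SAMPLE_BUNDLE = [
    "pip-23.0.1-py3-none-any.whl",
    "setuptools-65.5.0-py3-none-any.whl",
    "setuptools-65.5.1-py3-none-any.whl",
]


def version_key(ver: str):
    """Comparable tuple for plain release versions such as '65.5.0'
    (assumption: no pre-release or local segments in bundled wheels)."""
    return tuple(int(p) for p in re.findall(r"\d+", ver))


def parse_wheel(name: str):
    """Return (normalised distribution name, version) or None if not a wheel."""
    m = _WHEEL_RE.match(name)
    if not m:
        return None
    return m.group("dist").lower().replace("_", "-"), m.group("ver")


def find_outdated(filenames, fixed=FIXED_VERSIONS):
    """Return (filename, dist, version) for every wheel older than its fix."""
    hits = []
    for name in filenames:
        parsed = parse_wheel(name)
        if parsed is None:
            continue
        dist, ver = parsed
        if dist in fixed and version_key(ver) < version_key(fixed[dist]):
            hits.append((name, dist, ver))
    return hits


def scan_ensurepip_bundle():
    """Scan this interpreter's ensurepip/_bundled directory (empty if absent)."""
    import ensurepip
    bundled = Path(ensurepip.__file__).with_name("_bundled")
    names = [p.name for p in bundled.glob("*.whl")] if bundled.is_dir() else []
    return find_outdated(names)


if __name__ == "__main__":
    for name, dist, ver in find_outdated(SAMPLE_BUNDLE) + scan_ensurepip_bundle():
        print(f"OUTDATED: {name} ({dist} {ver} < {FIXED_VERSIONS[dist]})")
```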
@samruddhikhandale

We opened a similar issue with docker-library/python#901, but it turns out the vulnerability comes from Python's own stdlib.

We would appreciate a fix as this is a high severity vulnerability, thank you!

@AlexWaygood AlexWaygood added the type-security A security issue label Jan 22, 2024
hugovk (Member) commented Jan 22, 2024

Thanks for the report, this is a duplicate of #102202.
