Bug 874849 - <dev-python/imageio-2.22.0-r1: downloads .so libraries from GitHub without verification
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: ?? [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-10-04 07:40 UTC by Michał Górny
Modified: 2023-10-03 16:56 UTC

See Also:
Package list:
Runtime testing required: ---


Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-10-04 07:40:25 UTC
All upstream versions of dev-python/imageio default to downloading a compiled freeimage shared library from GitHub.  The code seems to be silently triggered when formats using freeimage are used.  It fetches straight from the master branch of a remote GitHub repository, and seems to have no protection against malicious actors.

Relevant code:

https://github.com/imageio/imageio/blob/master/imageio/plugins/_freeimage.py#L37
https://github.com/imageio/imageio/blob/eeafb8d5e6b4ec351afa13a9ca05297cd7c8728a/imageio/core/fetching.py#L33
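The defensive policy the Gentoo fix moves towards (never fetch a shared object at runtime; only load a locally installed one, optionally checked against a digest pinned at packaging time), written out as an added example. This is illustrative code, not imageio's fetching.py and not the Gentoo patch; the function names, the candidate paths and the stand-in library bytes are constructed for the demonstration.

```python
"""Added example: a no-download library resolution policy with a pinned digest.
Not imageio's code and not the Gentoo patch; all names here are hypothetical."""
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large .so files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def resolve_local_library(candidates, pinned_sha256=None):
    """Return the first candidate that exists on disk and, if a digest is
    pinned, matches it.  There is deliberately no download fallback: a
    missing or mismatching library is an error for the packager to fix,
    never a trigger to pull a binary from a remote branch."""
    for path in candidates:
        if not os.path.isfile(path):
            continue
        if pinned_sha256 is not None and sha256_of(path) != pinned_sha256:
            raise RuntimeError(f"{path}: digest mismatch, refusing to load")
        return path
    raise FileNotFoundError(
        "no trusted freeimage library found; install the system package")


def demo():
    """Constructed scenario: a fake .so stands in for libfreeimage.
    Returns (correct_path_chosen, tampered_copy_rejected)."""
    workdir = tempfile.mkdtemp()
    good = os.path.join(workdir, "libfreeimage.so")
    with open(good, "wb") as handle:
        handle.write(b"\x7fELF stand-in, constructed sample bytes")
    pinned = sha256_of(good)  # digest a packager would record at build time
    # A non-existent first candidate is skipped; the pinned one is chosen.
    chosen = resolve_local_library([os.path.join(workdir, "missing.so"), good], pinned)
    # Simulate tampering: any change to the file must be rejected.
    with open(good, "ab") as handle:
        handle.write(b"x")
    try:
        resolve_local_library([good], pinned)
        rejected = False
    except RuntimeError:
        rejected = True
    return chosen == good, rejected
```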
Comment 1 Larry the Git Cow gentoo-dev 2022-10-04 08:30:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40b85d13e7fd770f834fde7b160219829fad5311

commit 40b85d13e7fd770f834fde7b160219829fad5311
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-10-04 08:18:48 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-10-04 08:29:55 +0000

    dev-python/imageio: Block fetching remote shared libraries (!)
    
    Bug: https://bugs.gentoo.org/874849
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/imageio/Manifest                        |  2 ++
 .../files/imageio-2.22.0-block-download.patch      | 32 ++++++++++++++++++++++
 ...geio-2.22.0.ebuild => imageio-2.22.0-r1.ebuild} | 29 ++++++++++++++++++++
 3 files changed, 63 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-16 19:21:05 UTC
Interesting catch! I'm not sure we care so much about the potential for someone malicious to interfere with those libraries given they're fetched over HTTPS, but it's definitely problematic that those shared libraries are probably still vulnerable to vulnerabilities disclosed in the past.
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-10-16 19:25:23 UTC
Remember sourceforge and GIMP?
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-19 13:33:40 UTC
I've requested CVEs for both issues:

1. Old freeimage is vulnerable
2. Fetching code from internet without verification
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-24 14:04:32 UTC
The upstream issues are:

https://github.com/imageio/imageio/issues/891
https://github.com/imageio/imageio/issues/892

Requested CVEs; MITRE apparently doesn't consider fetching code from the internet without verification a vulnerability.