Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 820350 (CVE-2021-42343)

Summary: dev-python/dask: unexpectedly listens on external interfaces (CVE-2021-42343)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: normal CC: cluster, mgorny, python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://docs.dask.org/en/latest/changelog.html
Whiteboard: B2 [ebuild?]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-26 13:40:16 UTC 
CVE-2021-42343 (https://github.com/dask/dask/releases):

An issue was discovered in Dask (aka python-dask) through 2021.09.1. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.


These references aren't very useful, I can't tell if this is actually
in the changelog.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-10-28 06:54:13 UTC 
For the record, I think we're not affected since we lastrited distributed long time ago.  However, I suppose some users may readd it locally.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-10-28 06:56:42 UTC 
I suspect the following commit in dask/distributed fixes it:

commit afce4be8e05fb180e50a9d9e38465f1a82295e1b
Author: Jim Crist-Harif <jcrist@users.noreply.github.com>
Date:   2021-10-14 23:21:56 +0200

    Pass `host` through `LocalCluster` to workers (#5427)
    
    Previously the `host` parameter to `LocalCluster` would only be
    forwarded to `Scheduler` instances and not `Worker`/`Nanny` instances,
    leading to workers listening on non-localhost in some configurations.
    This fixes that and adds a test.
    
    Co-authored-by: James Bourbeau <jrbourbeau@gmail.com>


This is included in distributed 2021.10.0 but as I said, we don't package that anymore.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-28 13:37:24 UTC 
Thanks, this can be invalid then. I asked MITRE about the useless references anyway, but haven't gotten a response.