
Bug 835625

Summary: dev-python/virtualenv: bundles vulnerable urllib3 via vulnerable pip
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: minor
CC: mgorny, python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [ebuild?]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 835609

Description (John Helmert III, 2022-03-19 15:08:02 UTC)
~ $ qlist dev-python/virtualenv | grep pip.*.whl
/usr/lib/python3.9/site-packages/virtualenv/seed/wheels/embed/pip-22.0.4-py3-none-any.whl
/usr/lib/python3.9/site-packages/virtualenv/seed/wheels/embed/pip-20.3.4-py2.py3-none-any.whl
/usr/lib/python3.9/site-packages/virtualenv/seed/wheels/embed/pip-21.3.1-py3-none-any.whl

https://github.com/pypa/pip/commit/9f3760ba1419753e0d6e270c1f30b9a3e49f2f93

So pip is fixed in 22.0 onward. Maintainers, anything we can do here?
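The `qlist | grep` one-liner above only lists the embedded wheel filenames. A defender auditing this package would also want the pip version parsed out of each filename, a comparison against the "fixed in 22.0 onward" threshold the report states, and the urllib3 version that each pip wheel actually vendors. The script below is an added example and is not code from the bug report, from Gentoo or from the virtualenv project. It assumes the standard wheel filename layout (`<name>-<version>-<pytag>-<abi>-<platform>.whl`) and that pip wheels carry `pip/_vendor/vendor.txt` listing vendored packages as `name==version`, both of which hold for published pip wheels. The wheels it audits are constructed in a temporary directory with the filenames from the report, and the urllib3 versions written into them are sample values, not the contents of the real releases, so it runs offline.

```python
"""Audit the pip wheels virtualenv embeds under seed/wheels/embed.

Added example, not part of the Gentoo bug or of virtualenv itself.
The pip 22.0 threshold comes from the bug report; the sample wheels are
constructed below so the script runs without a real virtualenv install.
"""
import os
import re
import tempfile
import zipfile

# Per the bug report, pip 22.0 onward ships the fixed urllib3.
PIP_FIXED_FROM = (22, 0)

# Matches <name>-<version>-<pytag>-<abi>-<platform>.whl
WHEEL_RE = re.compile(r"^([A-Za-z0-9_.]+)-([0-9][^-]*)-[^-]+-[^-]+-[^-]+\.whl$")


def parse_version(text):
    """Turn '22.0.4' into (22, 0, 4); a non-numeric component ends the tuple."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def parse_wheel_name(filename):
    """Return (distribution, version) for a wheel filename, or None if malformed."""
    m = WHEEL_RE.match(os.path.basename(filename))
    if m is None:
        return None
    return m.group(1), m.group(2)


def vendored_versions(wheel_path):
    """Map each package listed in pip/_vendor/vendor.txt to its pinned version."""
    result = {}
    with zipfile.ZipFile(wheel_path) as zf:
        try:
            data = zf.read("pip/_vendor/vendor.txt").decode()
        except KeyError:
            return result  # not a pip wheel, or no vendor manifest
        for line in data.splitlines():
            line = line.split("#", 1)[0].strip()
            if "==" in line:
                name, ver = line.split("==", 1)
                result[name.strip().lower()] = ver.strip()
    return result


def audit_embedded_wheels(embed_dir):
    """Return one finding per pip wheel in embed_dir; other wheels are skipped."""
    findings = []
    for fn in sorted(os.listdir(embed_dir)):
        parsed = parse_wheel_name(fn)
        if parsed is None or parsed[0] != "pip":
            continue
        pip_version = parsed[1]
        vendored = vendored_versions(os.path.join(embed_dir, fn))
        findings.append({
            "wheel": fn,
            "pip": pip_version,
            "urllib3": vendored.get("urllib3"),
            "below_fixed": parse_version(pip_version) < PIP_FIXED_FROM,
        })
    return findings


def make_sample_wheel(directory, filename, urllib3_version=None):
    """Write a minimal constructed wheel; urllib3_version is a sample value."""
    path = os.path.join(directory, filename)
    with zipfile.ZipFile(path, "w") as zf:
        if urllib3_version is not None:
            zf.writestr("pip/_vendor/vendor.txt", f"urllib3=={urllib3_version}\n")
    return path


def build_sample_embed_dir():
    """Create a temp directory holding the three pip wheels the report lists."""
    d = tempfile.mkdtemp(prefix="virtualenv-embed-")
    # Sample urllib3 versions: constructed, not read from real pip releases.
    make_sample_wheel(d, "pip-22.0.4-py3-none-any.whl", "1.26.8")
    make_sample_wheel(d, "pip-20.3.4-py2.py3-none-any.whl", "1.25.0")
    make_sample_wheel(d, "pip-21.3.1-py3-none-any.whl", "1.26.7")
    make_sample_wheel(d, "other-1.0-py3-none-any.whl")  # non-pip wheel, skipped
    return d


if __name__ == "__main__":
    embed = build_sample_embed_dir()  # on a real system: the embed/ path from qlist
    for f in audit_embedded_wheels(embed):
        status = "BELOW FIXED VERSION" if f["below_fixed"] else "ok"
        print(f"{f['wheel']}: pip {f['pip']}, urllib3 {f['urllib3']} -> {status}")
```

On a real system, point `audit_embedded_wheels` at the `.../virtualenv/seed/wheels/embed` directory from the `qlist` output instead of the constructed one; any wheel flagged `below_fixed` is one that `virtualenv` will seed into new environments until the package is updated or the bundled wheels are patched.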
Comment 1 (Michał Górny, 2022-03-19 15:27:53 UTC)
Perhaps you'd want to file a bug upstream and see what they say. Technically, I think it should be possible to patch the bundled wheels but that's a big meh.