| Summary: | dev-python/imageio-2.22.0-r1: downloads .so libraries from GitHub without verification | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michał Górny <mgorny> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | gentoo, gentoo, proxy-maint, python |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | ?? [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Michał Górny
2022-10-04 07:40:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40b85d13e7fd770f834fde7b160219829fad5311

commit 40b85d13e7fd770f834fde7b160219829fad5311
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-10-04 08:18:48 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-10-04 08:29:55 +0000

dev-python/imageio: Block fetching remote shared libraries (!)

Bug: https://bugs.gentoo.org/874849
Signed-off-by: Michał Górny <mgorny@gentoo.org>

dev-python/imageio/Manifest | 2 ++
.../files/imageio-2.22.0-block-download.patch | 32 ++++++++++++++++++++++
...geio-2.22.0.ebuild => imageio-2.22.0-r1.ebuild} | 29 ++++++++++++++++++++
3 files changed, 63 insertions(+)

Interesting catch! I'm not sure we care so much about the potential for someone malicious to interfere with those libraries given they're fetched over HTTPS, but it's definitely problematic that those shared libraries are probably still vulnerable to vulnerabilities disclosed in the past. Remember sourceforge and GIMP?

I've requested CVEs for both issues:

1. Old freeimage is vulnerable
2. Fetching code from internet without verification

The upstream issues are:

https://github.com/imageio/imageio/issues/891
https://github.com/imageio/imageio/issues/892

Requested CVEs, MITRE apparently doesn't consider fetching code from the internet without verification a vulnerability.
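The two safe behaviours discussed in this bug, refusing to fetch shared libraries at runtime at all (what the Gentoo patch does) or, if a download is ever allowed, accepting it only when it matches a digest pinned at packaging time, can be shown in a small loader. The code below is an added illustration written for this page; it is not imageio's code, not the Gentoo patch, and does not use any imageio API. The library name `libexample.so`, the `fetch` callable, the pin table and the library bytes are all constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile


class UnverifiedArtifactError(RuntimeError):
    """Raised when a fetched file does not match its pinned digest."""


# Constructed stand-in for the bytes of a downloaded shared library.
GOOD_BYTES = b"\x7fELF constructed stand-in for a shared library"

# Hypothetical pin table: filename -> SHA-256 recorded at packaging/review time.
# The pins ship with the package itself; they are never fetched from the same
# server as the file they vouch for.
PINNED_SHA256 = {
    "libexample.so": hashlib.sha256(GOOD_BYTES).hexdigest(),
}


def verify_artifact(name, data, pinned=PINNED_SHA256):
    """Return True only if `data` hashes to the digest pinned for `name`.

    A missing pin is a failure, not "no policy": an unpinned file is exactly
    the unverified download this bug is about.
    """
    expected = pinned.get(name)
    if expected is None:
        raise UnverifiedArtifactError(f"{name}: no pinned digest, refusing to trust it")
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise UnverifiedArtifactError(f"{name}: digest mismatch (got {actual[:16]}...)")
    return True


def install_if_verified(name, data, dest_dir, pinned=PINNED_SHA256):
    """Verify first, then write atomically so a partial or bad file is never loadable."""
    verify_artifact(name, data, pinned)
    final_path = os.path.join(dest_dir, name)
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, prefix=".partial-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp_path, final_path)  # rename is atomic on the same filesystem
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return final_path


def resolve_library(name, search_dirs, fetch=None, allow_download=False, pinned=PINNED_SHA256):
    """Locate a shared library the safe way round: system copy first, download last.

    `fetch` is a hypothetical callable returning raw bytes. It is only invoked
    when `allow_download` is True; the default (False) corresponds to the
    Gentoo fix, where a missing system library is a hard error.
    """
    for d in search_dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return candidate
    if not allow_download or fetch is None:
        raise FileNotFoundError(f"{name}: not installed and runtime download is disabled")
    # Stage into the first search dir only after the digest check has passed.
    return install_if_verified(name, fetch(name), search_dirs[0], pinned)


def demo():
    """Exercise the accept, reject and download-blocked paths on constructed data."""
    results = {}
    workdir = tempfile.mkdtemp()
    results["good_verified"] = verify_artifact("libexample.so", GOOD_BYTES)
    try:
        verify_artifact("libexample.so", GOOD_BYTES + b"\x00")  # one byte appended
        results["tampered_rejected"] = False
    except UnverifiedArtifactError:
        results["tampered_rejected"] = True
    try:  # patched behaviour: download disabled, missing library is an error
        resolve_library("libexample.so", [workdir], fetch=lambda _n: GOOD_BYTES)
        results["download_blocked"] = False
    except FileNotFoundError:
        results["download_blocked"] = True
    # download explicitly allowed and the bytes match the pin: installed
    path = resolve_library("libexample.so", [workdir], fetch=lambda _n: GOOD_BYTES,
                           allow_download=True)
    results["installed"] = os.path.isfile(path)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of `resolve_library` defaulting to `allow_download=False` is the same as the ebuild patch: a packaged application should use the distribution's copy of the library, which receives security updates, rather than silently pulling a frozen binary from a hosting site. The digest check is the fallback for environments that insist on the download; it catches both tampering in transit and a stale release being substituted, because either changes the hash.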