Security Issue with your package from pypi.org #630

Open
rakovskij-stanislav opened this issue Aug 5, 2022 · 5 comments

Comments

@rakovskij-stanislav

Hello! I found a security issue in your package on PyPI:
https://pypi.org/project/sqlalchemy-utils/

Affected versions of package:

  • 0.14.0 (Jul 2, 2013)
  • 0.14.1 (Jul 2, 2013)
  • 0.14.3 (Jul 3, 2013)
  • 0.14.4 (Jul 3, 2013)
  • 0.14.5 (Jul 22, 2013)
  • 0.14.6 (Jul 22, 2013)
  • 0.14.7 (Jul 23, 2013)
  • 0.15.0 (Jul 23, 2013)
  • 0.15.1 (Jul 23, 2013)
  • 0.16.0 (Jul 25, 2013)

There's an unmet dependency on the module phonenumbers3k if you try to install these versions of sqlalchemy-utils with the phone extra:

Collecting sqlalchemy-utils[phone]==0.16.0
  Using cached SQLAlchemy-Utils-0.16.0.tar.gz (27 kB)
  Preparing metadata (setup.py) ... done
Requirement already satisfied: six in python\python310\lib\site-packages (from sqlalchemy-utils[phone]==0.16.0) (1.16.0)
Requirement already satisfied: SQLAlchemy>=0.8.0 in python\python310\lib\site-packages (from sqlalchemy-utils[phone]==0.16.0) (1.4.39)
ERROR: Could not find a version that satisfies the requirement phonenumbers3k==5.6b1 (from sqlalchemy-utils[phone]) (from versions: none)
ERROR: No matching distribution found for phonenumbers3k==5.6b1

It happens because there is a missed requirement in the setup.py file:

...
    extras_require={
        'test': [
            'pytest==2.2.3',
            'Pygments>=1.2',
            'Jinja2>=2.3',
            'docutils>=0.10',
            'flexmock>=0.9.7',
            'psycopg2>=2.4.6'
        ],
        'arrow': ['arrow>=0.3.4'],
        'phone': ['phonenumbers3k==5.6b1'],
        'password': ['passlib >= 1.6, < 2.0'],
        'color': ['colour>=0.0.4']
    },
...

It's dangerous because an intruder can create a malicious package phonenumbers3k on PyPI and:

  • Make online guides on how to use your package and abuse this malicious supply chain attack to compromise users
  • Infect automated CI/CD pipelines that use an old version of your package
  • Infect other users by hardcoding those versions of the package in open-source projects that use it

It's dangerous because usage of sqlalchemy-utils, even outdated, is not something strange. Everyone likes hardcoded versions of packages, even in the era of protestware.

The best solution is to delete those exact versions of the package from PyPI. Better to break dependencies in some old pipelines than to compromise them.

Rakovsky Stanislav (Positive Technologies)

@kurtmckee
Collaborator

@rakovskij-stanislav I'm interested to know how you found this issue? If it was an automated tool, what tool did you use?

Regarding the versions that depend on phonenumbers3k, it's a larger list than what you've reported. I checked the git history and found that the boundaries are:

  • First affected version: sqlalchemy-utils 0.14.0
  • Last affected version: 0.23.4

It appears that phonenumbers3k is not a missed dependency. Rather, the Python packaging infrastructure has changed in the last ten years. Back in 2013 it was possible to specify dependencies that were not available on PyPI by stashing them in a dependency_links list. The dependencies would be built locally and could then meet the listed requirements.

Commit 71da6ac introduced this syntax:

    dependency_links=[
        # 5.6 supports python 3.x / pending release
        'git+git://github.com/daviddrysdale/python-phonenumbers.git@python3'
        '#egg=phonenumbers3k-5.6b1',
    ],
    install_requires=[
        'six',
        'SQLAlchemy>=0.8.0',
        'phonenumbers3k==5.6b1',
        'colour>=0.0.3'
    ],

Python's packaging ecosystem doesn't use the dependency_links key anymore, which is why the dependency is no longer met from within setup.py.

@kvesteri I don't currently have a strong opinion on whether to yank releases 0.14.0 through 0.23.4. pip removed all dependency_links support in version 19.0, which is why those old versions now reach out to PyPI for a phonenumbers3k package. It appears this may indeed be a vulnerability, though the affected packages are eight and nine years old.

@rakovskij-stanislav
Author

@kurtmckee
Thanks for your answer.

I found it using my automated system for analyzing Python package vulnerabilities as a part of my research.

I rechecked your packages and can say: yes, several other versions are affected too.
I do not execute setup.py files (it's dangerous; a lot of malware puts its payload here), and my system was confused by this condition:

    'phone': [
        # The phonenumbers library has a split for 2.x and 3.x support.
        'phonenumbers3k==5.6b1' if PY3 else 'phonenumbers<5.6b1'
    ],

A phonenumbers3k mention was found in setup.py in versions 0.14.0 - 0.31.0, but in 0.23.5-0.31.0 it's just a mention of the egg file.

So yes, I can confirm that vulnerable versions are:

0.14.0 (created 2013-07-02)
0.14.1 (created 2013-07-02)
0.14.3 (created 2013-07-03)
0.14.4 (created 2013-07-03)
0.14.5 (created 2013-07-22)
0.14.6 (created 2013-07-22)
0.14.7 (created 2013-07-23)
0.15.0 (created 2013-07-23)
0.15.1 (created 2013-07-23)
0.16.0 (created 2013-07-25)
0.16.1 (created 2013-08-01)
0.16.2 (created 2013-08-01)
0.16.3 (created 2013-08-05)
0.16.4 (created 2013-08-08)
0.16.5 (created 2013-08-08)
0.16.6 (created 2013-08-16)
0.16.7 (created 2013-08-18)
0.16.8 (created 2013-08-21)
0.16.9 (created 2013-08-21)
0.16.10 (created 2013-09-16)
0.16.11 (created 2013-09-17)
0.16.12 (created 2013-09-17)
0.16.13 (created 2013-09-17)
0.16.14 (created 2013-09-17)
0.16.16 (created 2013-09-18)
0.16.17 (created 2013-09-19)
0.16.18 (created 2013-09-19)
0.16.19 (created 2013-09-21)
0.16.20 (created 2013-09-26)
0.16.21 (created 2013-09-29)
0.16.22 (created 2013-10-03)
0.16.23 (created 2013-10-04)
0.16.24 (created 2013-10-04)
0.16.25 (created 2013-10-18)
0.19.0 (created 2013-10-24)
0.20.0 (created 2013-10-31)
0.22.0 (created 2014-01-04)
0.22.1 (created 2014-01-06)
0.23.0 (created 2014-01-14)
0.23.1 (created 2014-01-14)
0.23.2 (created 2014-01-21)
0.23.3 (created 2014-01-23)

0.23.4, mentioned by you, does not exist on PyPI.
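The two comments above describe the core of the problem: a requirement that was once satisfied through dependency_links (an egg fragment pointing at a git repo) is now resolved from PyPI, and a scanner must see this without executing setup.py. The following is an added example (not code from this thread or from sqlalchemy-utils) that parses a setup() call statically with the ast module, walks both arms of the PY3 conditional, and reports requirement names that only ever existed as a dependency_links egg. SAMPLE_SETUP_PY is a constructed fragment in the shape of the 2013 setup.py quoted above.

```python
import ast
import re

# Constructed sample in the shape of the old sqlalchemy-utils setup.py
# fragments quoted in this issue; it is not the real file.
SAMPLE_SETUP_PY = '''
import sys
PY3 = sys.version_info[0] == 3
setup(
    name='SQLAlchemy-Utils',
    dependency_links=[
        'git+git://github.com/daviddrysdale/python-phonenumbers.git@python3'
        '#egg=phonenumbers3k-5.6b1',
    ],
    install_requires=['six', 'SQLAlchemy>=0.8.0', 'phonenumbers3k==5.6b1'],
    extras_require={
        'phone': ['phonenumbers3k==5.6b1' if PY3 else 'phonenumbers<5.6b1'],
    },
)
'''

def _normalize(name):
    # PEP 503 normalization: 'Phone_Numbers3k' and 'phone-numbers3k' compare equal.
    return re.sub(r'[-_.]+', '-', name).lower()

def _strings(node):
    # Collect every string literal under the node without evaluating it, so both
    # arms of an IfExp are seen. For a dict (extras_require) only the values count.
    if isinstance(node, ast.Dict):
        return [s for v in node.values for s in _strings(v)]
    return [n.value for n in ast.walk(node)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]

def setup_keywords(source):
    """Map each keyword passed to setup() to the string literals it contains."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) \
                and node.func.id == 'setup':
            return {kw.arg: _strings(kw.value) for kw in node.keywords if kw.arg}
    return {}

def egg_names(links):
    # '...#egg=phonenumbers3k-5.6b1' -> 'phonenumbers3k'; a trailing '-<digits...>'
    # is treated as the version, so '#egg=python-phonenumbers' keeps its hyphen.
    names = set()
    for link in links:
        m = re.search(r'#egg=([^&]+)', link)
        if m:
            name, sep, ver = m.group(1).rpartition('-')
            names.add(_normalize(name if sep and ver[:1].isdigit() else m.group(1)))
    return names

def requirement_name(req):
    # 'passlib >= 1.6, < 2.0' -> 'passlib'
    m = re.match(r'\s*([A-Za-z0-9][A-Za-z0-9._-]*)', req)
    return _normalize(m.group(1)) if m else None

def link_only_requirements(source):
    """Requirement names that were satisfied only via a dependency_links egg."""
    kws = setup_keywords(source)
    eggs = egg_names(kws.get('dependency_links', []))
    reqs = kws.get('install_requires', []) + kws.get('extras_require', [])
    return sorted({requirement_name(r) for r in reqs} - {None} & eggs)
```

Any name this returns is one that pip 19.0 and later will try to fetch from the public index, which is exactly the condition that makes an unregistered name worth claiming defensively or the release worth yanking.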

@rakovskij-stanislav
Author

Also, it would be great to register a CVE for this. CVEs would help security teams on the customer side to properly execute the vulnerability management process.

@jenstroeger

Also, it would be great to register a CVE for this. CVEs would help security teams on the customer side to properly execute the vulnerability management process.

In which case pip-audit would pick up the CVE and warn users of the vulnerable packages…

@rakovskij-stanislav
Author

rakovskij-stanislav commented Sep 16, 2022

Hi, @jenstroeger!

The database for pip-audit is the advisory-database repo. They say:

Much of the existing set of vulnerabilities are collected from the NVD CVE feed.

We use this tool, which performs a lot of heuristics to match CVEs with exact Python packages and versions (which is a difficult problem!) and a small amount of human triage to generate the .yaml entries here.

I will additionally add this vuln to the PYSEC database if it is not parsed correctly by this tool; improvement of hand-made reports is in progress (pypa/advisory-database#74).
