
Import recent CVEs, add new tool for automated import
sethmlarson committed Apr 3, 2024
1 parent 7547bf8 commit 7a4284c
Showing 3 changed files with 275 additions and 0 deletions.
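--- a/advisories/python/PSF-0000-CVE-2023-6597.json
+++ b/advisories/python/PSF-0000-CVE-2023-6597.json
@@ -0,0 +1,84 @@
+{
+"schema_version": "1.5.0",
+"id": "PSF-0000-CVE-2023-6597",
+"aliases": [
+"CVE-2023-6597"
+],
+"published": "2024-03-19T15:44:28.989ZZ",
+"modified": "2024-04-03T15:06:30.430ZZ",
+"details": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\n",
+"database_specific": {
+"cwe_ids": []
+},
+"affected": [
+{
+"ranges": [
+{
+"type": "GIT",
+"repo": "https://github.com/python/cpython",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "81c16cd94ec38d61aa478b9a452436dc3b1b524d"
+},
+{
+"fixed": "6ceb8aeda504b079fef7a57b8d81472f15cdd9a5"
+},
+{
+"fixed": "5585334d772b253a01a6730e8202ffb1607c3d25"
+},
+{
+"fixed": "8eaeefe49d179ca4908d052745e3bb8b6f238f82"
+},
+{
+"fixed": "d54e22a669ae6e987199bb5d2c69bb5a46b0083b"
+},
+{
+"fixed": "02a9259c717738dfe6b463c44d7e17f2b6d2cb3a"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "FIX",
+"url": "https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d"
+},
+{
+"type": "FIX",
+"url": "https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5"
+},
+{
+"type": "FIX",
+"url": "https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25"
+},
+{
+"type": "FIX",
+"url": "https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82"
+},
+{
+"type": "FIX",
+"url": "https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b"
+},
+{
+"type": "FIX",
+"url": "https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a"
+},
+{
+"type": "REPORT",
+"url": "https://github.com/python/cpython/issues/91133"
+},
+{
+"type": "ADVISORY",
+"url": "https://mail.python.org/archives/list/[email protected]/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/"
+},
+{
+"type": "WEB",
+"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html"
+}
+]
+}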
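Review bot: The `published` and `modified` values (`"2024-03-19T15:44:28.989ZZ"`, `"2024-04-03T15:06:30.430ZZ"`) carry a doubled `Z` suffix, which is not a valid RFC 3339 timestamp and will be rejected by strict OSV schema validators and by most date parsers that consume this advisory. The doubling appears to come from the importer in this same commit appending `"Z"` to `datePublished`/`dateUpdated` values that already end in `Z`, so the file should be regenerated as `"published": "2024-03-19T15:44:28.989Z"` once that is corrected. The same defect is present in PSF-0000-CVE-2024-0450.json in this commit. Separately, `"cwe_ids": []` being empty for both imported advisories is consistent with the importer's CWE lookup never matching; worth confirming against the upstream CVE records before relying on this field.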
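--- a/advisories/python/PSF-0000-CVE-2024-0450.json
+++ b/advisories/python/PSF-0000-CVE-2024-0450.json
@@ -0,0 +1,92 @@
+{
+"schema_version": "1.5.0",
+"id": "PSF-0000-CVE-2024-0450",
+"aliases": [
+"CVE-2024-0450"
+],
+"published": "2024-03-19T15:12:07.789ZZ",
+"modified": "2024-04-03T14:56:18.250ZZ",
+"details": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to \u201cquoted-overlap\u201d zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n",
+"database_specific": {
+"cwe_ids": []
+},
+"affected": [
+{
+"ranges": [
+{
+"type": "GIT",
+"repo": "https://github.com/python/cpython",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "66363b9a7b9fe7c99eba3a185b74c5fdbf842eba"
+},
+{
+"fixed": "fa181fcf2156f703347b03a3b1966ce47be8ab3b"
+},
+{
+"fixed": "a956e510f6336d5ae111ba429a61c3ade30a7549"
+},
+{
+"fixed": "30fe5d853b56138dbec62432d370a1f99409fc85"
+},
+{
+"fixed": "a2c59992e9e8d35baba9695eb186ad6c6ff85c51"
+},
+{
+"fixed": "d05bac0b74153beb541b88b4fca33bf053990183"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "FIX",
+"url": "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba"
+},
+{
+"type": "FIX",
+"url": "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b"
+},
+{
+"type": "FIX",
+"url": "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549"
+},
+{
+"type": "FIX",
+"url": "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85"
+},
+{
+"type": "FIX",
+"url": "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51"
+},
+{
+"type": "FIX",
+"url": "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183"
+},
+{
+"type": "REPORT",
+"url": "https://github.com/python/cpython/issues/109858"
+},
+{
+"type": "WEB",
+"url": "https://www.bamsoftware.com/hacks/zipbomb/"
+},
+{
+"type": "ADVISORY",
+"url": "https://mail.python.org/archives/list/[email protected]/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/"
+},
+{
+"type": "WEB",
+"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html"
+},
+{
+"type": "WEB",
+"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html"
+}
+]
+}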
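--- a/tools/import-from-cve.py
+++ b/tools/import-from-cve.py
@@ -0,0 +1,99 @@
+"""Tool which imports OSV data from PSF CVE Numbering Authority CVEs"""
+
+import json
+import re
+import sys
+from pathlib import Path
+
+import osv_utils
+import urllib3
+
+http = urllib3.PoolManager()
+ADVISORIES_DIR = Path(__file__).parent.parent / "advisories"
+
+
+def main():
+fetch_osv_from_cve(sys.argv[1])
+
+
+def fetch_osv_from_cve(cve_id):
+# Fetch the CVE JSON from the GitHub mirror.
+CVE, year, id = cve_id.split("-")
+assert CVE == "CVE", cve_id
+id_prefix = id[:-3] + "xxx"
+resp = http.request(
+"GET",
+f"https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/{year}/{id_prefix}/{cve_id}.json",
+)
+if resp.status == 404:
+return
+assert resp.status == 200, resp.status
+cve_json = resp.json()
+cve_cna = cve_json["containers"]["cna"]
+cve_meta = cve_json["cveMetadata"]
+
+details = None
+if "descriptions" in cve_cna:
+assert cve_cna["descriptions"][0]["lang"] == "en"
+details = cve_cna["descriptions"][0]["value"]
+
+cwe_ids = []
+for problem_type in cve_cna.get("problemTypes", []):
+cwe_ids.extend(problem_type.get("cwdId", []))
+
+osv_id = osv_utils.get_osv_id(
+"python", lambda osv: cve_id in osv.get("aliases", ())
+)
+if not osv_id:
+osv_id = f"PSF-0000-{cve_id}"
+osv_json = {
+"schema_version": "1.5.0",
+"id": osv_id,
+"aliases": [cve_id],
+"published": f"{cve_meta['datePublished']}Z",
+"modified": f"{cve_meta['dateUpdated']}Z",
+"details": details,
+"database_specific": {"cwe_ids": cwe_ids},
+}
+
+fixed_events = []
+references = []
+for ref in cve_cna["references"]:
+ref_tags = ref.get("tags", ())
+ref_type = "WEB"
+if "patch" in ref_tags:
+ref_type = "FIX"
+fixed_events.append(
+{
+"fixed": re.search(
+r"https://github.com/python/cpython/commit/([a-f0-9]{20,})",
+ref["url"],
+).group(1)
+}
+)
+elif "vendor-advisory" in ref_tags:
+ref_type = "ADVISORY"
+elif "issue-tracking" in ref_tags:
+ref_type = "REPORT"
+references.append({"type": ref_type, "url": ref["url"]})
+
+osv_json["affected"] = [
+{
+"ranges": [
+{
+"type": "GIT",
+"repo": "https://github.com/python/cpython",
+"events": [{"introduced": "0"}, *fixed_events],
+}
+]
+}
+]
+osv_json["references"] = references
+
+with (ADVISORIES_DIR / f"python/{osv_id}.json").open("w") as f:
+f.truncate()
+f.write(json.dumps(osv_json, indent=2))
+
+
+if __name__ == "__main__":
+main()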
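Review bot: `cve_id` comes straight from `sys.argv[1]` and is spliced unvalidated into both the fetched URL path and the output path `ADVISORIES_DIR / f"python/{osv_id}.json"` in `fetch_osv_from_cve`, and the only shape check is an `assert`, which is stripped under `-O`; a fullmatch against `^CVE-\d{4}-\d{4,}$` before the split would keep a malformed id from producing an unexpected fetch URL or a file outside `advisories/python/`. `problem_type.get("cwdId", [])` looks like a typo for `cweId`, and in CVE 5 records the CWE id appears to sit on `problemTypes[].descriptions[]` rather than on the problemType itself, which would explain why both advisories imported by this commit end up with `"cwe_ids": []`. `re.search(...).group(1)` on the patch branch raises `AttributeError` for any `patch`-tagged reference that is not a `python/cpython` commit URL, so one stray PR or backport link aborts the whole import. `f"{cve_meta['datePublished']}Z"` appends `Z` even when the upstream value already ends in it, which is what produced the `...ZZ` timestamps in the two imported files; only add the suffix when it is missing.
```python
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
COMMIT_URL_RE = re.compile(r"https://github.com/python/cpython/commit/([a-f0-9]{20,})")


def _rfc3339(ts):
    """Add a trailing 'Z' only when the CVE timestamp does not already carry one."""
    return ts if ts.endswith("Z") else f"{ts}Z"


def fetch_osv_from_cve(cve_id):
    # Reject anything that is not a CVE id: the value becomes a URL path and a filename.
    if not CVE_ID_RE.fullmatch(cve_id):
        raise ValueError(f"not a CVE id: {cve_id!r}")
    CVE, year, id = cve_id.split("-")
    # … unchanged: HTTP fetch, status check, details extraction …
    cwe_ids = []
    for problem_type in cve_cna.get("problemTypes", []):
        for desc in problem_type.get("descriptions", []):
            if "cweId" in desc:  # NOTE(review): confirm field name/nesting against a CVE 5 record
                cwe_ids.append(desc["cweId"])
    # … unchanged: osv_id lookup …
        "published": _rfc3339(cve_meta["datePublished"]),
        "modified": _rfc3339(cve_meta["dateUpdated"]),
    # … unchanged: rest of osv_json construction …
        if "patch" in ref_tags:
            ref_type = "FIX"
            match = COMMIT_URL_RE.search(ref["url"])
            if match:  # non-cpython patch links are kept as references but yield no fixed event
                fixed_events.append({"fixed": match.group(1)})
    # … unchanged: remaining reference typing, affected/references assembly, file write …
```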
