Vulnerability in Python 3.10 (setuptools inside ensurepip folder) #901

Open
bhupendra-vaishnav opened this issue Jan 19, 2024 · 6 comments

Comments

@bhupendra-vaishnav

We are working on Python 3.10 and found a vulnerable version of the setuptools package, setuptools-65.5.0.

We did see that Python 3.10 already has a fix for the setuptools package and an updated version, setuptools-65.5.1. However, while doing the analysis, we found traces of the vulnerable version inside the ensurepip folder.

Please refer to the absolute file paths highlighted in blue in the attached screenshot:

[Screenshot 2024-01-19 at 3 49 22 PM]

Vulnerability reference : GHSA-r9hx-vwmv-q579

CC: @samruddhikhandale, @eljog, @gauravsaini04

@samruddhikhandale

samruddhikhandale commented Jan 19, 2024

./usr/local/lib/python3.10/ensurepip/_bundled/setuptools-65.5.0-py3-none-any.whl

As the ensurepip module is part of pip, does the Python image need an update for the pip package as well?

We use the python image as base for the dev container images which are getting flagged with the setuptools vulnerability in our scanners.

We appreciate the quick fix for #783, hoping to get this resolved as well. Thank you!

// cc @tianon

@tianon
Member

tianon commented Jan 19, 2024

The ensurepip module is part of Python's own stdlib (which is thus where this is coming from), not pip 😭

@samruddhikhandale

Hmmm. @tianon Is there any way to patch this? 🤔

@tianon
Member

tianon commented Jan 19, 2024

I'm sure there's a way -- the best one would be for Python upstream to do new releases with the updated setuptools bundled (because this really isn't a Docker-specific problem -- it just looks like one because we seem to be one of the few parties publishing builds of their sources fairly "vanilla"). I don't know what the likelihood of that happening is, though.

For your builds, it would probably be pretty reasonable to purge the ensurepip module completely from your derivative images, but I must admit I don't know how common ensurepip is for users to actually use.

@samruddhikhandale

samruddhikhandale commented Jan 19, 2024

> For your builds, it would probably be pretty reasonable to purge the ensurepip module completely from your derivative images, but I must admit I don't know how common ensurepip is for users to actually use.

Removing ensurepip could break the ability to bootstrap pip into new virtual environments created with venv (a tool for creating isolated Python environments), or other systems that rely on ensurepip to ensure pip is available. Hence, I don't think we should remove ensurepip from our images.

> it just looks like one because we seem to be one of the few parties publishing builds of their sources fairly "vanilla"

@tianon Is the python image always built with the latest builds of Python?

@bhupendra-vaishnav can you raise this issue in https://github.com/python/cpython and request them to update their ensurepip bundle?
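An added check, not from this issue or the docker-library/python project, that reproduces what the scanner flagged without removing ensurepip: it walks an image filesystem for wheels under ensurepip/_bundled and reports any setuptools wheel older than 65.5.1, the fixed version named in the report. The directory tree, the pip wheel name and the simplified version parsing are constructed assumptions for the demo.

```python
import os
import re
import tempfile
from pathlib import Path

# Minimum fixed version taken from the issue: setuptools-65.5.1 is the
# release that addresses GHSA-r9hx-vwmv-q579, which 65.5.0 is flagged for.
MIN_FIXED = {"setuptools": (65, 5, 1)}

# Wheel filenames follow {name}-{version}(-{build})?-{py}-{abi}-{platform}.whl
_WHEEL_RE = re.compile(
    r"^(?P<name>[^-]+)-(?P<version>[^-]+)(?:-[^-]+)?-[^-]+-[^-]+-[^-]+\.whl$")


def parse_version(text):
    """Parse the dotted numeric release segment ('65.5.0') into an int tuple.
    Simplified on purpose: pre/post/dev suffixes are ignored, which is
    sufficient for the wheels ensurepip bundles."""
    release = re.match(r"\d+(?:\.\d+)*", text)
    if not release:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(p) for p in release.group(0).split("."))


def bundled_wheels(root):
    """Yield (name, version_tuple, path) for every wheel under ensurepip/_bundled."""
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        if d.name != "_bundled" or d.parent.name != "ensurepip":
            continue
        for fname in files:
            m = _WHEEL_RE.match(fname)
            if m:
                yield m["name"].lower(), parse_version(m["version"]), str(d / fname)


def find_outdated(root, minimums=MIN_FIXED):
    """Return bundled wheels whose version is below the known fixed version."""
    return [(name, ver, path) for name, ver, path in bundled_wheels(root)
            if name in minimums and ver < minimums[name]]


def demo():
    """Constructed tree mirroring the path quoted in the issue; returns findings."""
    with tempfile.TemporaryDirectory() as tmp:
        bundled = Path(tmp, "usr/local/lib/python3.10/ensurepip/_bundled")
        bundled.mkdir(parents=True)
        # Empty stand-in files (constructed); only the filenames matter here.
        for whl in ("setuptools-65.5.0-py3-none-any.whl", "pip-23.0.1-py3-none-any.whl"):
            (bundled / whl).touch()
        return [(name, ver) for name, ver, _ in find_outdated(tmp)]
```

Run `find_outdated("/")` inside a derivative image (or against an exported rootfs) to confirm whether the bundled wheel is still present after a base-image update.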

@tianon
Member

tianon commented Jan 19, 2024

Yep, we build from the latest published releases and try to keep any changes minimal.

See https://github.com/docker-library/python/blob/b273afc57978521d33fefe5887ad901d0d35de87/3.10/bookworm/Dockerfile for the current Dockerfile for python:3.10.

3 participants