Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

python312Packages.js2py: mark insecure #348943

Merged
merged 2 commits into from
Oct 17, 2024
Merged

python312Packages.js2py: mark insecure #348943

merged 2 commits into from
Oct 17, 2024

Conversation

ruby0b
Copy link
Contributor

@ruby0b ruby0b commented Oct 16, 2024

https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@ruby0b ruby0b mentioned this pull request Oct 16, 2024
Closed
13 tasks
@emilazy
Copy link
Member

emilazy commented Oct 16, 2024

Oh, that’s fun…

54 packages removed:
cassandra (†3.0.28) cassandra (†3.11.12) cassandra (†4.1.7) checkov (†3.2.266) python3.11-aiohomekit (†3.2.3) python3.11-amarna (†0.1.5) python3.11-ansible-compat (†24.9.1) python3.11-ansible-core (†2.17.4) python3.11-ansible-kernel (†1.0.0) python3.11-ansible-runner (†2.4.0) python3.11-ansible-vault-rw (†2.1.0) python3.11-awswrangler (†3.9.1) python3.11-bc-python-hcl2 (†0.4.2) python3.11-beancount-black (†1.0.5) python3.11-beancount-parser (†1.2.3) python3.11-beanhub-cli (†1.4.1) python3.11-beanhub-import (†1.0.3) python3.11-canmatrix (†1.0) python3.11-canopen (†2.3.0) python3.11-cassandra-driver (†3.29.1) python3.11-commentjson (†0.9.0) python3.11-dissect-cobaltstrike (†1.2.0) python3.11-django-js-reverse (†0.10.1-b1) python3.11-dragonfly (†0.35.0) python3.11-extract-msg (†0.50.1) python3.11-flake8-bugbear (†24.8.19) python3.11-gremlinpython (†3.7.1) python3.11-hypothesmith (†0.3.3) python3.11-ifcopenshell (†0.7.10) python3.11-js2py (†0.74) python3.11-jupysql (†0.10.13) python3.11-langchain (†0.3.1) python3.11-langchain-azure-dynamic-sessions (†0.2.0) python3.11-langchain-community (†0.3.1) python3.11-langchain-huggingface (†0.1.0) python3.11-langchain-mongodb (†0.2.0) python3.11-langchain-openai (†0.2.1) python3.11-lark (†1.1.9) python3.11-ldfparser (†0.25.0) python3.11-molecule (†24.9.0) python3.11-outlines (†0.0.46) python3.11-pycep-parser (†0.4.2) python3.11-pyocd (†0.36.0) python3.11-pyocd-pemicro (†1.1.5) python3.11-pytest-ansible (†24.9.0) python3.11-pytest-testinfra (†10.1.1) python3.11-python-hcl2 (†5.0.0) python3.11-python-ndn (†0.4.1) python3.11-pyzx (†0.8.0) python3.11-radish-bdd (†0.17.1) python3.11-resolvelib (†1.0.1) python3.11-rtfde (†0.1.2) python3.11-spsdk (†2.2.1) python3.11-tandoor-recipes (†1.5.19)

Looks like python3Packages.lark is predominantly to blame:

/nix/store/2wx36abf6im6flx2jrnb7npaglq4m6xm-cassandra-4.1.7.drv
└───/nix/store/wm8w1m4vg6bax8adigpjr64aywzxjyl5-python3.11-cassandra-driver-3.29.1.drv
    └───/nix/store/ba27rsmbz4qbiqbb3p9dnjgi24bil45a-python3.11-gremlinpython-3.7.1.drv
        └───/nix/store/70ibwl5iqz0lp4xh54rb60n5ig4l4v5k-python3.11-radish-bdd-0.17.1.drv
            └───/nix/store/vi31cjvmm6q7y38f1ha5a3nvhbb10bsl-python3.11-lark-1.1.9.drv
                └───/nix/store/100pmiak2sd3ilx1hwasf3gvzzhhm8bw-python3.11-js2py-0.74.drv

/nix/store/ss01bga6ivdbgwb5a5iyij3ik0glcs9h-python3.11-langchain-0.3.1.drv
└───/nix/store/vi31cjvmm6q7y38f1ha5a3nvhbb10bsl-python3.11-lark-1.1.9.drv
    └───/nix/store/100pmiak2sd3ilx1hwasf3gvzzhhm8bw-python3.11-js2py-0.74.drv

/nix/store/ax3z7mkrf8rjv88p342lk39a2nb4a7xc-python3.11-beanhub-cli-1.4.1.drv
└───/nix/store/jcr1sral909pxwq5i7s0laf18hzl7z6p-python3.11-beancount-parser-1.2.3.drv
    └───/nix/store/vi31cjvmm6q7y38f1ha5a3nvhbb10bsl-python3.11-lark-1.1.9.drv
        └───/nix/store/100pmiak2sd3ilx1hwasf3gvzzhhm8bw-python3.11-js2py-0.74.drv

/nix/store/2calla3zwx8vbyk8a7pwx1w7vil0zdjz-python3.11-flake8-bugbear-24.8.19.drv
└───/nix/store/gi99qhzhqg34b8gdgix8rpb2gffd3zgh-python3.11-hypothesmith-0.3.3.drv
    └───/nix/store/vi31cjvmm6q7y38f1ha5a3nvhbb10bsl-python3.11-lark-1.1.9.drv
        └───/nix/store/100pmiak2sd3ilx1hwasf3gvzzhhm8bw-python3.11-js2py-0.74.drv

It’s only used for tests. Could you strip out the dependency and just do doCheck = false; there? The other users, python3Packages.{pyjsparser,django-js-reverse,jupysql}, also only use them for tests, but it doesn’t seem like they break nearly as many packages – if we handle python3Packages.lark then I think we could backport this to 24.05 and perhaps you could remove all the other references and the package itself in another PR to master if you felt like it.

@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Oct 16, 2024
@ruby0b
Copy link
Contributor Author

ruby0b commented Oct 17, 2024

done! btw, how did you get the output telling you which packages were removed by the PR?

@ofborg ofborg bot requested a review from drewrisinger October 17, 2024 03:27
@ofborg ofborg bot added 10.rebuild-darwin: 11-100 10.rebuild-linux: 11-100 and removed 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Oct 17, 2024
emilazy
emilazy approved these changes Oct 17, 2024
View reviewed changes
Copy link
Member

@emilazy emilazy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The output is from nixpkgs-review. Looks a lot better now, thanks:

50 packages updated:
cassandra cassandra cassandra checkov python3.11-aiohomekit python3.11-amarna python3.11-ansible-compat python3.11-ansible-core python3.11-ansible-kernel python3.11-ansible-runner python3.11-ansible-vault-rw python3.11-awswrangler python3.11-bc-python-hcl2 python3.11-beancount-black python3.11-beancount-parser python3.11-beanhub-cli python3.11-beanhub-import python3.11-canmatrix python3.11-canopen python3.11-cassandra-driver python3.11-commentjson python3.11-dissect-cobaltstrike python3.11-dragonfly python3.11-extract-msg python3.11-flake8-bugbear python3.11-gremlinpython python3.11-hypothesmith python3.11-ifcopenshell python3.11-langchain python3.11-langchain-azure-dynamic-sessions python3.11-langchain-community python3.11-langchain-huggingface python3.11-langchain-mongodb python3.11-langchain-openai python3.11-lark python3.11-ldfparser python3.11-molecule python3.11-outlines python3.11-pycep-parser python3.11-pyocd python3.11-pyocd-pemicro python3.11-pytest-ansible python3.11-pytest-testinfra python3.11-python-hcl2 python3.11-python-ndn python3.11-pyzx python3.11-radish-bdd python3.11-resolvelib python3.11-rtfde python3.11-spsdk

4 packages removed:
python3.11-django-js-reverse (†0.10.1-b1) python3.11-js2py (†0.74) python3.11-jupysql (†0.10.13) python3.11-tandoor-recipes (†1.5.19)

Result of nixpkgs-review pr 348943 run on aarch64-linux 1

96 packages built:
  • cassandra
  • cassandra_3_0
  • cassandra_3_11
  • checkov
  • checkov.dist
  • python311Packages.aiohomekit
  • python311Packages.aiohomekit.dist
  • python311Packages.amarna
  • python311Packages.amarna.dist
  • python311Packages.ansible-compat
  • python311Packages.ansible-compat.dist
  • python311Packages.ansible-core
  • python311Packages.ansible-core.dist
  • python311Packages.ansible-kernel
  • python311Packages.ansible-kernel.dist
  • python311Packages.ansible-runner
  • python311Packages.ansible-runner.dist
  • python311Packages.ansible-vault-rw
  • python311Packages.ansible-vault-rw.dist
  • python311Packages.awswrangler
  • python311Packages.awswrangler.dist
  • python311Packages.bc-python-hcl2
  • python311Packages.bc-python-hcl2.dist
  • python311Packages.beancount-black
  • python311Packages.beancount-black.dist
  • python311Packages.beancount-parser
  • python311Packages.beancount-parser.dist
  • python311Packages.beanhub-cli
  • python311Packages.beanhub-cli.dist
  • python311Packages.beanhub-import
  • python311Packages.beanhub-import.dist
  • python311Packages.canmatrix
  • python311Packages.canmatrix.dist
  • python311Packages.canopen
  • python311Packages.canopen.dist
  • python311Packages.cassandra-driver
  • python311Packages.cassandra-driver.dist
  • python311Packages.commentjson
  • python311Packages.commentjson.dist
  • python311Packages.dissect-cobaltstrike
  • python311Packages.dissect-cobaltstrike.dist
  • python311Packages.dragonfly
  • python311Packages.dragonfly.dist
  • python311Packages.extract-msg
  • python311Packages.extract-msg.dist
  • python311Packages.flake8-bugbear
  • python311Packages.flake8-bugbear.dist
  • python311Packages.gremlinpython
  • python311Packages.gremlinpython.dist
  • python311Packages.hypothesmith
  • python311Packages.hypothesmith.dist
  • python311Packages.ifcopenshell
  • python311Packages.langchain
  • python311Packages.langchain-azure-dynamic-sessions
  • python311Packages.langchain-azure-dynamic-sessions.dist
  • python311Packages.langchain-community
  • python311Packages.langchain-community.dist
  • python311Packages.langchain-huggingface
  • python311Packages.langchain-huggingface.dist
  • python311Packages.langchain-mongodb
  • python311Packages.langchain-mongodb.dist
  • python311Packages.langchain-openai
  • python311Packages.langchain-openai.dist
  • python311Packages.langchain.dist
  • python311Packages.lark
  • python311Packages.lark.dist
  • python311Packages.ldfparser
  • python311Packages.ldfparser.dist
  • python311Packages.molecule
  • python311Packages.molecule.dist
  • python311Packages.outlines
  • python311Packages.outlines.dist
  • python311Packages.pycep-parser
  • python311Packages.pycep-parser.dist
  • python311Packages.pyocd
  • python311Packages.pyocd-pemicro
  • python311Packages.pyocd-pemicro.dist
  • python311Packages.pyocd.dist
  • python311Packages.pytest-ansible
  • python311Packages.pytest-ansible.dist
  • python311Packages.pytest-testinfra
  • python311Packages.pytest-testinfra.dist
  • python311Packages.python-hcl2
  • python311Packages.python-hcl2.dist
  • python311Packages.python-ndn
  • python311Packages.python-ndn.dist
  • python311Packages.pyzx
  • python311Packages.pyzx.dist
  • python311Packages.radish-bdd
  • python311Packages.radish-bdd.dist
  • python311Packages.resolvelib
  • python311Packages.resolvelib.dist
  • python311Packages.rtfde
  • python311Packages.rtfde.dist
  • python311Packages.spsdk
  • python311Packages.spsdk.dist

I’ll merge this and get it backported to 24.05. Would you be up for another PR that removes it from its other users and drops the package entirely? Probably best to not keep around a vulnerable package that doesn’t work with the default Python version we’re about to ship in 24.11. If not, no worries; it’s marked as vulnerable now so at least the risk is dealt with.

@emilazy emilazy added 1.severity: security Issues which raise a security issue, or PRs that fix one backport release-24.05 labels Oct 17, 2024
@emilazy emilazy merged commit 0228959 into NixOS:master Oct 17, 2024
28 checks passed
@github-actions GitHub Actions
Copy link
Contributor

Successfully created backport PR for release-24.05:

@github-actions github-actions bot mentioned this pull request Oct 17, 2024
Merged
1 task
@ruby0b ruby0b mentioned this pull request Oct 18, 2024
Merged
13 tasks
@ruby0b
Copy link
Contributor Author

ruby0b commented Oct 18, 2024

#349550

@dotlambda
Copy link
Member

4 packages removed:
python3.11-django-js-reverse (†0.10.1-b1) python3.11-js2py (†0.74) python3.11-jupysql (†0.10.13) python3.11-tandoor-recipes (†1.5.19)

Please backport the change unbreaking these packages: #351433

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@emilazy emilazy emilazy approved these changes

@drewrisinger drewrisinger Awaiting requested review from drewrisinger

Assignees
No one assigned
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 6.topic: python 10.rebuild-darwin: 11-100 10.rebuild-linux: 11-100
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ruby0b @emilazy @dotlambda