Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

how critical is WHEEL_INFO_RE DoS threat? #481

Closed
GliderGeek opened this issue Nov 1, 2022 · 8 comments
Closed

how critical is WHEEL_INFO_RE DoS threat? #481

GliderGeek opened this issue Nov 1, 2022 · 8 comments

Comments

@GliderGeek
Copy link

In the release notes i read that the newest version 0.38.0 addresses a DoS vulnerability via the WHEEL_INFO_RE regular expression. can someone shine some light on the vulnerability: how can one be affected? what's the effect when affected? a short search didn't help me.

This later version is yanked due to circular dependency problems, so i would like to know what actions i can and should take.

thanks in advance!

@agronholm
Copy link
Contributor

If it works for you, you can use wheel==0.38.0 in your build requirements. I've had to yank a lot of releases lately because no matter what I do, it always seems to break after release.

As for the vulnerability: unless you're trying to use wheel as a library (which you shouldn't anyway), you shouldn't be affected.

@daniel-kun
Copy link

Hey there!

wheel <0.38.0 is listed as vulnerable on https://pyupio.github.io/safety-db/, essentially rendering every python environment insecure now, according to PyUp Safety (which is used by pipenv check, for example).

See:

docker run -it --entrypoint bash python:3.10-slim
> pip install pipenv
> pipenv check && echo 'your environment is secure' || echo 'your environment is insecure'

yields:

Checking PEP 508 requirements...
Passed!
Checking installed package safety...
51499: wheel <0.38.0 resolved (0.37.1 installed)!
Wheel 0.38.0 fixes a potential DoS attack via the 'WHEEL_INFO_RE' regular expression.

your environment is insecure

So people are left with no option here.

My recommendation: Back-port the fix regarding WHEEL_INFO_RE to 0.37 and release a 0.37.2.

If I can be of any help here, please tell me what I can do!

@plumdog
Copy link

plumdog commented Nov 2, 2022

I just found this too, my fix was to replace:

pipenv check

with

pipenv check -i 51499

which still runs the check, but ignores this particular issue, as - at present, as I understand it - there is no actual fix.

@pfmoore
Copy link
Member

pfmoore commented Nov 2, 2022

So people are left with no option here.

See the comment above from the maintainer: unless you're trying to use wheel as a library (which you shouldn't anyway), you shouldn't be affected.

So the answer is to simply ignore the vulnerability as it doesn't apply to you (or if it does, you're using wheel in an unsupported way, so you have other issues to worry about...)

@daniel-kun
Copy link

@pfmoore @plumdog You're both absolutely right, of course ignoring that particular issue is a valid option. :-)
Sorry for being overdramatic, that was not my intention.

@agronholm even mentioned a second option that you have, e.g. pinning wheel to explicitly 0.38.0. When you do that, however, you will be forced to take action once this issue is resolved, because otherwise you will not get any updates.

@daniel-kun
Copy link

However, the back-port of the issue - and the update of the PyUp Safety DB - is the most reliable solution to this.

The fix seemed to be trivial, judging from the commit: Fixed potential DoS attack via WHEEL_INFO_RE.

I guess the release procedure is the bigger effort.

I wonder how the entry landed in PyUp Safety DB in the first place. Maybe they scrape commit messages for keywords like "DoS"?

@agronholm
Copy link
Contributor

Closing due to the fix being released in v0.38.1.

@kenahoo
Copy link

kenahoo commented Jan 9, 2023

Describing this as a fix for a potential DoS attack seems iffy at best. This is just speeding up a regex in normal ways (by avoiding backtracking), I don't see any evidence presented that this was a viable attack vector.

Somewhat annoyed by this, since I just spent a bunch of time patching environments due to what I (so far) feel like was a non-issue, but I had to for compliance reasons. If it's a real issue, can someone explain? I would like more understanding than "this probably doesn't affect you".

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

6 participants