[Git][security-tracker-team/security-tracker][master] CVE-2022-21797 still affects joblib in buster
Helmut Grohne (@helmutg)
helmutg at debian.org
Tue Dec 6 14:13:45 GMT 2022
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5d4c2566 by Helmut Grohne at 2022-12-06T15:13:31+01:00
CVE-2022-21797 still affects joblib in buster
The update to joblib included two fixes. The first attempt was
restricting variables for eval and the second one did away with eval.
While unstable has the second iteration, buster got the eval version and
that one is still vulnerable. Exploit:
eval("[x for x in 42 .__class__.__mro__[1].__subclasses__() if x.__name__ == 'BuiltinImporter'][0]().load_module('os').system('id')", {"__builtins__": {}}, {})
- - - - -
2 changed files:
- data/CVE/list
- data/DLA/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -60433,12 +60433,13 @@ CVE-2022-21803 (This affects the package nconf before 0.11.4. When using the mem
CVE-2022-21802 (The package grapesjs before 0.19.5 are vulnerable to Cross-site Script ...)
NOT-FOR-US: grapejs
CVE-2022-21797 (The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary ...)
- {DLA-3193-1}
- joblib 1.2.0-1 (bug #1020820)
[bullseye] - joblib <no-dsa> (Minor issue)
+ [buster] - joblib <no-dsa> (Minor issue, the fix from +deb10u1 is incomplete)
NOTE: https://github.com/joblib/joblib/issues/1128
NOTE: https://github.com/joblib/joblib/pull/1321
- NOTE: https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059 (1.2.0)
+ NOTE: vulnerable patch https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059 (1.2.0)
+ NOTE: better fix https://github.com/joblib/joblib/pull/1327
NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033
CVE-2022-21235 (The package github.com/masterminds/vcs before 1.13.3 are vulnerable to ...)
NOT-FOR-US: github.com/masterminds/vcs
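Review bot: dropping the `{DLA-3193-1}` line removes the only link from the CVE entry to the advisory that was already published for it, so a reader of the CVE entry can no longer see that buster received a partial fix without going to the commit log. Consider keeping a NOTE alongside the new `[buster] - joblib <no-dsa> (Minor issue, the fix from +deb10u1 is incomplete)` line that records that DLA-3193-1 shipped the eval-restricting patch (the commit marked "vulnerable patch" in this hunk) and that the better fix is PR 1327, so the advisory history stays visible in the entry itself.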
=====================================
data/DLA/list
=====================================
@@ -97,7 +97,6 @@
{CVE-2021-37706 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301 CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845 CVE-2021-46837 CVE-2022-21722 CVE-2022-21723 CVE-2022-23608 CVE-2022-24763 CVE-2022-24764 CVE-2022-24786 CVE-2022-24792 CVE-2022-24793 CVE-2022-26498 CVE-2022-26499 CVE-2022-26651}
[buster] - asterisk 1:16.28.0~dfsg-0+deb10u1
[17 Nov 2022] DLA-3193-1 joblib - security update
- {CVE-2022-21797}
[buster] - joblib 0.13.0-2+deb10u1
[17 Nov 2022] DLA-3192-1 lava - security update
{CVE-2022-42902}
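Review bot: removing `{CVE-2022-21797}` leaves the DLA-3193-1 entry with no CVE line at all, only the `[buster] - joblib 0.13.0-2+deb10u1` line under the date header. Confirm the list parser accepts an advisory entry without a braces line before merging, and, since the advisory itself was published and cannot be unpublished, consider whether the entry should keep a note that it addressed CVE-2022-21797 incompletely rather than appear to have addressed nothing.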
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d4c2566e5ff7fbb12aa80730d49c7085ac77466