Vulnerability CVE-2019-20907

[kaos]

We've got a number hits on reported vulnerabilities for pex. I'll put them up one issue per vulnerability, so they can be addressed one at a time.

In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

https://nvd.nist.gov/vuln/detail/CVE-2019-20907

Excerpt from our report:

The application is vulnerable by using this component.

NOTE: The project has bundled the vulnerable file tools/Lib/site-packages/pip/_vendor/distlib/_backport/tarfile.py in fixed versions. If using fixed versions 3.8.5 and above (for 3.8.x branch), or 3.9.0-b5 and above (for 3.9.x branch), you are only vulnerable if using this vulnerable file in your application.

[jsirois]

Who is the "our" you're referring to? Pex is not signed up for any such reports that I'm aware of (though probably should be). Further, for vendored dists like Pip there is likely little to do. It will not be upgraded until Python 2.7 support is officially dropped by Pex which leaves only cherry-picking fixes, if they exist, from mainline Pip.

Can you give more background on why you've posted these CVEs against vendored Pip in Pex and what you'd like to see done wholistically? Do you intend to kick off a phase in Pex's development where we install a CRONed scanner and commit to acting on it, etc?

[kaos]

Apologies for being vague. This popped up from a security scan done by the installation of Nexus at my employer.

I felt like doing something, as the lifecycle management feature of Nexus put pex in quarantine (internally), due to these vulnerabilities.

I've not spent any time trying to understand how to mitigate or resolve these issues, just dumped them in your lap with a warm hand as a FYI in case there's any news in here. Feel free to close them as "won't do", or whatever feels appropriate. (I've released pex from our internal quarantine, so it's not a blocker for us)

[jsirois]

Aha, ok. Since you're a Pantsbuild maintainer I thought the "we" might be referring to Pex. Gotcha.

[jsirois]

Ok, finally got the Pip upgrade in a bit ago. I'll close all 3 of these CVE bugs you filed with some standard verbage since they all involve vendored Pip code. You do have to use that code 1 time to upgrade Pip on each machine you run Pex on similar to how you'd run pip install -U pip to upgrade a vulnerable venv. So the solution isn't pure, but I'll presume and let you re-open if this is not acceptable.

[jsirois]

With the release of Pex 2.1.104 there is now the option to use --pip-version 22.2.2 which will have the vendored Pip used 1 time to download the 22.2.2 version of Pip which will be used from then forward whenever --pip=version 22.2.2 is specified. This is much akin to pip install -U pip.

[kaos]

Thx, sounds good enough to me.

[jsirois]

I'll re-open and let #3057 re-close this with the release of Pex 2.77.0 with the caveat, as explained in #2785 (comment) of vendored pip only being elided if you are installing Pex for a Python>=3.12 venv.