python icon indicating copy to clipboard operation
python copied to clipboard

Published 20 hours ago verified publisher icon docker-library

Vulnerability in Python 3.10 (setuptools inside ensurepip folder)

Open bhupendra-vaishnav opened this issue 1 year ago • 6 comments

We are working on Python 3.10 and found vulnerable version of setuptools package which is setuptools-65.5.0.

We did see Python 3.10 already has a fix for setuptools package and updated version of setuptools package which is setuptools-65.5.1. Though while doing analysis, we found the traces of vulnerable version inside ensurepip folder.

Please refer absolute file paths highlighted by blue in attached screenshot :

Screenshot 2024-01-19 at 3 49 22 PM

Vulnerability reference : https://github.com/advisories/GHSA-r9hx-vwmv-q579

CC: @samruddhikhandale, @eljog, @gauravsaini04

bhupendra-vaishnav avatar Jan 19 '24 23:01 bhupendra-vaishnav

./usr/local/lib/python3.10/ensurepip/_bundled/setuptools-65.5.0-py3-none-any.whl

As ensurepip module is part of pip, does the Python image needs an update for the pip package as well?

We use the python image as base for the dev container images which are getting flagged with the setuptools vulnerability in our scanners.

We appreciate the quick fix for https://github.com/docker-library/python/pull/783, hoping to get this resolved as well. Thank you!

// cc @tianon

samruddhikhandale avatar Jan 19 '24 23:01 samruddhikhandale

The ensurepip module is part of Python's own stdlib (which is thus where this is coming from), not pip :sob:

tianon avatar Jan 19 '24 23:01 tianon

Hmmm. @tianon Is there any way to patch this? 🤔

samruddhikhandale avatar Jan 19 '24 23:01 samruddhikhandale

I'm sure there's a way -- the best one would be for Python upstream to do new releases with the updated setuptools bundled (because this really isn't a Docker-specific problem -- it just looks like one because we seem to be one of the few parties publishing builds of their sources fairly "vanilla"). I don't know what the likelihood of that happening is, though.

For your builds, it would probably be pretty reasonable to purge the ensurepip module completely from your derivative images, but I must admit I don't know how common ensurepip is for users to actually use.

tianon avatar Jan 19 '24 23:01 tianon

For your builds, it would probably be pretty reasonable to purge the ensurepip module completely from your derivative images, but I must admit I don't know how common ensurepip is for users to actually use.

Removing ensurepip could break the ability to bootstrap pip into new virtual environments created with venv (a tool for creating isolated Python environments), or other systems that rely on ensurepip to ensure pip is available. Hence, I don't think we should remove ensurepip from our images.

it just looks like one because we seem to be one of the few parties publishing builds of their sources fairly "vanilla"

@tianon Is the python image always build with latest builds of Python?

@bhupendra-vaishnav can you raise this issue in https://github.com/python/cpython and request them to update their ensurepip bundle?

samruddhikhandale avatar Jan 19 '24 23:01 samruddhikhandale

Yep, we build from the latest published releases and try to keep any changes minimal.

See https://github.com/docker-library/python/blob/b273afc57978521d33fefe5887ad901d0d35de87/3.10/bookworm/Dockerfile for the current Dockerfile for python:3.10.

tianon avatar Jan 19 '24 23:01 tianon

I think this issue should be closed as wontfix, given that the fix should come from upstream (as the wheel in the ensurepip folder comes from upstream).

edmorley avatar Aug 24 '24 15:08 edmorley