Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5d4c2566 by Helmut Grohne at 2022-12-06T15:13:31+01:00
CVE-2022-21797 still affects joblib in buster
The update to joblib included two fixes. The first attempt was
restricting variables for eval and the second one did away with eval.
While unstable has the second iteration, buster got the eval version and
that one is still vulnerable. Exploit:
eval("[x for x in 42 .__class__.__mro__[1].__subclasses__() if x.__name__ == 'BuiltinImporter'][0]().load_module('os').system('id')", {"__builtins__": {}}, {})
- - - - -
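The commit message contrasts two repair strategies: stripping `__builtins__` from `eval()` (the buster backport) versus not calling `eval()` at all (the fix carried in unstable). The example below is added here to illustrate that contrast in working code; it is not joblib's code and does not reproduce the upstream patches. It assumes a `pre_dispatch`-style parameter that is either an integer or a small arithmetic expression over a single variable `n_jobs`, and the allowed operator set is my own choice for the illustration. `restricted_eval` is the weak pattern: attribute access on ordinary objects still works with builtins removed. `safe_eval_arith` replaces `eval()` with an `ast` walk that accepts nothing but numbers, the named variable, unary sign and a fixed set of binary operators, so attribute chains, subscripts, calls and comprehensions are rejected before anything is executed.

```python
import ast
import operator

# Binary operators a pre_dispatch-style expression is allowed to use.
# Exponentiation is deliberately absent: "2**100000000" would be a cheap
# way to stall the evaluator. (Operator set is an assumption for this
# illustration, not joblib's.)
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv,
    ast.Div: operator.truediv,
}


class UnsafeExpression(ValueError):
    """Raised for any syntax outside the arithmetic allow-list."""


def restricted_eval(expr, n_jobs):
    """The weak pattern: eval() with builtins stripped. Names like __import__
    are gone, but attribute access on any reachable object is untouched, so
    the object graph (__class__, __mro__, __subclasses__) is still walkable."""
    return eval(expr, {"__builtins__": {}}, {"n_jobs": n_jobs})


def safe_eval_arith(expr, variables):
    """Evaluate expr without eval(): parse to an AST and interpret only
    numeric literals, names listed in `variables`, unary +/- and _BIN_OPS.
    Every other node type raises UnsafeExpression."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as e:
        raise UnsafeExpression(f"not a valid expression: {expr!r}") from e

    def visit(node):
        if isinstance(node, ast.Expression):
            return visit(node.body)
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.Name):
            if node.id in variables:
                return variables[node.id]
            raise UnsafeExpression(f"unknown name {node.id!r}")
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.UAdd, ast.USub)):
            value = visit(node.operand)
            return value if isinstance(node.op, ast.UAdd) else -value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](visit(node.left), visit(node.right))
        # Attribute, Subscript, Call, ListComp, Lambda, ... all land here.
        raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")

    return visit(tree)


def parse_pre_dispatch(pre_dispatch, n_jobs):
    """Resolve a pre_dispatch-like parameter (int or expression string)
    to an int using the allow-list evaluator."""
    if isinstance(pre_dispatch, int):
        return pre_dispatch
    return int(safe_eval_arith(pre_dispatch, {"n_jobs": n_jobs}))


def rejects(expr, n_jobs=4):
    """True if the allow-list evaluator refuses expr; used to check that
    the syntax classes behind sandbox escapes never reach execution."""
    try:
        safe_eval_arith(expr, {"n_jobs": n_jobs})
    except UnsafeExpression:
        return True
    return False


if __name__ == "__main__":
    # Legitimate input works in both variants.
    print(restricted_eval("2*n_jobs", 4), parse_pre_dispatch("2*n_jobs", 4))
    # Attribute access survives builtins removal but is rejected by the AST walk.
    print(restricted_eval("n_jobs.__class__.__name__", 4), rejects("n_jobs.__class__"))
```

The point of the comparison is that the security property comes from what the evaluator can express, not from what names happen to be in scope: `restricted_eval("n_jobs.__class__.__name__", 4)` still returns `'int'`, whereas the allow-list evaluator rejects the same string as soon as it meets an `Attribute` node.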
2 changed files:
- data/CVE/list
- data/DLA/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -60433,12 +60433,13 @@ CVE-2022-21803 (This affects the package nconf before
0.11.4. When using the mem
CVE-2022-21802 (The package grapesjs before 0.19.5 are vulnerable to
Cross-site Script ...)
NOT-FOR-US: grapejs
CVE-2022-21797 (The package joblib from 0 and before 1.2.0 are vulnerable to
Arbitrary ...)
- {DLA-3193-1}
- joblib 1.2.0-1 (bug #1020820)
[bullseye] - joblib <no-dsa> (Minor issue)
+ [buster] - joblib <no-dsa> (Minor issue, the fix from +deb10u1 is
incomplete)
NOTE: https://github.com/joblib/joblib/issues/1128
NOTE: https://github.com/joblib/joblib/pull/1321
- NOTE:
https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059
(1.2.0)
+ NOTE: vulnerable patch
https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059
(1.2.0)
+ NOTE: better fix https://github.com/joblib/joblib/pull/1327
NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033
CVE-2022-21235 (The package github.com/masterminds/vcs before 1.13.3 are
vulnerable to ...)
NOT-FOR-US: github.com/masterminds/vcs
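Review bot: the `NOTE: https://github.com/joblib/joblib/pull/1321` line is now the only upstream reference in this entry without an annotation, while the b90f10ef commit note is marked "vulnerable patch" and PR 1327 "better fix"; tag it the same way (whichever of the two fixes it belongs to) so a reader can tell which upstream change the incomplete +deb10u1 backport corresponds to without opening the links. The new `[buster] - joblib <no-dsa> (Minor issue, ...)` line is consistent with the existing bullseye entry, so no objection there.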
=====================================
data/DLA/list
=====================================
@@ -97,7 +97,6 @@
{CVE-2021-37706 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301
CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845 CVE-2021-46837
CVE-2022-21722 CVE-2022-21723 CVE-2022-23608 CVE-2022-24763 CVE-2022-24764
CVE-2022-24786 CVE-2022-24792 CVE-2022-24793 CVE-2022-26498 CVE-2022-26499
CVE-2022-26651}
[buster] - asterisk 1:16.28.0~dfsg-0+deb10u1
[17 Nov 2022] DLA-3193-1 joblib - security update
- {CVE-2022-21797}
[buster] - joblib 0.13.0-2+deb10u1
[17 Nov 2022] DLA-3192-1 lava - security update
{CVE-2022-42902}
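Review bot: removing `{CVE-2022-21797}` leaves the DLA-3193-1 entry with no CVE set at all, unlike every neighbouring DLA entry in this hunk; confirm the tracker's parser accepts a DLA header followed directly by the `[buster] - joblib 0.13.0-2+deb10u1` line, and consider adding a short remark (as the CVE/list side now does) that this upload shipped the incomplete eval-restricting fix, so the DLA's purpose stays visible now that it references no CVE.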
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d4c2566e5ff7fbb12aa80730d49c7085ac77466
--
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits