Bug 13283

Summary: [CVE 21] nuitka 0.6.8.3 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: critical
Priority: High
CC: a.proklov, e.malashin, m.novosyolov, s.matveev, v.potapov, y.tumanov
Version: All
Flags: v.potapov: qa_verified+; y.tumanov: secteam_verified+; a.proklov: published+
Target Milestone: 2021.1 Fresh R12
Hardware: All
OS: Linux
URL: CVE-2022-2054
Whiteboard:
Platform: 2021.1 ROSA
Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Yury 2023-05-03 18:01:07 MSK
Please patch CVEs for package nuitka version 0.6.8.3

INFO (CVEs are): nuitka 0.6.8.3 CVEs found
CVE-2022-2054
Desc: Command Injection in GitHub repository nuitka/nuitka prior to 0.9.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-2054
Severity: HIGH
Comment 1 Mikhail Novosyolov 2023-05-15 15:05:56 MSK
It is unclear who needs this package, although I myself added it to main 3 years ago.
It will probably just move to contrib or be dropped.
But it can be updated.
Comment 2 Svyatoslav Matveev 2023-05-17 13:46:12 MSK
********** QA ADVISORY **********

The CVE is closed by the update.

To pass the tests I had to update:
python-ordered-set
and add the new project python-zstandard.

*** python-ordered-set
**  upd: 4.0.2 -> 4.1.0 (merge rosa2023.1)

https://abf.io/build_lists/4440921
https://abf.io/build_lists/4440922
https://abf.io/build_lists/4440920
https://abf.io/build_lists/4440923
https://abf.io/build_lists/4440924

*** new project ***
*** python-zstandard
**  version 0.19.0

https://abf.io/build_lists/4440886
https://abf.io/build_lists/4440888
https://abf.io/build_lists/4440884
https://abf.io/build_lists/4440889
https://abf.io/build_lists/4440891

*** nuitka
**  upd: 0.6.8.3 -> 1.5

https://abf.io/build_lists/4440925
https://abf.io/build_lists/4440926
https://abf.io/build_lists/4440927
https://abf.io/build_lists/4440928
https://abf.io/build_lists/4440929
Comment 3 e.malashin@rosalinux.ru 2023-05-18 16:43:46 MSK
(In reply to Svyatoslav Matveev from comment #2)
> ********** QA ADVISORY **********
> 
> The CVE is closed by the update.
> 
> To pass the tests I had to update:
> python-ordered-set
> and add the new project python-zstandard.
> 
> *** python-ordered-set
> **  upd: 4.0.2 -> 4.1.0 (merge rosa2023.1)
> 
> https://abf.io/build_lists/4440921
> https://abf.io/build_lists/4440922
> https://abf.io/build_lists/4440920
> https://abf.io/build_lists/4440923
> https://abf.io/build_lists/4440924
> 
> *** new project ***
> *** python-zstandard
> **  version 0.19.0
> 
> https://abf.io/build_lists/4440886
> https://abf.io/build_lists/4440888
> https://abf.io/build_lists/4440884
> https://abf.io/build_lists/4440889
> https://abf.io/build_lists/4440891
> 
> *** nuitka
> **  upd: 0.6.8.3 -> 1.5
> 
> https://abf.io/build_lists/4440925
> https://abf.io/build_lists/4440926
> https://abf.io/build_lists/4440927
> https://abf.io/build_lists/4440928
> https://abf.io/build_lists/4440929

Add lib64python3-devel and gcc as dependencies of nuitka; without them the program gives errors:

Nuitka-Options:INFO: Used command line options: nuitka.py
Nuitka-Options:WARNING: You did not specify to follow or include anything but main program. Check options and make sure that is intended.
Nuitka:INFO: Starting Python compilation with Nuitka '1.5' on Python '3.8' commercial grade 'not installed'.
Nuitka:INFO: Completed Python level compilation and optimization.
Nuitka:INFO: Generating source code for C backend compiler.
Nuitka:INFO: Running data composer tool for optimal constant value handling.
Nuitka:INFO: Running C compilation via Scons.
FATAL: Error, cannot locate suitable C compiler.
------------
Nuitka-Options:INFO: Used command line options: nuitka.py
Nuitka-Options:WARNING: You did not specify to follow or include anything but main program. Check options and make sure that is intended.
Nuitka:INFO: Starting Python compilation with Nuitka '1.5' on Python '3.8' commercial grade 'not installed'.
Nuitka:INFO: Completed Python level compilation and optimization.
Nuitka:INFO: Generating source code for C backend compiler.
Nuitka:INFO: Running data composer tool for optimal constant value handling.
Nuitka:INFO: Running C compilation via Scons.
Nuitka-Scons:INFO: Backend C compiler: gcc (gcc).
FATAL: Error, no 'Python.h' development headers can be found at '['/usr/include/python3.8', '/usr/develop/headers/python3.8']', dependency not satisfied!
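Added example, not part of the bug report or of the nuitka project: a POSIX shell pre-flight check for the two build dependencies the two FATAL lines above show nuitka failing on when they are absent, a C compiler on PATH and the CPython development headers (Python.h). The function names, the script file name and the use of Python's sysconfig to locate the include directory are assumptions made here; the package names gcc and python3-devel are the ones named in this thread.

```shell
#!/bin/sh
# Added example (not from the bug report): pre-flight check for the C build
# dependencies nuitka needs. Function names below are assumptions made here.

# Return 0 if a C compiler is on PATH ($CC first, then gcc, cc, clang).
have_c_compiler() {
    for cc in "${CC:-}" gcc cc clang; do
        if [ -n "$cc" ] && command -v "$cc" >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}

# Print the include directory in which the running python3 expects Python.h
# (the location the "no 'Python.h' development headers" error refers to).
python_include_dir() {
    python3 -c 'import sysconfig; print(sysconfig.get_paths()["include"])'
}

# Return 0 if Python.h exists in the given directory (default: the running
# interpreter's own include directory), 1 otherwise.
have_python_headers() {
    inc=${1:-$(python_include_dir)} || return 1
    [ -n "$inc" ] && [ -f "$inc/Python.h" ]
}

# Run both checks, print one line per dependency and return non-zero if
# anything is missing, so the function can gate a package build or a CI job.
# An optional argument overrides the include directory to inspect.
check_nuitka_build_deps() {
    status=0
    if have_c_compiler; then
        echo "ok: C compiler found"
    else
        echo "missing: no C compiler on PATH (package gcc)"
        status=1
    fi
    if have_python_headers "$@"; then
        echo "ok: Python.h found"
    else
        echo "missing: Python.h not found (package python3-devel)"
        status=1
    fi
    return "$status"
}

# Run the check only when executed directly under the assumed file name,
# so the functions can also be sourced from another script.
if [ "${0##*/}" = "check_nuitka_build_deps.sh" ]; then
    check_nuitka_build_deps
fi
```

Saved as check_nuitka_build_deps.sh and run on a host with only the nuitka package installed, the script reports both missing packages at once instead of failing on the compiler first and on Python.h only after gcc has been added, which is the two-step failure shown in the logs above.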
Comment 4 Svyatoslav Matveev 2023-05-19 13:26:02 MSK
> Add lib64python3-devel and gcc as dependencies of nuitka; without them the program
> gives errors:
> 
> Nuitka-Options:INFO: Used command line options: nuitka.py
> Nuitka-Options:WARNING: You did not specify to follow or include anything
> but main program. Check options and make sure that is intended.
> Nuitka:INFO: Starting Python compilation with Nuitka '1.5' on Python '3.8'
> commercial grade 'not installed'.
> 
> Nuitka:INFO: Completed Python level compilation and optimization.
> Nuitka:INFO: Generating source code for C backend compiler.
> Nuitka:INFO: Running data composer tool for optimal constant value handling.
> Nuitka:INFO: Running C compilation via Scons.
> FATAL: Error, cannot locate suitable C compiler.
> ------------
> Nuitka-Options:INFO: Used command line options: nuitka.py
> Nuitka-Options:WARNING: You did not specify to follow or include anything
> but main program. Check options and make sure that is intended.
> Nuitka:INFO: Starting Python compilation with Nuitka '1.5' on Python '3.8'
> commercial grade 'not installed'.
> Nuitka:INFO: Completed Python level compilation and optimization.
> Nuitka:INFO: Generating source code for C backend compiler.
> Nuitka:INFO: Running data composer tool for optimal constant value handling.
> Nuitka:INFO: Running C compilation via Scons.
> Nuitka-Scons:INFO: Backend C compiler: gcc (gcc).
> FATAL: Error, no 'Python.h' development headers can be found at
> '['/usr/include/python3.8', '/usr/develop/headers/python3.8']', dependency
> not satisfied!


Added gcc and python3-devel

https://abf.io/build_lists/4441824
https://abf.io/build_lists/4441823
https://abf.io/build_lists/4441822
https://abf.io/build_lists/4441821
https://abf.io/build_lists/4441818
Comment 5 e.malashin@rosalinux.ru 2023-05-19 14:49:22 MSK
It does not pull in gcc and python3-devel:
==============================================================================Установка:
 python3-nuitka      noarch 1.5-2    abf-downloads.rosalinux.ru_rosa2021.1_container_4441822_x86_64_main_release_ 3.2 M
Установка зависимостей:
 python3-ordered-set noarch 4.1.0-1  abf-downloads.rosalinux.ru_rosa2021.1_container_4440920_x86_64_main_release_  19 k
 python3-zstandard   x86_64 0.19.0-1 abf-downloads.rosalinux.ru_rosa2021.1_container_4440884_x86_64_main_release_ 409 k

Результат транзакции
========================================================================================================================Установка  3 Пакета

Объем загрузки: 3.6 M
Объем изменений: 26 M

A new error appears if nuitka is run without sudo:
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/nuitka/__main__.py", line 151, in <module>
    main()
  File "/usr/lib/python3.8/site-packages/nuitka/__main__.py", line 137, in main
    MainControl.main()
  File "/usr/lib/python3.8/site-packages/nuitka/MainControl.py", line 1088, in main
    _main()
  File "/usr/lib/python3.8/site-packages/nuitka/MainControl.py", line 950, in _main
    main_module = _createMainModule()
  File "/usr/lib/python3.8/site-packages/nuitka/MainControl.py", line 170, in _createMainModule
    cleanSconsDirectory(source_dir)
  File "/usr/lib/python3.8/site-packages/nuitka/build/SconsInterface.py", line 354, in cleanSconsDirectory
    check(path)
  File "/usr/lib/python3.8/site-packages/nuitka/build/SconsInterface.py", line 350, in check
    deleteFile(path, must_exist=True)
  File "/usr/lib/python3.8/site-packages/nuitka/utils/FileOperations.py", line 536, in deleteFile
    os.unlink(path)
PermissionError: [Errno 13] Permission denied: '
Comment 6 Svyatoslav Matveev 2023-05-19 16:37:50 MSK
(In reply to e.malashin@rosalinux.ru from comment #5)
> It does not pull in gcc and python3-devel:
> =============================================================================

Rebuilt.

https://abf.io/build_lists/4441851
https://abf.io/build_lists/4441849
https://abf.io/build_lists/4441850
https://abf.io/build_lists/4441848
https://abf.io/build_lists/4441847

#=================================
A new error appears if nuitka is run without sudo:
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/nuitka/__main__.py", line 151, in <module>
    main()
  File "/usr/lib/python3.8/site-packages/nuitka/__main__.py", line 137, in main
    MainControl.main()
  File "/usr/lib/python3.8/site-packages/nuitka/MainControl.py", line 1088, in main
    _main()
  File "/usr/lib/python3.8/site-packages/nuitka/MainControl.py", line 950, in _main
    main_module = _createMainModule()
  File "/usr/lib/python3.8/site-packages/nuitka/MainControl.py", line 170, in _createMainModule
    cleanSconsDirectory(source_dir)
  File "/usr/lib/python3.8/site-packages/nuitka/build/SconsInterface.py", line 354, in cleanSconsDirectory
    check(path)
  File "/usr/lib/python3.8/site-packages/nuitka/build/SconsInterface.py", line 350, in check
    deleteFile(path, must_exist=True)
  File "/usr/lib/python3.8/site-packages/nuitka/utils/FileOperations.py", line 536, in deleteFile
    os.unlink(path)
PermissionError: [Errno 13] Permission denied: '


On this point I get no errors.
Comment 7 Vladimir Potapov 2023-05-20 12:55:35 MSK
sudo dnf install nuitka --repofrompath nu,http://abf-downloads.rosalinux.ru/rosa2021.1/container/4441850/x86_64/main/release/
Добавлен nu репозиторий из http://abf-downloads.rosalinux.ru/rosa2021.1/container/4441850/x86_64/main/release/
Последняя проверка окончания срока действия метаданных: 0:00:29 назад, Сб 20 мая 2023 17:54:04.
Ошибка: 
 Проблема: cannot install the best candidate for the job
  - nothing provides python3.8dist(zstandard) needed by python3-nuitka-1.5-3.noarch
  - nothing provides python3.8dist(ordered-set) >= 4.1 needed by python3-nuitka-1.5-3.noarch
  - nothing provides python3.8dist(zstandard) >= 0.15 needed by python3-nuitka-1.5-3.noarch
(попробуйте добавить «--skip-broken» для пропуска удаляемых пакетов или «--nobest», чтобы использовать не только наилучшие варианты пакетов)
Comment 8 Vladimir Potapov 2023-05-20 13:04:06 MSK
(In reply to Vladimir Potapov from comment #7)
> sudo dnf install nuitka --repofrompath
> nu,http://abf-downloads.rosalinux.ru/rosa2021.1/container/4441850/x86_64/
> main/release/
> Добавлен nu репозиторий из
> http://abf-downloads.rosalinux.ru/rosa2021.1/container/4441850/x86_64/main/
> release/
> Последняя проверка окончания срока действия метаданных: 0:00:29 назад, Сб 20
> мая 2023 17:54:04.
> Ошибка: 
>  Проблема: cannot install the best candidate for the job
>   - nothing provides python3.8dist(zstandard) needed by
> python3-nuitka-1.5-3.noarch
>   - nothing provides python3.8dist(ordered-set) >= 4.1 needed by
> python3-nuitka-1.5-3.noarch
>   - nothing provides python3.8dist(zstandard) >= 0.15 needed by
> python3-nuitka-1.5-3.noarch
> (попробуйте добавить «--skip-broken» для пропуска удаляемых пакетов или
> «--nobest», чтобы использовать не только наилучшие варианты пакетов)
Sorry, my mistake, extended containers not added
Comment 9 Vladimir Potapov 2023-05-20 13:04:46 MSK
(In reply to Svyatoslav Matveev from comment #6)
> On this point I get no errors.
Confirmed: the test example compiled for me and it works.
Comment 12 Yury 2023-07-25 13:52:58 MSK
Secteam Verified