
@sethmlarson (Contributor) commented Apr 8, 2024

Previous CPE identifier was for an xz Go package, not for the upstream package (isn't CPE fun?) Confirmed that this CPE works to detect the recent backdoor CVE by manually faking the metadata for 5.6.1 and running Grype. Will need a backport to 3.12 as well.

@zooba (Member) commented Apr 9, 2024

LGTM. How do we interpret that reference? Since tukaani isn't literally the name of the GitHub org, I'm not quite sure where I should look to find it.

@sethmlarson (Contributor, Author)

@zooba You have to go to the CVE Dictionary and search it or download the entire dataset. They helpfully disallow queries under 3 characters so "xz" won't do, and this caused me to not find the right CPE. Searching for "xz tukaani" lets you find the right one and confirm the linkage to CVE-2024-3094 (xz-utils backdoor).
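The detection the PR relies on (a scanner matching each SBOM component's CPE against the CVE's CPE pattern, which only succeeds when vendor and product are the upstream's, here vendor "tukaani"), as an added example that is not part of this thread nor CPython's or Grype's code. The SBOM entries, the "placeholder_vendor" standing in for the unrelated Go package, and the hard-coded affected version are constructed for illustration:

```python
import re

# Field names of a CPE 2.3 formatted string after the "cpe:2.3" prefix.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 named fields.
    Colons inside a value are escaped as '\\:', so split only on unescaped ones."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))

def cpe_matches(candidate: str, pattern: str) -> bool:
    """True if every non-ANY ('*') field of the pattern equals the candidate's
    field; CPE values compare case-insensitively."""
    cand, pat = parse_cpe23(candidate), parse_cpe23(pattern)
    return all(pat[f] == "*" or cand[f].lower() == pat[f].lower() for f in CPE_FIELDS)

# Constructed vulnerability record: the CVE id and the tested version (5.6.1) are
# the ones named in the PR. A real scanner such as Grype takes the CPE pattern and
# the full affected-version range from the NVD feed instead of hard-coding them.
XZ_BACKDOOR = {
    "id": "CVE-2024-3094",
    "cpe_pattern": "cpe:2.3:a:tukaani:xz:*:*:*:*:*:*:*:*",
    "affected_versions": {"5.6.1"},
}

def find_vulnerable(components: list, vuln: dict) -> list:
    """Return names of SBOM components whose CPE and version match the record."""
    hits = []
    for comp in components:
        version = parse_cpe23(comp["cpe"])["version"]
        if cpe_matches(comp["cpe"], vuln["cpe_pattern"]) and version in vuln["affected_versions"]:
            hits.append(comp["name"])
    return hits

# Constructed SBOM entries, not CPython's real SBOM. "placeholder_vendor" stands in
# for the vendor of the unrelated Go package: same product name, wrong vendor, so
# the backdoored version is missed, which is the class of mistake the PR fixes.
SAMPLE_COMPONENTS = [
    {"name": "xz-wrong-cpe", "cpe": "cpe:2.3:a:placeholder_vendor:xz:5.6.1:*:*:*:*:*:*:*"},
    {"name": "xz-backdoored", "cpe": "cpe:2.3:a:tukaani:xz:5.6.1:*:*:*:*:*:*:*"},
    {"name": "xz-clean", "cpe": "cpe:2.3:a:tukaani:xz:5.4.6:*:*:*:*:*:*:*"},
]
```

Running `find_vulnerable(SAMPLE_COMPONENTS, XZ_BACKDOOR)` flags only `xz-backdoored`; the entry with the wrong vendor is silently missed, which is why the CPE correction matters.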

@zooba (Member) commented Apr 9, 2024

I just searched the whole string as shown in the file and it found the right one (not the one with the most recent CVE, of course). So that's good to know.

@zooba zooba merged commit d70ee13 into python:main Apr 16, 2024
@zooba zooba added the needs backport to 3.12 only security fixes label Apr 16, 2024
@miss-islington-app

Thanks @sethmlarson for the PR, and @zooba for merging it 🌮🎉.. I'm working now to backport this PR to: 3.12.
🐍🍒⛏🤖 I'm not a witch! I'm not a witch!

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Apr 16, 2024
(cherry picked from commit d70ee13)

Co-authored-by: Seth Michael Larson <[email protected]>
@bedevere-app bot commented Apr 16, 2024

GH-117951 is a backport of this pull request to the 3.12 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.12 only security fixes label Apr 16, 2024
zooba pushed a commit that referenced this pull request Apr 16, 2024
(cherry picked from commit d70ee13)

Co-authored-by: Seth Michael Larson <[email protected]>
@sethmlarson (Contributor, Author)

Thanks @zooba! 🙏

diegorusso pushed a commit to diegorusso/cpython that referenced this pull request Apr 17, 2024

Labels: 3.12 (only security fixes), skip news, type-security (A security issue)
