python3Packages.mistune_0_8: mark knownVulnerabilities for CVE-2022-34749

[risicle]

Description of changes

https://nvd.nist.gov/vuln/detail/CVE-2022-34749

If someone wants to backport the fix instead, be my guest. Ultimately we probably want to remove mistune_0_8, but we'll still need to apply this knownVulnerabilities to 22.05.

mistune_2_0 addressed in #184019 & #184050

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 22.11 Release Notes (or backporting 22.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[dotlambda]

Can we also remove mistune_0_8 after merging this? Multiple versions of a single package aren't allowed within pythonPackages anyway.
cc @KAction

[dotlambda]

@risicle Please allow committers to edit your PR or pull my commit dotlambda@d3462c9.

[KAction]

Perfectly fine by me. I actually packaged version 2.0 as dependency of md2gemini, I left version 0.8 just in case anybody needed it.

[KAction]

BTW, I don't see how this vulnerability is "CRITICAL". For many use-cases it is completely harmless.

[dotlambda]

BTW, I don't see how this vulnerability is "CRITICAL".

Nobody claimed it is.

[KAction]

https://nvd.nist.gov/vuln/detail/CVE-2022-34749 says Base Score: 9.8 CRITICAL.

[risicle]

CVSS is rather... robotic and I think lends itself to over-exaggeration.

[github-actions]

Successfully created backport PR #186149 for release-22.05.

[risicle]

Oh I was going to include @dotlambda 's change. Ah well, separate PR @dotlambda ?

[dotlambda]

@SuperSandro2000 You just disabled more than 1000 packages. I won't have time for a while to file a PR but this is urgent.

[SuperSandro2000]

Sigh, yeah, converting your commit into a PR in an hour.

[dotlambda]

Can we also remove mistune_0_8 after merging this?

#186272

[vcunat]

This is an issue. Some of our channel-critical tests depend on mistune (transitively?), so we're stuck without evaluations: https://hydra.nixos.org/jobset/nixos/trunk-combined#tabs-errors

[vcunat]

Oh, the worst or maybe all of that was already resolved by PR #186198

[SuperSandro2000]

Sorry, didn't find the time yesterday but I see that others already started to work on this. Thanks!

[vcunat]

I confirm that evaluations do happen again. (also on 22.05)

[Mic92]

I looked at the fix they applied and the affected code does not even exists in 0.8. The knownVulnerabilities is not correct.
Also the CVE itself says that the issue only ever existed in 2.0.2 onwards.

[risicle]

In mistune through 2.0.2...

Does not mean"starting from version 2.0.2"

[risicle]

Shall I revert this? It's been 3 days and we still haven't sorted out the mess.

[dotlambda]

Shall I revert this? It's been 3 days and we still haven't sorted out the mess.

#186272 solves most issues

[risicle]

It appears to have become a bit derailed.

[dotlambda]

How so? I see no reason to keep waiting with the merge.

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/jupyter-broken-in-22-05/21108/1