-
-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
<This issue is referenced from a **SPAM**/nonsense CVE with no explanation and no good reason. Ignore it as there is no actual vulnerability here> #6772
Comments
The code appears to be catching a So, maybe our parser should consider catching and rethrowing this exception. |
This is a link to the current issue, not an actual attachment. Do you have any proof that this is actually a problem?
Why do you think it's expected?
This only demonstrates a traceback coming from stdlib (urllib) and yarl. So what's an actual complaint in the aiohttp-land? |
Now everyone gets informed that there is a vulnerability "waiting for a PoC", but everyone just can't see any evidence indicating that aiohttp is vulnerable.
Without any PoC, if only raising an exception can be considered to be a DoS vulnerability instead of a bug or expected behavior, well, should CVE-ID be 64bit long?
I can't say anything but lol So, please show your "example of a context in which denial of service would occur". Don't make unnecessary misunderstandings happen (already happened if it does not be a vulnerability since a CVE-ID has been registered). |
I also wonder what the |
Exactly what I was thinking. Note that there's some discussions along the same lines @ #6801. |
For $ pip-audit --ignore-vuln GHSA-rwqr-c348-m5wr |
I'm the author of the fuzzers in the OSS-Fuzz repo (https://github.com/google/oss-fuzz/tree/master/projects/aiohttp). Sorry to see this mess -- the CVE filing or security filing does not come from OSS-Fuzz and am not sure who files them. This has previously happened, e.g. see this OSS-Fuzz issue which deals with unknown CVE filings google/oss-fuzz#7146. In this context, I would be happy to develop the fuzzing suite into aiohttp and submit it all upstream so you can review and ensure it matches your threat model, i.e. I would be happy to revive this PR #5320 Again, many apologies that this false security filing happened. |
This comment was marked as spam.
This comment was marked as spam.
Yeah, that could be useful but in order to proceed, it really has to be integrated into the pytest setup we've got first, as I mentioned earlier: #5320 (review). Running the fuzzers could be controlled by pytest markers, for example. |
Any idea or timeline when the above PR would be done ? |
Are you referring to the PR I discuss? If so, reviving that PR will have no impact on the code of Following along this issue, the maintainers of aiohttp do not consider this a vulnerability, i.e. the argument is the scanning tools are reporting something wrong. I cannot comment too much on whether the scanning tools have responsibility to verify in detail the info they present, but there seems to be a conflict of some sort at least. I have not gone into details with the threat model myself so I cannot comment on that. So, I will assume there is no security issue present here. Furthermore, the missing catching of exceptions of |
Furthermore, you'd expect any security vulnerability with a CVE to have already have had someone contact us privately and provide evidence of a vulnerability and give us time to deal with it. To this date, nobody has reported any security issue to us this year. Only users asking us what this CVE is about (who heard about it even before us).
If arbitrary unhandled exceptions are a security vulnerability, then aiohttp and every other framework has an infinite number of vulnerabilities. As I mentioned at the beginning, we could transform the exception (#6772 (comment)), to make error handling easier. But, there just doesn't appear to be any evidence that this creates a DoS attack, it's just a usability issue. |
Thanks for the help and replies. I'm aware of the fact that this isn't actually a security vulnerabilities however the CVE is still active for version 3.8.1 (https://nvd.nist.gov/vuln/detail/CVE-2022-33124) |
My understanding is that it was a process breakdown: someone directly reported a "crash" they found with OSS-fuzz and got it accepted by one of the CVE assigning authorities, rather than letting Google triage it or reporting it upstream (where the maintainers would have rejected it). NVD currently shows the CVE as disputed, which your scanning tool should be able to filter on. I believe people are still trying to contact NIST/NVD to get them to yank it entirely, since it's completely invalid. |
I am not a maintainer of |
There are two problems here:
On the note of making a new release, the current blocker is getting the CI green under Python 3.11 which is in progress. Once that is solved, we'll look into including some unmerged PRs if that'll make sense and make a release. Not sooner.
Not me, I gave up on that after having filled out the forms per their processes. They are ghosting me (and I assume others too?) + there's no alternative contact, so I don't see what else I can do regarding fighting this CVE-spam 🤷♂️. |
Interestingly, that "CVE" links to this issue with the "Exploit" and "Third Party Advisory" labels. I wonder if they'll (automatically) notice that it's invalid if I apply an |
I wonder if GitHub will come to help, at least it is a CNA (though the CVE-ID was not assigned by it). A jokeNo, the issue is not invalid, never. It is nvalid! |
I probably won't have any more luck, but I tried reaching out to MITRE themselves (rather than NIST/NVD) as well. |
I believe that's exactly what me and the others did too. |
Ah, dang. In that case I'm probably retracing your exact steps 😅; sorry for the confusion. |
Yeah, it got distributed across two issues... #6801 (comment) |
@webknjaz If CVE-2022-33124 has been confirmed as invalid or disputed then why this issue is still open ? |
This issue is probably a legit annoyance but we don't know why that "CVE" is pointing at it. There's no explanation of what that link means. |
Annoyingly, this "vulnerability" has just been incorporated into pyupio/safety-db, so it's now going to cause issues for anyone using the Just posting this message as an FYI for anyone using safety and stumbling upon this thread whilst researching the vulnerability. I've raised pyupio/safety-db#2363 on that repository to ask why it was added after it has obviously been withdrawn. Regards, Toby |
Thank you, Toby! I'm on the PyCon Sprints so if anybody's around and want to hack on this, trying to figure out what the TS wanted together, hit me up! |
Any updates on this? Very unfortunate. Hope this gets resolved soon! |
Feel free to submit a PR! |
I think this "vulnerability" has now just made its way into pypa/advisory-database, or at least I am now getting If so, in case it helps anyone finding this, my fix given the above is simply |
Hmm, maybe it wasn't given a PYSEC ID before? Looking into it now. |
Ah yep, I knew I remembered this: pypa/advisory-database#83 |
Oh, again? Urgh.. I suppose MITRE is ghosting all of us 🤷♂️ |
Yep 🙃 From a quick look, I think what happened here is that the GHSA advisory was correctly withdrawn, but (as we all know) the CVE never was. PYSEC didn't actually have an "active" advisory open for this until the CVE one got merged in somehow, causing it to ignore the fact that it's already been withdrawn. |
This is now withdrawn from both PYSEC and GHSA, as of pypa/advisory-database#169. There's been no update from MITRE, so I think we can safely assume that they're not going to perform any diligence here. @webknjaz Give the above, I think this is safe to close. WDYT? |
@woodruffw fair enough. Closing… Thanks everyone involved/annoyed :) P.S. The latest update on the CVE page, down in the history:
|
No description provided.
The text was updated successfully, but these errors were encountered: