Comments (12)
The fix we implemented was basically a minimal change that stops the issue happening for the most part. The primary concern was accepting a JSON loaded value and passing it to the version. The change just switched from indexing the tuple to using the attributes, which means that no JSON object would be able to get past that code (as you'll now get an AttributeError).
We could take a PR to make it a bit tighter if desired, but the vulnerability was basically considered a longshot and with that change in place it now stretches credulity.
do not remediate the PoCs
If you find you can actually get an attacker modified output with a list, then we need to check it. But, you should be hitting that AttributeError instead.
from aiohttp.
The fix we implemented was basically a minimal change that stops the issue happening for the most part. The primary concern was accepting a JSON loaded value and passing it to the version. The change just switched from indexing the tuple to using the attributes, which means that no JSON object would be able to get past that code (as you'll now get an AttributeError).
Makes sense. I appreciate you taking the time to clarify.
We could take a PR to make it a bit tighter if desired, but the vulnerability was basically considered a longshot and with that change in place it now stretches credulity.
No need. I was confused given only the information in the PoC and advisory.
If you find you can actually get an attacker modified output with a list, then we need to check it. But, you should be hitting that AttributeError instead.
Sounds good. Thanks again!
Could you please link the PR(s) for the fix for future reference? I'm having trouble finding it. It might clear up future confusion in case anyone stumbles on this.
from aiohttp.
@kylebambrick I'd like to call out that it is important to report anything security-sensitive and related concerns through the private channels as specified by https://github.com/aio-libs/aiohttp/security/policy and keep it that way until it's determined if it's acceptable to be shared publicly. So that such things are processed and disclosed responsibly.
from aiohttp.
Sorry. Given the PoC and CVE were public (and not novel), I felt it more appropriate to provide all the information in a public bug. I will follow that process in the future. Thanks for letting me know.
from aiohttp.
Right. It's just that you claim that a CVE is not actually addressed and this information may mean there's something extra to consider. I think that the rule of thumb should be that whenever there's any hint or uncertainty that a post may point to some potential vulnerability, it's best to double-check and privately confirm whether it's okay to go public.
Of course, all parties here are volunteers, and I recognize that I do set the bar high. So I can't expect anybody to always be on top of everything. Just trying to be mindful of the responsibility to the community we're all a part of.
Is there anything that would make such messaging clearer? Maybe, an extra paragraph in the security policy or a warning in the issue forms?
from aiohttp.
No, I think it's fine how it is.
@webknjaz Do you know the PRs that fixed CVE-2023-49081 and CVE-2023-49082?
from aiohttp.
It looks like they didn't make it into the changelog: https://docs.aiohttp.org/en/latest/changes.html#id177.
@Dreamsorcerer do you have proper links to the patches? When making security releases I'd normally include change fragments. Although, I was doing it in a way that I had local commits and a tag. I was pushing the tag first, to trigger publishing. And only when it succeeded, I was pushing the branch with those commits. Do you think you could integrate something similar into your release routine?
from aiohttp.
@webknjaz Do you know the PRs that fixed CVE-2023-49081 and CVE-2023-49082?
https://github.com/aio-libs/aiohttp/pull/7835/files
https://github.com/aio-libs/aiohttp/pull/7806/files
When making security releases I'd normally include change fragments
If we're not disclosing the issue immediately, then it probably shouldn't be highlighted in the changelog, right? But, we could certainly update the CVE to include the PR.
from aiohttp.
When making security releases I'd normally include change fragments
If we're not disclosing the issue immediately, then it probably shouldn't be highlighted in the changelog, right? But, we could certainly update the CVE to include the PR.
Don't we disclose on release? Anyway, it's useful to update the changelog even if it's disclosed later.
from aiohttp.
These particular ones I think were snuck into a release candidate and disclosed around a week or so later. But, I think many others we've disclosed a day or 2 later (and there was the one you had in draft for years ;) ).
from aiohttp.
Also, just realised I don't know how they've produced those severity ratings on the CVEs. That one for the version is rated as high, while our own advisory is rated low (internally, I suggested this was a 1/10 severity): GHSA-q3qx-c6g2-7pw2
from aiohttp.
Anyway, I assume the questions are resolved, so closing this.
from aiohttp.
Related Issues (20)
- request tuto/method how to debug unclosed sessions on exit HOT 7
- 404 returned if only compressed file exists
- loop.run_forever terminated by exception HOT 4
- web_ws - Can't close tcp socket when receiving a close message from client. HOT 18
- Large payloads lead to BrokenPipe inside a request context manager HOT 1
- OSError : bind(): bad family HOT 1
- Error upon attempt to download https://dieunbestechlichen.com/feed HOT 3
- aiohttp 3.9.3 fails to install on Python 3.13.0a4 HOT 4
- aiohttp.web listens both TCP and Unix socket if `-U` has been supplied HOT 4
- TCPConnector / enable `limit_per_url` HOT 5
- Stability issues with gunicorn --max-requests HOT 11
- ClientSession cannot reuse connection pool HOT 4
- Using underscore to name a field in a named tuple HOT 2
- Request Pynacl Encryption Middleware HOT 13
- ASGI support HOT 4
- tests/test_pytest_plugin.py::test_aiohttp_plugin fails on Alpine Linux (python 3.11 and python 3.12) HOT 12
- ERROR: aiohttp has an invalid wheel, .dist-info directory 'yarl-1.9.4.dist-info' does not start with 'aiohttp' HOT 2
- Pass max_length parameter to ZLibDecompressor HOT 5
- "Unclosed client session" when initialization fails HOT 2
- Expired cookies not listed in the response cookies HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from aiohttp.