Bugzilla – Bug 1206667
VUL-0: CVE-2022-40897: python27-setuptools,python36-setuptools,python310-setuptools,python-setuptools,python39-setuptools: ReDoS in setuptools
Last modified: 2024-06-13 15:50:51 UTC
CVE-2022-40897: An issue discovered in Python Packaging Authority (PyPA) setuptools 65.3.0 and earlier allows remote attackers to cause a denial of service via crafted HTML package or custom PackageIndex page.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40897
https://www.cve.org/CVERecord?id=CVE-2022-40897
https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200
http://www.cvedetails.com/cve/CVE-2022-40897/
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
Affected:
- SUSE:Carwos:1/python-setuptools 40.5.0
- SUSE:SLE-11-SP1:Update:Teradata/python27-setuptools 18.0.1
- SUSE:SLE-11-SP3:Update:Teradata/python-setuptools 0.6c11
- SUSE:SLE-12-SP1:Update/python-setuptools 40.6.2
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-setuptools 36.5.0
- SUSE:SLE-12-SP3:Update:Products:Teradata:Update/python36-setuptools 44.1.1
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-setuptools 40.1.0
- SUSE:SLE-12-SP5:Update/python36-setuptools 44.1.1
- SUSE:SLE-15-SP1:Update/python-setuptools 40.5.0
- SUSE:SLE-15-SP3:Update/python39-setuptools 44.1.1
- SUSE:SLE-15-SP4:Update/python-setuptools 44.1.1
- SUSE:SLE-15-SP4:Update/python310-setuptools 57.4.0
- SUSE:SLE-15:Update/python-setuptools 38.4.1

Not Affected:
- openSUSE:Factory/python-setuptools 65.6.3
Fix: https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
Submit requests with the patch are accepted for each affected version.
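To make the fix concrete, here is an added example (not code from setuptools or from this bug report) contrasting the pre-fix and post-fix shape of the PYPI_MD5 regex in setuptools/package_index.py, as reconstructed from the fix commit linked above; treat the exact pattern text as an assumption and check it against that commit. The sample index line is constructed, and the helper names (index_line, extract_md5_links, has_unbounded_whitespace, installed_pattern_is_bounded) are this example's own. It also shows the two behaviour changes a backporter should know about: the fix caps each whitespace run at 100 characters, so a page that indents its MD5 link deeper than that stops matching, and `{0,100}` also accepts zero whitespace where `+` required at least one. Finally it gives a runtime check on the installed pattern, which is what you need when a backported patch leaves the package version unchanged, as with the 44.1.1 builds in this bug.

```python
"""Added example: pre-fix vs post-fix whitespace quantifiers in the
setuptools PYPI_MD5 regex (CVE-2022-40897), plus a check for the fix.

The two pattern strings are reconstructed from the fix commit linked in
the bug; verify them against that commit before relying on this file.
"""
import re

# Pre-fix pattern (reconstruction; assumption): the whitespace runs after
# each newline are unbounded, so on every failed attempt the backtracking
# matcher walks the whole run that a crafted page supplies.
PYPI_MD5_UNBOUNDED = re.compile(
    r'<a href="([^"#]+)">([^<]+)</a>\n\s+\(<a (?:title="MD5 hash"\n\s+)'
    r'href="[^?]+\?:action=show_md5&amp;digest=([0-9a-f]{32})">md5</a>\)'
)

# Post-fix pattern (reconstruction; assumption): each run is capped at
# 100 whitespace characters, bounding the work a crafted page can cause.
PYPI_MD5_BOUNDED = re.compile(
    r'<a href="([^"#]+)">([^<]+)</a>\n\s{0,100}\(<a (?:title="MD5 hash"\n\s{0,100})'
    r'href="[^?]+\?:action=show_md5&amp;digest=([0-9a-f]{32})">md5</a>\)'
)

# Constructed digest for the sample index markup below.
DIGEST = "d41d8cd98f00b204e9800998ecf8427e"


def index_line(indent):
    """Build a constructed legacy-PyPI index line whose MD5 link is
    indented by `indent` spaces; real pages use a few spaces."""
    return (
        '<a href="/packages/foo-1.0.tar.gz">foo-1.0.tar.gz</a>\n'
        + " " * indent
        + '(<a title="MD5 hash"\n   href="/pypi?:action=show_md5&amp;digest='
        + DIGEST
        + '">md5</a>)'
    )


def extract_md5_links(page, pattern=PYPI_MD5_BOUNDED):
    """Return [(href, link_text, md5)] for each MD5 link found in `page`."""
    return [m.groups() for m in pattern.finditer(page)]


def has_unbounded_whitespace(pattern):
    """Heuristic: True if the pattern source still contains an unbounded
    whitespace repeat (backslash-s followed by + or *), i.e. the fix is
    absent. Accepts a compiled pattern or a pattern string."""
    src = pattern if isinstance(pattern, str) else pattern.pattern
    return re.search(r"\\s[+*]", src) is not None


def installed_pattern_is_bounded():
    """Check the setuptools actually installed in this interpreter.
    Returns True/False, or None if setuptools.package_index or its
    PYPI_MD5 attribute (assumed name) cannot be found."""
    try:
        from setuptools import package_index
    except ImportError:
        return None
    compiled = getattr(package_index, "PYPI_MD5", None)
    if compiled is None:
        return None
    return not has_unbounded_whitespace(compiled)


if __name__ == "__main__":
    print("2-space indent, bounded:", extract_md5_links(index_line(2)))
    deep = index_line(101)
    print("101-space indent, bounded:", extract_md5_links(deep))
    print("101-space indent, unbounded:", extract_md5_links(deep, PYPI_MD5_UNBOUNDED))
    print("installed setuptools bounded:", installed_pattern_is_bounded())
```

Run it inside the virtualenv or system Python whose setuptools you want to audit; the last line reports None when package_index (or the assumed PYPI_MD5 name) is not there, True when the bounded form is present, and False when the unbounded pre-fix regex is still compiled in, regardless of what the package version string says.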
SUSE-SU-2023:0091-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1206667
CVE References: CVE-2022-40897
Sources used:
openSUSE Leap 15.4 (src): python310-setuptools-57.4.0-150400.4.3.1
SUSE Linux Enterprise Module for Python3 15-SP4 (src): python310-setuptools-57.4.0-150400.4.3.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:0093-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1206667
CVE References: CVE-2022-40897
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): python-setuptools-40.6.2-4.21.1
SUSE Linux Enterprise Server 12-SP5 (src): python-setuptools-40.6.2-4.21.1
SUSE Linux Enterprise Module for Public Cloud 12 (src): python-setuptools-40.6.2-4.21.1
SUSE Linux Enterprise Module for Containers 12 (src): python-setuptools-40.6.2-4.21.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:0094-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1206667
CVE References: CVE-2022-40897
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src): python36-setuptools-44.1.1-8.6.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:0159-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1206667
CVE References: CVE-2022-40897
Sources used:
openSUSE Leap Micro 5.3 (src): python-setuptools-44.1.1-150400.3.3.1
openSUSE Leap 15.4 (src): python-setuptools-44.1.1-150400.3.3.1, python-setuptools-test-44.1.1-150400.3.3.1, python-setuptools-wheel-44.1.1-150400.3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): python-setuptools-44.1.1-150400.3.3.1, python-setuptools-test-44.1.1-150400.3.3.1, python-setuptools-wheel-44.1.1-150400.3.3.1
SUSE Linux Enterprise Micro 5.3 (src): python-setuptools-44.1.1-150400.3.3.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:0202-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1206667
CVE References: CVE-2022-40897
Sources used:
openSUSE Leap 15.4 (src): python39-setuptools-44.1.1-150300.7.6.1
SUSE Linux Enterprise Realtime Extension 15-SP3 (src): python39-setuptools-44.1.1-150300.7.6.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:0223-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1206667
CVE References: CVE-2022-40897
Sources used:
openSUSE Leap Micro 5.2 (src): python-setuptools-40.5.0-150100.6.6.1
SUSE Linux Enterprise Realtime Extension 15-SP3 (src): python-setuptools-40.5.0-150100.6.6.1, python-setuptools-test-40.5.0-150100.6.6.1, python-setuptools-wheel-40.5.0-150100.6.6.1
SUSE Linux Enterprise Micro 5.2 (src): python-setuptools-40.5.0-150100.6.6.1
SUSE Linux Enterprise Micro 5.1 (src): python-setuptools-40.5.0-150100.6.6.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:0403-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1206667
CVE References: CVE-2022-40897
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): python-setuptools-36.5.0-3.3.1
SUSE OpenStack Cloud 8 (src): python-setuptools-36.5.0-3.3.1
HPE Helion Openstack 8 (src): python-setuptools-36.5.0-3.3.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:0402-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1206667
CVE References: CVE-2022-40897
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): python-setuptools-40.1.0-3.3.1
SUSE OpenStack Cloud 9 (src): python-setuptools-40.1.0-3.3.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This patch is missing in the new SUSE:SLE-15-SP4:Update python3-setuptools (it was incorrectly dropped during the package rename).
(In reply to Marcus Meissner from comment #22)
> this patch is missing in the new SUSE:SLE-15-SP4:Update python3-setuptools
>
> (was incorrectly dropped during the package rename)

Any update on this? https://www.suse.com/security/cve/CVE-2022-40897.html is still flagged as resolved.
ping?
(In reply to Marcus Meissner from comment #24)
> ping?

Sorry, https://build.suse.de/request/show/312665
SUSE-SU-2023:4517-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1206667
CVE References: CVE-2022-40897
Sources used:
openSUSE Leap 15.4 (src): python3-setuptools-test-44.1.1-150400.9.6.1, python3-setuptools-wheel-44.1.1-150400.9.6.1, python3-setuptools-44.1.1-150400.9.6.1
openSUSE Leap Micro 5.3 (src): python3-setuptools-44.1.1-150400.9.6.1
openSUSE Leap Micro 5.4 (src): python3-setuptools-44.1.1-150400.9.6.1
openSUSE Leap 15.5 (src): python3-setuptools-test-44.1.1-150400.9.6.1, python3-setuptools-wheel-44.1.1-150400.9.6.1, python3-setuptools-44.1.1-150400.9.6.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): python3-setuptools-44.1.1-150400.9.6.1
SUSE Linux Enterprise Micro 5.3 (src): python3-setuptools-44.1.1-150400.9.6.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): python3-setuptools-44.1.1-150400.9.6.1
SUSE Linux Enterprise Micro 5.4 (src): python3-setuptools-44.1.1-150400.9.6.1
SUSE Linux Enterprise Micro 5.5 (src): python3-setuptools-44.1.1-150400.9.6.1
Basesystem Module 15-SP4 (src): python3-setuptools-test-44.1.1-150400.9.6.1, python3-setuptools-wheel-44.1.1-150400.9.6.1, python3-setuptools-44.1.1-150400.9.6.1
Basesystem Module 15-SP5 (src): python3-setuptools-test-44.1.1-150400.9.6.1, python3-setuptools-wheel-44.1.1-150400.9.6.1, python3-setuptools-44.1.1-150400.9.6.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done, closing.