Update bundled setuptools provided by ensurepip in current 3.8.x through 3.11.x to include fix for CVE-2022-40897?

[LianwMS]

Just found the image are impacted. Any fix plan?
GHSA-r9hx-vwmv-q579

Linked PRs

• gh-102202: Update bundled setuptools to 67.4.0 #102208

[hugovk]

CVE-2022-40897 is a ReDoS in setuptools, fixed in setuptools 65.5.1 (released Nov 4, 2022):

• https://setuptools.pypa.io/en/latest/history.html#v65-5-1

The 3.9 branch has setuptools-58.1.0-py3-none-any.whl (Sep 22, 2021):

• https://github.com/python/cpython/tree/3.9/Lib/ensurepip/_bundled

The main branch has setuptools-65.5.0-py3-none-any.whl (Oct 14, 2022):

• https://github.com/python/cpython/tree/main/Lib/ensurepip/_bundled

---

Before updating, Python 3.7-3.9 are security-fix only (https://devguide.python.org/versions/), let's first check with release managers @ambv and @ned-deily.

A quick check shows the CI passes for 3.9: https://github.com/hugovk/cpython/actions/runs/4260373632

[ned-deily]

Regarding backporting to 3.7, see my comment on the PR. In short, I don't want to backport this to 3.7 as the benefits are minimal and the risks are high.

[LianwMS]

@hugovk @ned-deily So, the security should be fixed in 3.10-3.12. Correct?

[ned-deily]

So, the security should be fixed in 3.10-3.12. Correct?

Ultimately, it's up to the release managers for those releases but I expect they will be updated soon.

However, your original question seems to be about an Alpine docker image with python3.9. If so, you should check with the maintainer of that image. It should be a trivial matter to update the image with the new version of setuptools. Or you can just update it yourself when running the image by using some variant of:

python3.9 -m pip install --upgrade pip
python3.9 -m pip install --upgrade setuptools

A CPython update to ensurepip by itself isn't going to make a difference to the Docker image.

[hugovk]

Also not needed for 3.12, setuptools was removed in #101039.

[ned-deily]

To follow up on this, the current status is that we are still shipping various older versions of setuptools with ensurepip in Python 3.11 and 3.10 (65.5.0), 3.9 (58.1.0), and 3.8 (56.0.0). (We no longer include setuptools with ensurepip as of 3.12.) It should be up to the affected release managers to decide what action, if any, should be taken and then update and close this issue. Are there other potentially relevant security fixes in setuptools?

cc: @pablogsal @ambv @sethmlarson

[sethmlarson]

@ned-deily Beyond CVE-2022-40897 there aren't any additional vulnerabilities in setuptools. I don't think it's particularly bundersome to ask users to upgrade pip when using ensurepip to bootstrap, pip itself will start issuing warnings about being out of date as well.

In fact, could we make ensurepip automatically attempt to upgrade the installed pip during bootstrapping (ie set --upgrade to True by default?)? cc @pradyunsg