Arch Linux


FS#74362 - [python-twisted] multiple CVEs since the packaged version

Attached to Project: Arch Linux
Opened by Chih-Hsuan Yen (yan12125) - Tuesday, 05 April 2022, 17:24 GMT
Last edited by David Thurstenson (thurstylark) - Monday, 25 April 2022, 22:21 GMT
Task Type: Bug Report
Category: Security
Status: Assigned
Assigned To: Felix Yan (felixonmars), Levente Polyak (anthraxx)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No

Details

Description:

extra/python-twisted is 21.7.0, while newer versions fix several CVEs:

* CVE-2022-21712: fixed with 22.1 (https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx)
* CVE-2022-21716: fixed with 22.2.0 (https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx)
* CVE-2022-24801: fixed with 22.4.0rc1 (https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq)

A PKGBUILD diff for 22.4.0rc1 is attached below. 22.4.0 is going to be released (https://github.com/twisted/twisted/pull/1714) and the PKGBUILD should be quite similar.

Note that I improved check() besides updating pkgver. If you want to package 22.2.0 and backport the fix for CVE-2022-24801 instead, a fix for the test suite (https://github.com/twisted/twisted/commit/f0cd452ee58e9cff73018bbf10e389826b769700) should be backported as well.

Additional info:
Other CVEs are fixed in the packaged version: https://github.com/twisted/twisted/security/advisories

Steps to reproduce:
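The report lists three CVEs together with the first Twisted release that fixes each, but leaves the reader to work out whether a given installed version is still affected; the comparison is not entirely trivial because the fix for CVE-2022-24801 first shipped in a release candidate (22.4.0rc1) that must sort after 22.2.0 and before the final 22.4.0. The following is an added example, not code from the bug report, from Twisted, or from the Arch package: it carries the fixed-in versions exactly as the report states them (22.1 read as 22.1.0) and pairs them with a small hand-written parser for the `X.Y.Z[aN|bN|rcN]` subset of PEP 440 that Twisted uses (an assumption made here; the real `packaging.version` module handles the full grammar). The `pkgver_from_pacman` helper, also an assumption about `pacman -Q` output, strips the Arch pkgrel and optional epoch so the same check can be fed from the installed package.

```python
"""Added example (not part of FS#74362 or the python-twisted package):
report which of the CVEs listed in the bug are still unfixed for a given
Twisted version string."""

import re
from typing import Dict, List, Tuple

# Fixed-in versions as stated in the report.  "22.1" is taken to mean 22.1.0.
FIXED_IN: Dict[str, str] = {
    "CVE-2022-21712": "22.1.0",
    "CVE-2022-21716": "22.2.0",
    "CVE-2022-24801": "22.4.0rc1",
}

# Assumption: Twisted versions look like "21.7.0", "22.1" or "22.4.0rc1".
# This is a subset of PEP 440 (release segment plus optional a/b/rc tag).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")

VersionKey = Tuple[Tuple[int, ...], int, int]


def parse_version(text: str) -> VersionKey:
    """Turn a version string into a tuple that sorts correctly.

    The key is (release numbers padded to three components, pre-release rank,
    pre-release number).  Final releases get rank 3, so 22.4.0rc1 -> rank 2
    sorts before 22.4.0 -> rank 3, while both sort after 22.2.0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release = release + (0,) * (3 - len(release))  # "22.1" -> (22, 1, 0)
    rank = {"a": 0, "b": 1, "rc": 2, None: 3}[m.group(2)]
    number = int(m.group(3)) if m.group(3) else 0
    return (release, rank, number)


def open_cves(installed: str) -> List[str]:
    """Return the CVEs from FIXED_IN whose fix is newer than `installed`."""
    current = parse_version(installed)
    return sorted(
        cve for cve, fixed in FIXED_IN.items() if current < parse_version(fixed)
    )


def pkgver_from_pacman(line: str) -> str:
    """Extract the upstream version from a `pacman -Q` line.

    Assumption about the format: "<pkgname> [epoch:]<pkgver>-<pkgrel>",
    e.g. "python-twisted 21.7.0-1" -> "21.7.0".
    """
    _name, full = line.split()
    pkgver = full.rsplit("-", 1)[0]   # drop the Arch pkgrel
    return pkgver.split(":")[-1]      # drop an optional epoch


if __name__ == "__main__":
    # Constructed sample: the version packaged in [extra] when the bug was filed.
    sample = "python-twisted 21.7.0-1"
    version = pkgver_from_pacman(sample)
    missing = open_cves(version)
    print(f"{version}: {', '.join(missing) if missing else 'no listed CVEs open'}")
```

Feeding it `python -c 'import twisted; print(twisted.__version__)'` or a `pacman -Q python-twisted` line gives the same answer either way; the interesting boundary is 22.4.0rc1, which the example correctly treats as already fixed for CVE-2022-24801 while still ranking it below the final 22.4.0 release.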

Comment by Chih-Hsuan Yen (yan12125) - Saturday, 16 April 2022, 12:06 GMT
Here's an updated diff for twisted 22.4.0. In the updated patch, the approach for skipping one of the failed tests is improved.
