Bug 1215419 (CVE-2023-41626)

Summary: VUL-0: CVE-2023-41626: gradio: arbitrary file upload via /upload endpoint
Product: [openSUSE] openSUSE Distribution
Reporter: Carlos López <carlos.lopez>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: carlos.lopez
Version: Leap 15.4
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/378983/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Carlos López 2023-09-18 07:35:07 UTC
CVE-2023-41626

Gradio v3.27.0 was discovered to contain an arbitrary file upload vulnerability
via the /upload interface.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-41626
https://www.cve.org/CVERecord?id=CVE-2023-41626
https://gist.github.com/impose1/590472eb0544ef1ec36c8a5a40122adb
Comment 2 Michael Vetter 2023-09-18 08:56:22 UTC
Now I see that the upstream repo is archived and the readme at:
https://github.com/haecker-felix/gradio states "The successor of Gradio is Shortwave."

Upstream is at https://gitlab.gnome.org/World/Shortwave and someone packaged it:
https://build.opensuse.org/package/show/home:Dead_Mozay:GNOME:Apps/shortwave

Same upstream developer is active there.

So I thought to remove Gradio and replace it by Shortwave.

But then I realized that Gradio is actually not part of Factory anymore :)
So I disabled the build in the devel repo and I think everything should be fine?
Comment 3 Carlos López 2023-09-18 08:58:01 UTC
(In reply to Michael Vetter from comment #2)
> But then I realized that Gradio is actually not part of Factory anymore :)
> So I disabled the build in the devel repo and I think everything should be
> fine?

It's part of openSUSE:Backports:SLE-15-SP{4,5,6} though, right?
Comment 4 Michael Vetter 2023-09-20 15:22:59 UTC
(In reply to Carlos López from comment #3)
> (In reply to Michael Vetter from comment #2)
> > But then I realized that Gradio is actually not part of Factory anymore :)
> > So I disabled the build in the devel repo and I think everything should be
> > fine?
> 
> It's part of openSUSE:Backports:SLE-15-SP{4,5,6} though, right?

Well, the gradio internet radio player is.

I checked the issue again. I was already confused about what upload functionality it should provide.
And now I realized the gist mentions https://www.gradio.app/, which is something machine learning and Python related.

So it's not the same as the gradio application at https://github.com/haecker-felix/gradio where I maintained the openSUSE package :-)

I would set this as invalid.
Comment 5 Carlos López 2023-09-29 11:11:31 UTC
This issue affects a different application with the same name. Closing.