Bug 1220313 (CVE-2022-25882)

Summary: VUL-0: CVE-2022-25882: python-onnx: directory traversal
Product: [openSUSE] openSUSE Distribution
Reporter: SMASH SMASH <smash_bz>
Component: Security
Assignee: Guillaume GARDET <guillaume.gardet>
Status: IN_PROGRESS
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: guillaume.gardet, lubos.kocman, mlin, thomas.leroy
Version: Leap 15.6
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/355339/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Thomas Leroy 2024-02-26 08:34:10 UTC
openSUSE:Factory is already fixed. Backports are affected.
Comment 2 Guillaume GARDET 2024-02-26 10:22:11 UTC
onnx currently fails to build in SLE15-SP6 Backports project [0].
To update ONNX, we need to add protobuf21, python-fb-re2 and python-nbval packages to Backport project.

[0]: https://build.opensuse.org/package/show/openSUSE:Backports:SLE-15-SP6/python-onnx
Comment 3 Guillaume GARDET 2024-02-26 10:36:48 UTC
Update seems impossible, because python-nbval requires python-nbformat, which requires python3-base >= 3.8, which is not available in Leap:15.6.
Comment 4 Guillaume GARDET 2024-02-28 09:39:41 UTC
We will likely drop the package from Leap 15.6
Comment 5 Guillaume GARDET 2024-03-06 09:47:10 UTC
(In reply to Guillaume GARDET from comment #4)
> We will likely drop the package from Leap 15.6

Delete request sent to Leap 15.6 / SLE15-SP6: https://build.opensuse.org/request/show/1155495
Comment 6 Max Lin 2024-03-06 11:01:32 UTC
(In reply to Guillaume GARDET from comment #3)
> Update seems impossible, because python-nbval requires python-nbformat which
> requires python3-base >= 3.8 which is not available in Leap:15.6

Not exactly: after the PSP update in SLE15, building a package with python 3.11 is possible; you need to add %{?sle15_python_module_pythons} or %{?sle15allpythons} to your specfile though, as well as use %{python_module MODULE_NAME} for BuildRequires. _python 3.11_ versions of python-nbval, python-nbformat and their dependencies do not sound like a small amount of work, though.

I'm fine with dropping python-onnx from Backports:SLE-15-SP6 if there is no customer; the only customer looks like it was python-onnxconverter-common.
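As an added illustration of the spec-file changes described in comment 6 (this is not the page's own code and not the real python-onnx, python-nbval or python-nbformat spec), here is a hypothetical skeleton for a pure-Python package built against the SLE15 python 3.11 module on Backports:SLE-15-SP6. The package name python-EXAMPLE, its version, URL and the nbformat dependency are placeholders; the macros %{?sle15_python_module_pythons}, %{python_module ...}, %python_subpackages, %pyproject_wheel, %pyproject_install, %python_expand and %pytest are the standard openSUSE python-rpm-macros.

```spec
# Hypothetical spec skeleton (added example), not a real package spec.
# Build against the SLE15 python 3.11 module instead of the base python3 (3.6);
# %%{?sle15allpythons} would instead enable every python flavour SLE15 ships.
%{?sle15_python_module_pythons}
Name:           python-EXAMPLE
Version:        0.0.0
Release:        0
Summary:        Placeholder package showing the SLE15 python module macros
License:        MIT
URL:            https://example.invalid/EXAMPLE
Source:         EXAMPLE-%{version}.tar.gz
# %%{python_module ...} expands to one BuildRequires per enabled python flavour,
# so the build pulls python311-pip, python311-setuptools, ... on SLE15-SP6.
BuildRequires:  %{python_module pip}
BuildRequires:  %{python_module setuptools}
BuildRequires:  %{python_module wheel}
# Placeholder for a dependency that itself needs python >= 3.8 (cf. comment 3):
# with the module macro it resolves to the python 3.11 build of that package.
BuildRequires:  %{python_module nbformat}
BuildRequires:  fdupes
BuildRequires:  python-rpm-macros
# %%python_subpackages rewrites this plain Requires per flavour at build time.
Requires:       python-nbformat
BuildArch:      noarch
%python_subpackages

%description
Placeholder description for the added example.

%prep
%autosetup -n EXAMPLE-%{version}

%build
%pyproject_wheel

%install
%pyproject_install
%python_expand %fdupes %{buildroot}%{$python_sitelib}

%check
%pytest

%files %{python_files}
%{python_sitelib}/*

%changelog
```

The only SLE15-specific line is the %{?sle15_python_module_pythons} at the top; the rest is the usual openSUSE multi-flavour layout, so the same spec continues to build unchanged on openSUSE:Factory, where the macro expands to nothing.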