Bug 1221661 (CVE-2023-41334)

Summary: VUL-0: CVE-2023-41334: python-astropy: command injection in TranformGraph().to_dot_graph()
Product: [openSUSE] openSUSE Distribution Reporter: SMASH SMASH <smash_bz>
Component: SecurityAssignee: Benjamin Greiner <code>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: carlos.lopez, mcepl
Version: Leap 15.6   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/398165/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-03-19 07:59:46 UTC 
Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the `TranformGraph().to_dot_graph` function. A malicious user can provide a command or a script file as a value to the `savelayout` argument, which will be placed as the first value in a list of arguments passed to `subprocess.Popen`.  Although an error will be raised, the command or script will be executed successfully. Version 5.3.3 fixes this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-41334
https://github.com/astropy/astropy/commit/22057d37b1313f5f5a9b5783df0a091d978dccb5
https://github.com/astropy/astropy/security/advisories/GHSA-h2x6-5jx5-46hf
https://www.cve.org/CVERecord?id=CVE-2023-41334
https://github.com/astropy/astropy/blob/9b97d98802ee4f5350a62b681c35d8687ee81d91/astropy/coordinates/transformations.py#L539
https://bugzilla.redhat.com/show_bug.cgi?id=2270185
Comment 1 Benjamin Greiner 2024-03-19 10:58:24 UTC 
The version on Tumbleweed and the development project is 6.0.0 which is not vulnerable.

There are several possible ways to fix this:
1. Update astropy in 15.6 to 6.0.0, but it will need an updated wcslib as well.
2. Update astropy in 15.6 to 5.3.4. But that must be done by a SUSE maintainer. I am only serving as Astropy maintainer in Tumbleweed. Also, I doubt anybody in the astronomy community uses an old Astropy on an old Python 3.6 SLE15/Leap15 machine.
3. Remove the outdated vulnerable astropy version python 3.6
Comment 2 Benjamin Greiner 2024-03-19 11:04:42 UTC 
Correction: I cannot find astropy in 15.5 or 15.6 at all. It has been removed after 15.4. So this is a non-issue.