Bug 1220313 (CVE-2022-25882) - VUL-0: CVE-2022-25882: python-onnx: directory traversal
Summary: VUL-0: CVE-2022-25882: python-onnx: directory traversal
Status: IN_PROGRESS
Alias: CVE-2022-25882
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.6
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assignee: Guillaume GARDET
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/355339/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-02-26 08:29 UTC by SMASH SMASH
Modified: 2024-03-06 11:01 UTC (History)
CC List: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 1 Thomas Leroy 2024-02-26 08:34:10 UTC
openSUSE:Factory already fixed. Backports affected
Comment 2 Guillaume GARDET 2024-02-26 10:22:11 UTC
onnx currently fails to build in the SLE15-SP6 Backports project [0].
To update ONNX, we need to add the protobuf21, python-fb-re2 and python-nbval packages to the Backports project.

[0]: https://build.opensuse.org/package/show/openSUSE:Backports:SLE-15-SP6/python-onnx
Comment 3 Guillaume GARDET 2024-02-26 10:36:48 UTC
Update seems impossible, because python-nbval requires python-nbformat which requires python3-base >= 3.8 which is not available in Leap:15.6
Comment 4 Guillaume GARDET 2024-02-28 09:39:41 UTC
We will likely drop the package from Leap 15.6
Comment 5 Guillaume GARDET 2024-03-06 09:47:10 UTC
(In reply to Guillaume GARDET from comment #4)
> We will likely drop the package from Leap 15.6

Delete request sent to Leap 15.6 / SLE15-SP6: https://build.opensuse.org/request/show/1155495
Comment 6 Max Lin 2024-03-06 11:01:32 UTC
(In reply to Guillaume GARDET from comment #3)
> Update seems impossible, because python-nbval requires python-nbformat which
> requires python3-base >= 3.8 which is not available in Leap:15.6

Not exactly: after the PSP update in SLE15, building a package with python 3.11 is possible; you need to add %{?sle15_python_module_pythons} or %{?sle15allpythons} to your specfile though, as well as use %{python_module MODULE_NAME} for BuildRequires. A _python 3.11_ version of python-nbval, python-nbformat and their dependencies does not sound like a small amount indeed, though.

I'm fine with dropping python-onnx from Backports:SLE-15-SP6 if there is no customer; the only customer looks like it was python-onnxconverter-common.
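Comment 6 describes how a Python package can be built against python 3.11 on SLE 15 / Leap 15.6 even though python3-base is older: the spec opts in with %{?sle15_python_module_pythons} (build for the newer single python flavour only) or %{?sle15allpythons} (build for every available flavour), and declares its build dependencies through %{python_module ...} so they resolve for each flavour. The sketch below is an added example of where those macros sit in a spec; it is not the bug's or the openSUSE project's own spec. The package name follows the comment, but the version, summary, license, URL and source file name are placeholders, and the single-module file layout in %files is an assumption about the upstream project.

```spec
# Added example, not from the bug report or the openSUSE package.
# Opt in to building with the python 3.11 stack on SLE 15 / Leap 15.6.
# Alternative named in comment 6: %{?sle15allpythons} to build for all flavours.
%{?sle15_python_module_pythons}
Name:           python-nbformat
Version:        0.0.0          # placeholder
Release:        0
Summary:        Placeholder summary
License:        BSD-3-Clause   # placeholder
URL:            https://example.invalid/placeholder
Source:         nbformat-%{version}.tar.gz   # placeholder file name
# %{python_module X} expands to the per-flavour build requirement,
# e.g. python311-setuptools when building for python 3.11.
BuildRequires:  %{python_module pip}
BuildRequires:  %{python_module setuptools}
BuildRequires:  %{python_module wheel}
BuildRequires:  fdupes
BuildRequires:  python-rpm-macros
BuildArch:      noarch
%python_subpackages

%description
Placeholder description.

%prep
%autosetup -p1 -n nbformat-%{version}

%build
%pyproject_wheel

%install
%pyproject_install
%python_expand %fdupes %{buildroot}%{$python_sitelib}

# Assumed upstream layout: one top-level module directory plus dist-info.
%files %{python_files}
%license LICENSE
%{python_sitelib}/nbformat
%{python_sitelib}/nbformat-%{version}*-info
```

Every dependency in the chain (python-nbformat, its own requirements, and python-nbval on top) needs the same opt-in, which is the reason the comment calls the amount of work not small: a single package missing the macro would still pull in the python3 (3.6) flavour and fail to resolve.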