From 0a7037641cda017e8bf1eccb8f6f549437789ba1 Mon Sep 17 00:00:00 2001
From: xumia <59720581+xumia@users.noreply.github.com>
Date: Wed, 22 Mar 2023 15:42:29 +0800
Subject: [PATCH] [Security] Fix some of vulnerability issue relative python packages (#14269) (#14352)
Why I did it
Fix some of vulnerability issue relative python packages #14269
Pillow: [CVE-2021-27921]
Wheel: [CVE-2022-40898]
lxml: [CVE-2022-2309]
How I did it
How to verify it
---
 .../dockers/sonic-slave-bullseye/versions-py3 | 4 ++--
 .../dockers/sonic-slave-buster/versions-py2 | 2 +-
 .../dockers/sonic-slave-buster/versions-py3 | 4 ++--
 sonic-slave-bullseye/Dockerfile.j2 | 17 +++++++++++++--
 sonic-slave-buster/Dockerfile.j2 | 21 +++++++++++++++----
 sonic-slave-stretch/Dockerfile.j2 | 4 ++--
 6 files changed, 39 insertions(+), 13 deletions(-)
diff --git a/files/build/versions/dockers/sonic-slave-bullseye/versions-py3 b/files/build/versions/dockers/sonic-slave-bullseye/versions-py3
index 7dec593dc7..e82c8436f5 100644
--- a/files/build/versions/dockers/sonic-slave-bullseye/versions-py3
+++ b/files/build/versions/dockers/sonic-slave-bullseye/versions-py3
@@ -39,7 +39,7 @@ j2cli==0.3.10
 jinja2==2.11.3
 lazy-object-proxy==0.0.0
 logilab-common==1.8.1
-lxml==4.6.2
+lxml==4.9.1
 m2crypto==0.36.0
 mako==1.1.3
 markdown==3.3.4
@@ -107,4 +107,4 @@ webencodings==0.5.1
 wrapt==1.12.1
 xdg==5
 zipp==1.0.0
-zope.interface==5.2.0
\ No newline at end of file
+zope.interface==5.2.0
diff --git a/files/build/versions/dockers/sonic-slave-buster/versions-py2 b/files/build/versions/dockers/sonic-slave-buster/versions-py2
index d0fec6b118..fc08fb4cf1 100644
--- a/files/build/versions/dockers/sonic-slave-buster/versions-py2
+++ b/files/build/versions/dockers/sonic-slave-buster/versions-py2
@@ -38,7 +38,7 @@ keyring==17.1.1
 keyrings.alt==3.1.1
 lazy-object-proxy==1.3.1
 logilab-common==1.4.2
-lxml==4.6.5
+lxml==4.9.1
 m2crypto==0.36.0
 markupsafe==1.1.0
 mccabe==0.6.1
diff --git a/files/build/versions/dockers/sonic-slave-buster/versions-py3 b/files/build/versions/dockers/sonic-slave-buster/versions-py3
index f6b14323f9..85d369ae4c 100644
--- a/files/build/versions/dockers/sonic-slave-buster/versions-py3
+++ b/files/build/versions/dockers/sonic-slave-buster/versions-py3
@@ -24,7 +24,7 @@ importlib-metadata==6.1.0
 jinja2==3.0.3
 keyring==17.1.1
 keyrings.alt==3.1.1
-lxml==4.6.5
+lxml==4.9.1
 m2crypto==0.38.0
 mako==1.0.7
 markdown==3.0.1
@@ -75,4 +75,4 @@ typing_extensions==4.5.0
 unattended-upgrades==0.1
 unidiff==0.5.4
 urllib3==1.24.1
-zipp==3.15.0
\ No newline at end of file
+zipp==3.15.0
diff --git a/sonic-slave-bullseye/Dockerfile.j2 b/sonic-slave-bullseye/Dockerfile.j2
index 76ca039a2c..fc129a5f68 100644
--- a/sonic-slave-bullseye/Dockerfile.j2
+++ b/sonic-slave-bullseye/Dockerfile.j2
@@ -474,7 +474,7 @@ RUN apt-get purge -y python3-pip python3-yaml
 # For building Python packages
 RUN pip3 install setuptools==49.6.00
-RUN pip3 install wheel==0.35.1
+RUN pip3 install wheel==0.38.1
 {%- if CONFIGURED_ARCH == "armhf" %}
 # Allow only manylinux wheels on armhf, to ensure that binaries/libraries work correctly on armhf
@@ -494,6 +494,19 @@ RUN pip3 install pytest-runner==5.2
 RUN pip3 install nose==1.3.7
 RUN pip3 install mockredispy==2.9.3
+# Fix CVE-2021-23437, need to build and install libjpeg-dev for armhf for pillow 9.4.0
+{%- if CONFIGURED_ARCH == "armhf" %}
+RUN TMP_DIR=$(mktemp -d) && \
+ cd $TMP_DIR && \
+ apt-get install -y nasm && \
+ apt-get source libjpeg-turbo && \
+ cd $(ls -d libjpeg-turbo*/) && \
+ dpkg-buildpackage -rfakeroot -b -us -uc > $TMP_DIR/libjpeg-dev.log && \
+ dpkg -i $TMP_DIR/libjpeg*-dev*.deb && \
+ rm -rf $TMP_DIR
+{%- endif %}
+RUN pip3 install pillow==9.4.0
+
 # For p4 build
 RUN pip3 install \
 ctypesgen==1.0.2 \
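Review bot: The comment opening the new armhf block cites CVE-2021-23437 while the commit description attributes the Pillow bump to CVE-2021-27921; the two should agree (or the comment should list both if both are meant), because the inline comment is what the next audit will grep for when deciding whether `pillow==9.4.0` can be moved again. `apt-get source libjpeg-turbo` is unpinned, so the `libjpeg*-dev*.deb` that ends up in the image depends on whatever the configured mirror serves at build time rather than on a recorded version, unlike every pip pin around it; `apt-get source libjpeg-turbo=<version>` with the version matching the runtime library already in the image keeps the slave image reproducible and keeps `dpkg -i` (which does no dependency resolution) from failing on a version mismatch. The build output goes to `$TMP_DIR/libjpeg-dev.log` and the directory is then removed, and when `dpkg-buildpackage` fails the `&&` chain aborts with the log stranded in a discarded layer; `dpkg-buildpackage -rfakeroot -b -us -uc > "$TMP_DIR/libjpeg-dev.log" 2>&1 || { cat "$TMP_DIR/libjpeg-dev.log"; exit 1; }` surfaces the reason. Whether the source package's build dependencies are already present at this point is not visible in the hunk; if they are not, `dpkg-buildpackage` refuses to build and an `apt-get build-dep -y libjpeg-turbo` step belongs before it.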
@@ -512,7 +525,7 @@ RUN pip3 install j2cli==0.3.10
 # For sonic-mgmt-framework
 RUN pip3 install "PyYAML==5.4.1"
 {%- if CROSS_BUILD_ENVIRON != "y" %}
-RUN pip3 install "lxml==4.6.2"
+RUN pip3 install "lxml==4.9.1"
 {%- endif %}
 # For sonic-platform-common testing
diff --git a/sonic-slave-buster/Dockerfile.j2 b/sonic-slave-buster/Dockerfile.j2
index 084d28d686..60282b627a 100644
--- a/sonic-slave-buster/Dockerfile.j2
+++ b/sonic-slave-buster/Dockerfile.j2
@@ -69,7 +69,7 @@ RUN cd /python_virtualenv && python3 -m virtualenv -p /usr/bin/python env2
 RUN cd /python_virtualenv && python3 -m virtualenv --copies -p /usr/bin/python3 env3
 RUN PATH=/python_virtualenv/env2/bin/:$PATH pip2 install setuptools==40.8.0 wheel==0.35.1 fastentrypoints pytest pytest-cov pytest-runner==4.4 nose==1.3.7 mockredispy==2.9.3 mock==3.0.5 j2cli==0.3.10 PyYAML==5.4.1 pexpect==4.6.0 Pympler==0.8 ctypesgen==1.0.2 natsort==6.2.1 redis==3.5.3 protobuf==3.17.3
-RUN PATH=/python_virtualenv/env3/bin/:$PATH pip3 install setuptools==49.6.00 wheel==0.35.1 fastentrypoints pytest pytest-cov pytest-runner==5.2 nose==1.3.7 mockredispy==2.9.3 mock==3.0.5 PyYAML==5.4.1 redis==3.5.3 pexpect==4.8.0 Pympler==0.8 parameterized natsort==6.2.1 MarkupSafe==2.0.1 Jinja2==3.0.3 sphinx && ln -s /python_virtualenv/env3/bin/pytest /python_virtualenv/env3/bin/pytest-3
+RUN PATH=/python_virtualenv/env3/bin/:$PATH pip3 install setuptools==49.6.00 wheel==0.35.1 fastentrypoints pytest pytest-cov pytest-runner==5.2 nose==1.3.7 mockredispy==2.9.3 mock==3.0.5 PyYAML==5.4.1 redis==3.5.3 pexpect==4.8.0 Pympler==0.8 parameterized natsort==6.2.1 MarkupSafe==2.0.1 Jinja2==3.0.3 sphinx && ln -s /python_virtualenv/env3/bin/pytest /python_virtualenv/env3/bin/pytest-3
 RUN apt-get --fix-broken install -y
 RUN LIBPYTHON3_DEPS="`apt-cache depends libpython3-dev:$arch |grep Depends|awk {'print \$2;'}|tr "\n" " "`" && apt-get install -y libpython2.7-dev:$arch $LIBPYTHON3_DEPS libxml2-dev:$arch libxslt-dev:$arch libssl-dev:$arch libz-dev:$arch 
@@ -487,7 +487,7 @@ RUN apt-get purge -y python-pip python3-pip python3-yaml
 RUN pip2 install setuptools==40.8.0
 RUN pip2 install wheel==0.35.1
 RUN pip3 install setuptools==49.6.00
-RUN pip3 install wheel==0.35.1
+RUN pip3 install wheel==0.38.1
 # For building sonic-utilities
 RUN pip2 install fastentrypoints
@@ -501,6 +501,19 @@ RUN pip3 install nose==1.3.7
 RUN pip2 install mockredispy==2.9.3
 RUN pip3 install mockredispy==2.9.3
+# Fix CVE-2021-23437, need to build and install libjpeg-dev for armhf for pillow 9.4.0
+{%- if CONFIGURED_ARCH == "armhf" %}
+RUN TMP_DIR=$(mktemp -d) && \
+ cd $TMP_DIR && \
+ apt-get install -y nasm && \
+ apt-get source libjpeg-turbo && \
+ cd $(ls -d libjpeg-turbo*/) && \
+ dpkg-buildpackage -rfakeroot -b -us -uc > $TMP_DIR/libjpeg-dev.log && \
+ dpkg -i $TMP_DIR/libjpeg*-dev*.deb && \
+ rm -rf $TMP_DIR
+{%- endif %}
+RUN pip3 install pillow==9.4.0
+
 # For Python 2 unit tests, we need 'mock'. The last version of 'mock'
 # which supports Python 2 is 3.0.5. In Python 3, 'mock' is part of 'unittest'
 # in the standard library
@@ -531,8 +544,8 @@ RUN pip2 install "PyYAML==5.4.1"
 RUN pip3 install "PyYAML==5.4.1"
 {%- if CROSS_BUILD_ENVIRON != "y" %}
-RUN pip2 install "lxml==4.6.5"
-RUN pip3 install "lxml==4.6.5"
+RUN pip2 install "lxml==4.9.1"
+RUN pip3 install "lxml==4.9.1"
 {%- endif %}
 # For sonic-platform-common testing
diff --git a/sonic-slave-stretch/Dockerfile.j2 b/sonic-slave-stretch/Dockerfile.j2
index 1397df1c73..e8a235eab6 100644
--- a/sonic-slave-stretch/Dockerfile.j2
+++ b/sonic-slave-stretch/Dockerfile.j2
@@ -331,8 +331,8 @@ RUN pip3 install mockredispy==2.9.3
 # For sonic-mgmt-framework
 RUN pip2 install "PyYAML==5.3.1"
 RUN pip3 install "PyYAML==5.3.1"
-RUN pip2 install "lxml==4.6.5"
-RUN pip3 install "lxml==4.6.5"
+RUN pip2 install "lxml==4.9.1"
+RUN pip3 install "lxml==4.9.1"
 # For sonic-platform-common testing
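Review bot: The Python 2 interpreter keeps `wheel==0.35.1` on the context line two above the bumped pip3 line, so CVE-2022-40898 from the description is closed only for pip3 in this hunk, and the env3 virtualenv line in the earlier `@@ -69,7 +69,7 @@` hunk of this file also still pins `wheel==0.35.1` even though that line was rewritten. If no wheel release carrying the fix supports Python 2 (wheel 0.38 dropped Python 2, as far as I recall), that residual exposure should be stated next to the pin so the next audit does not re-flag it as an oversight, e.g. `# wheel 0.38.1 (CVE-2022-40898 fix) needs Python >= 3.7; pip2 stays on 0.35.1`. The env3 virtualenv has no such excuse and can take `wheel==0.38.1` the same way the system pip3 does here.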
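Review bot: `dpkg -i $TMP_DIR/libjpeg*-dev*.deb` installs the freshly built dev package without dependency resolution, and a `-dev` package of this kind typically depends on its runtime library at exactly the same version, so with `apt-get source libjpeg-turbo` left unpinned the step either fails when the mirror's source version has moved past the runtime library already in the image or silently rebuilds what the distro already ships; pin it as `apt-get source libjpeg-turbo=<version>` matching the installed runtime so the result is reproducible across builds. The comment above the block cites CVE-2021-23437 while the commit description attributes the Pillow bump to CVE-2021-27921; the two should agree. `nasm` is installed for the build and never removed, so it ships in every buster slave image; `apt-get purge -y nasm` after the `dpkg -i` in the same RUN keeps the image to what the build needs. The log redirected to `$TMP_DIR/libjpeg-dev.log` is lost when the build fails because the layer is discarded; `dpkg-buildpackage -rfakeroot -b -us -uc > "$TMP_DIR/libjpeg-dev.log" 2>&1 || { cat "$TMP_DIR/libjpeg-dev.log"; exit 1; }` prints it on the failure path.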