Universal Anaconda Python: Update "setuptools" due to CVE-2022-40897 (devcontainers#455)

samruddhikhandale · web-flow · commit 179197eb84b5 · 2023-02-28T10:14:48.000-08:00
* Universal Anaconda Python: Update "setuptools" due to CVE-2022-40897 * patch anaconda * update test * update test * update how we update setuptools
diff --git a/src/anaconda/.devcontainer/Dockerfile b/src/anaconda/.devcontainer/Dockerfile
@@ -66,6 +66,8 @@ RUN python3 -m pip install \
     numpy \
     # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23491
     certifi \
+    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897
+    setuptools \
     # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40899
     future \
     # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40898
diff --git a/src/anaconda/manifest.json b/src/anaconda/manifest.json
@@ -30,6 +30,7 @@
 			"mistune",
 			"numpy",
 			"certifi",
+			"setuptools",
 			"future",
 			"wheel"
 		],
diff --git a/src/anaconda/test-project/test.sh b/src/anaconda/test-project/test.sh
@@ -44,6 +44,9 @@ check-version-ge "mistune-requirement" "${mistune_version}" "2.0.3"
 numpy_version=$(python -c "import numpy; print(numpy.__version__)")
 check-version-ge "numpy-requirement" "${numpy_version}" "1.22"
 
+setuptools_version=$(python -c "import setuptools; print(setuptools.__version__)")
+check-version-ge "setuptools-requirement" "${setuptools_version}" "65.5.1"
+
 future_version=$(python -c "import future; print(future.__version__)")
 check-version-ge "future-requirement" "${future_version}" "0.18.3"
 
diff --git a/src/python/.devcontainer/Dockerfile b/src/python/.devcontainer/Dockerfile
@@ -6,6 +6,10 @@ RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
     # Remove imagemagick due to https://security-tracker.debian.org/tracker/CVE-2019-10131
     && apt-get purge -y imagemagick imagemagick-6-common 
 
+# Temporary: Upgrade python packages due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897
+# They are installed by the base image (python) which does not have the patch.
+RUN python3 -m pip install --upgrade setuptools
+
 # [Optional] If your pip requirements rarely change, uncomment this section to add them to the image.
 # COPY requirements.txt /tmp/pip-tmp/
 # RUN pip3 --disable-pip-version-check --no-cache-dir install -r /tmp/pip-tmp/requirements.txt \
diff --git a/src/python/manifest.json b/src/python/manifest.json
@@ -106,6 +106,9 @@
 			"virtualenv",
 			"pipx"
 		],
+		"pip": [
+			"setuptools"
+		],
 		"languages": {
 			"Python": {
 				"cgIgnore": true,
diff --git a/src/python/test-project/test.sh b/src/python/test-project/test.sh
@@ -39,5 +39,8 @@ check "gitconfig-contains-name" sh -c "cat /etc/gitconfig | grep 'name = devcont
 
 check "usr-local-etc-config-does-not-exist" test ! -f "/usr/local/etc/gitconfig"
 
+setuptools_version=$(python -c "import setuptools; print(setuptools.__version__)")
+check-version-ge "setuptools-requirement" "${setuptools_version}" "65.5.1"
+
 # Report result
 reportResults
diff --git a/src/universal/.devcontainer/local-features/setup-user/install.sh b/src/universal/.devcontainer/local-features/setup-user/install.sh
@@ -39,6 +39,20 @@ rm -rf /usr/local/nvs/deps/node_modules/follow-redirects/*
 curl -sSL https://github.com/follow-redirects/follow-redirects/archive/refs/tags/v1.15.2.tar.gz | tar -xzC /tmp 2>&1
 mv /tmp/follow-redirects-1.15.2/*  /usr/local/nvs/deps/node_modules/follow-redirects/
 
+sudo_if() {
+    COMMAND="$*"
+    if [ "$(id -u)" -eq 0 ] && [ "$USERNAME" != "root" ]; then
+        su - "$USERNAME" -c "$COMMAND"
+    else
+        "$COMMAND"
+    fi
+}
+
+# Temporary: Upgrade python packages due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897
+# They are installed by the base image (python) which does not have the patch.
+sudo_if /usr/local/python/current/bin/python -m pip uninstall --yes setuptools
+sudo_if /usr/local/python/current/bin/python -m pip install --user --upgrade --no-cache-dir setuptools
+
 # Enables the oryx tool to generate manifest-dir which is needed for running the postcreate tool
 DEBIAN_FLAVOR="focal-scm"
 mkdir -p /opt/oryx && echo "vso-focal" > /opt/oryx/.imagetype
diff --git a/src/universal/manifest.json b/src/universal/manifest.json
@@ -119,6 +119,7 @@
 			"plotly",
 			"jupyterlab-git",
 			"certifi",
+			"setuptools",
 			"wheel"
 		],
 		"other": {
diff --git a/src/universal/test-project/test.sh b/src/universal/test-project/test.sh
@@ -55,6 +55,9 @@ check "torch" python -c "import torch; print(torch.__version__)"
 check "requests" python -c "import requests; print(requests.__version__)"
 check "jupyterlab-git" bash -c "python3 -m pip list | grep jupyterlab-git"
 
+setuptools_version=$(python3 -c "import setuptools; print(setuptools.__version__)")
+check-version-ge "setuptools-requirement" "${setuptools_version}" "65.5.1"
+
 # Check JupyterLab
 check "jupyter-lab" jupyter-lab --version
 check "jupyter-lab config" grep ".*.allow_origin = '*'" /home/codespace/.jupyter/jupyter_server_config.py
