Vulnerability in Python 3.10 (setuptools inside ensurepip folder)

[bhupendra-vaishnav]

We are working on Python 3.10 and found vulnerable version of setuptools package which is setuptools-65.5.0.

We did see Python 3.10 already has a fix for setuptools package and updated version of setuptools package which is setuptools-65.5.1. Though while doing analysis, we found the traces of vulnerable version inside ensurepip folder.

Please refer absolute file paths highlighted by blue in attached screenshot :

Vulnerability reference : GHSA-r9hx-vwmv-q579

CC: @samruddhikhandale, @eljog, @gauravsaini04

[samruddhikhandale]

./usr/local/lib/python3.10/ensurepip/_bundled/setuptools-65.5.0-py3-none-any.whl

As ensurepip module is part of pip, does the Python image needs an update for the pip package as well?

We use the python image as base for the dev container images which are getting flagged with the setuptools vulnerability in our scanners.

We appreciate the quick fix for #783, hoping to get this resolved as well. Thank you!

// cc @tianon

[tianon]

The ensurepip module is part of Python's own stdlib (which is thus where this is coming from), not pip 😭

[samruddhikhandale]

Hmmm. @tianon Is there any way to patch this? 🤔

[tianon]

I'm sure there's a way -- the best one would be for Python upstream to do new releases with the updated setuptools bundled (because this really isn't a Docker-specific problem -- it just looks like one because we seem to be one of the few parties publishing builds of their sources fairly "vanilla"). I don't know what the likelihood of that happening is, though.

For your builds, it would probably be pretty reasonable to purge the ensurepip module completely from your derivative images, but I must admit I don't know how common ensurepip is for users to actually use.

[samruddhikhandale]

For your builds, it would probably be pretty reasonable to purge the ensurepip module completely from your derivative images, but I must admit I don't know how common ensurepip is for users to actually use.

Removing ensurepip could break the ability to bootstrap pip into new virtual environments created with venv (a tool for creating isolated Python environments), or other systems that rely on ensurepip to ensure pip is available. Hence, I don't think we should remove ensurepip from our images.

it just looks like one because we seem to be one of the few parties publishing builds of their sources fairly "vanilla"

@tianon Is the python image always build with latest builds of Python?

@bhupendra-vaishnav can you raise this issue in https://github.com/python/cpython and request them to update their ensurepip bundle?

[tianon]

Yep, we build from the latest published releases and try to keep any changes minimal.

See https://github.com/docker-library/python/blob/b273afc57978521d33fefe5887ad901d0d35de87/3.10/bookworm/Dockerfile for the current Dockerfile for python:3.10.

[edmorley]

I think this issue should be closed as wontfix, given that the fix should come from upstream (as the wheel in the ensurepip folder comes from upstream).