-
Notifications
You must be signed in to change notification settings - Fork 493
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[universal] Conda: patch Python due to CVE-2023-32681 and GHSA-5cpq-8…
…wj7-hf2v (#627) * [universal] Conda: patch Python due to CVE-2023-32681 and GHSA-5cpq-8wj7-hf2v - Reorganize features installation queue; - Introduce patch-conda feature; * Review comment: Update features schema and container schema * Restart checks * Revert "Review comment: Update features schema and container schema" This reverts commit 046b94c. * Review comment: Update features schema and container schema * Review comment: Add tests * Set up `installsAfter` for features * Define `installsAfter` for `patch-conda` feature * Lock packages version * Add tests for conda * Rework patch * Bump `cryptography` version * Bump `cryptography` version * Restart checks * Add tests * Revert "Add tests" This reverts commit a74d406. * Update test-utils.sh * Restart checks * Restart checks
- Loading branch information
1 parent
47bbd23
commit ec6f6a9
Showing
6 changed files
with
104 additions
and
13 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,4 +4,4 @@ | |
"installsAfter": [ | ||
"ghcr.io/devcontainers/features/python" | ||
] | ||
} | ||
} |
7 changes: 7 additions & 0 deletions
7
src/universal/.devcontainer/local-features/patch-conda/devcontainer-feature.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
{ | ||
"id": "patch-conda", | ||
"name": "Patch Conda Packages", | ||
"installsAfter": [ | ||
"ghcr.io/devcontainers/features/conda" | ||
] | ||
} |
58 changes: 58 additions & 0 deletions
58
src/universal/.devcontainer/local-features/patch-conda/install.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
#!/usr/bin/env bash | ||
#------------------------------------------------------------------------------------------------------------- | ||
# Copyright (c) Microsoft Corporation. All rights reserved. | ||
# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information. | ||
#------------------------------------------------------------------------------------------------------------- | ||
|
||
USERNAME=${USERNAME:-"codespace"} | ||
|
||
set -eux | ||
|
||
if [ "$(id -u)" -ne 0 ]; then | ||
echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.' | ||
exit 1 | ||
fi | ||
|
||
# Ensure that login shells get the correct path if the user updated the PATH using ENV. | ||
rm -f /etc/profile.d/00-restore-env.sh | ||
echo "export PATH=${PATH//$(sh -lc 'echo $PATH')/\$PATH}" > /etc/profile.d/00-restore-env.sh | ||
chmod +x /etc/profile.d/00-restore-env.sh | ||
|
||
export DEBIAN_FRONTEND=noninteractive | ||
|
||
sudo_if() { | ||
COMMAND="$*" | ||
if [ "$(id -u)" -eq 0 ] && [ "$USERNAME" != "root" ]; then | ||
su - "$USERNAME" -c "$COMMAND" | ||
else | ||
"$COMMAND" | ||
fi | ||
} | ||
|
||
update_python_package() { | ||
PYTHON_PATH=$1 | ||
PACKAGE=$2 | ||
VERSION=$3 | ||
|
||
sudo_if "$PYTHON_PATH -m pip uninstall --yes $PACKAGE" | ||
sudo_if "$PYTHON_PATH -m pip install --upgrade --no-cache-dir $PACKAGE==$VERSION" | ||
} | ||
|
||
update_conda_package() { | ||
PACKAGE=$1 | ||
VERSION=$2 | ||
|
||
sudo_if "conda install $PACKAGE=$VERSION" | ||
} | ||
|
||
sudo_if /opt/conda/bin/python3 -m pip install --upgrade pip | ||
|
||
# Temporary: Upgrade python packages due to security vulnerabilities | ||
# They are installed by the conda feature and Conda distribution does not have the patches. | ||
|
||
# https://github.com/advisories/GHSA-5cpq-8wj7-hf2v | ||
update_conda_package pyopenssl "23.2.0" | ||
update_conda_package cryptography "41.0.2" | ||
|
||
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32681 | ||
update_conda_package requests "2.31.0" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters