how critical is WHEEL_INFO_RE DoS threat?

[GliderGeek]

In the release notes i read that the newest version 0.38.0 addresses a DoS vulnerability via the WHEEL_INFO_RE regular expression. can someone shine some light on the vulnerability: how can one be affected? what's the effect when affected? a short search didn't help me.

This later version is yanked due to circular dependency problems, so i would like to know what actions i can and should take.

thanks in advance!

[agronholm]

If it works for you, you can use wheel==0.38.0 in your build requirements. I've had to yank a lot of releases lately because no matter what I do, it always seems to break after release.

As for the vulnerability: unless you're trying to use wheel as a library (which you shouldn't anyway), you shouldn't be affected.

[daniel-kun]

Hey there!

wheel <0.38.0 is listed as vulnerable on https://pyupio.github.io/safety-db/, essentially rendering every python environment insecure now, according to PyUp Safety (which is used by pipenv check, for example).

See:

docker run -it --entrypoint bash python:3.10-slim
> pip install pipenv
> pipenv check && echo 'your environment is secure' || echo 'your environment is insecure'

yields:

Checking PEP 508 requirements...
Passed!
Checking installed package safety...
51499: wheel <0.38.0 resolved (0.37.1 installed)!
Wheel 0.38.0 fixes a potential DoS attack via the 'WHEEL_INFO_RE' regular expression.

your environment is insecure

So people are left with no option here.

My recommendation: Back-port the fix regarding WHEEL_INFO_RE to 0.37 and release a 0.37.2.

If I can be of any help here, please tell me what I can do!

[plumdog]

I just found this too, my fix was to replace:

pipenv check

with

pipenv check -i 51499

which still runs the check, but ignores this particular issue, as - at present, as I understand it - there is no actual fix.

[pfmoore]

So people are left with no option here.

See the comment above from the maintainer: unless you're trying to use wheel as a library (which you shouldn't anyway), you shouldn't be affected.

So the answer is to simply ignore the vulnerability as it doesn't apply to you (or if it does, you're using wheel in an unsupported way, so you have other issues to worry about...)

[daniel-kun]

@pfmoore @plumdog You're both absolutely right, of course ignoring that particular issue is a valid option. :-)
Sorry for being overdramatic, that was not my intention.

@agronholm even mentioned a second option that you have, e.g. pinning wheel to explicitly 0.38.0. When you do that, however, you will be forced to take action once this issue is resolved, because otherwise you will not get any updates.

[daniel-kun]

However, the back-port of the issue - and the update of the PyUp Safety DB - is the most reliable solution to this.

The fix seemed to be trivial, judging from the commit: Fixed potential DoS attack via WHEEL_INFO_RE.

I guess the release procedure is the bigger effort.

I wonder how the entry landed in PyUp Safety DB in the first place. Maybe they scrape commit messages for keywords like "DoS"?

[agronholm]

Closing due to the fix being released in v0.38.1.

[kenahoo]

Describing this as a fix for a potential DoS attack seems iffy at best. This is just speeding up a regex in normal ways (by avoiding backtracking), I don't see any evidence presented that this was a viable attack vector.

Somewhat annoyed by this, since I just spent a bunch of time patching environments due to what I (so far) feel like was a non-issue, but I had to for compliance reasons. If it's a real issue, can someone explain? I would like more understanding than "this probably doesn't affect you".