Bug 2039830 (CVE-2022-21668)

Summary: CVE-2022-21668 pipenv: code execution via crafted requirements.txt file
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: ksurma, mhroncok, python-sig, torsava
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pipenv 2022.1.8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-01-12 15:30:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2039831    
Bug Blocks:    

Description Marian Rehak 2022-01-12 14:15:29 UTC 
Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8.

Reference:

https://github.com/pypa/pipenv/releases/tag/v2022.1.8
https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w
https://github.com/pypa/pipenv/commit/439782a8ae36c4762c88e43d5f0d8e563371b46f
Comment 1 Marian Rehak 2022-01-12 14:15:45 UTC 
Created pipenv tracking bugs for this issue:

Affects: fedora-all [bug 2039831]
Comment 2 Product Security DevOps Team 2022-01-12 15:30:35 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.