-
-
Notifications
You must be signed in to change notification settings - Fork 13.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Backport release-22.05] python310Packages.nbconvert: use mistune 2.x #187550
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Need to use mistune_2_0
.
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/jupyter-broken-in-22-05/21108/4 |
This requires To clarify. The package is publicly available in the package set. Changing major version likely changes the API causing breakage for not only our packages that depend on it (which could be fixable) but also for third-party users that use the package directly. That is, they have to deal with an unexpected change in behavior. This package probably should have been upgraded before the 22.05 release, judging from the history of releases of of the package. Now, if we deem the CVE to be so important and it has a massive impact on the package set and it is considered unlikely and acceptable that direct users of mistune 0.8.4 have their packages break because they're relying on this old version, we could do the upgrade. |
We don't have to make |
No, we cannot use multiple versions of a package in the package set. |
Fact is that we're already doing so in the case of mistune since @SuperSandro2000 merged #117917. |
Then that's an error. It does not make it an excuse to make the same mistake elsewhere. |
On nixos-22.05 (currently 00e376e), I count:
(0 packages use It seems like 2.0 is a significant change lepture/mistune#290, unfortunately. Best I can tell, the vulnerability is a ReDoS, and hence probably not severe enough to justify the breakage of upgrading mistune for everyone (though you could make the argument that with a CVSS of 9.8, it's upgrade-the-world-right-now serious! how the hell anyone labelled a ReDoS as having confidentiality impact, I will never know). Though frankly I'm not sure whether mistune 0.8.4 is actually vulnerable in the first place; the regex that was changed in the fix lepture/mistune@a6d4321 was added after v0.8.4's release (in lepture/mistune@ca1e7b5). I am not able to tell with confidence whether the original regex is also vulnerable. |
ReDoS Checker detects the exponential behaviour in the vulnerable The Obviously there are more regexes in mistune than just that one, but I'm not sure that mistune 0.8.4 is vulnerable. |
Thinking about the implication it has on nbconvert. The CVE is about catastrophic backtracking, a potentially endless search. This clearly could be an issue. To me this is a perfect case where having the vulnerability being mentioned is good, and users simply should accept the risk. |
Since mistune 0.8.4 turned out not to be vulnerable (#188031), I think there's little point backporting this change. May as well keep stable as stable as possible. |
Bot-based backport to
release-22.05
, triggered by a label in #186804.