
Bug#1001411: marked as done (bullseye-pu: package dask.distributed/2021.01.0+ds.1-2.1 fixing CVE-2021-42343)



Your message dated Sat, 26 Mar 2022 11:59:13 +0000
with message-id <c4d20274f6d76a43fb574d2177f6e3af4235e4be.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for updates in 11.3
has caused the Debian Bug report #1001411,
regarding bullseye-pu: package dask.distributed/2021.01.0+ds.1-2.1 fixing CVE-2021-42343
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1001411: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001411
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: carnil@debian.org


[ Reason ]

I attempted to backport the fix for CVE-2021-42343 to
2021.01.01+ds.1-2.1. While trying to test that it was fixed, I
discovered there was an import error on Python 3.9 that prevented the
local cluster from launching.

The upstream discussion about the import problem is available here:
https://github.com/dask/distributed/issues/4168

[ Impact ]

Without the update the local Client object can't run with
python3.9, and if someone patches it to run then they might be subject
to CVE-2021-42343.


[ Tests ]

pass-host-to-local-cluster.patch adds the test
test_cluster_host_used_throughout_cluster(host, use_nanny)
to make sure the host argument is passed.

There are 3 tests on CI that fail due to the python3.9-compatibility issue
(https://ci.debian.net/data/autopkgtest/stable/amd64/d/dask.distributed/17215513/log.gz):
test_nprocs_negative, test_nprocs_negative, test_nprocs_auto,
which pass in my autopkgtest runs with the patch applied.


[ Risks ]

The changes are fairly small.

pass-host-to-local-cluster.patch is making sure the default is passed
through to the client instantiation.

python3.9-compatibility adds an import to make sure some internal part
of python3.9 is initialized before it's used, avoiding a cyclic import.

[ Checklist ]

  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [\] the issue is verified as fixed in unstable.
      The security vulnerability patch was applied to unstable and is in
      testing.
      The python3.9-compatibility patch isn't necessary for unstable because
      unstable and testing are now on Python 3.10

[ Changes ]


  * Apply pass-host-to-local-cluster.patch. Resolves CVE-2021-42343
  * Add python3.9-compatibility.patch. Fixes cannot import name 'Popen'
    from partially initialized module 'multiprocessing.popen_spawn_posix'


[ Other info ]

Unfortunately there are still 2 CI test failures in my autopkgtests on bullseye
that I don't know how to fix though.

The changes are also committed to the debian/bullseye branch at salsa.

I haven't done a point release before so I'm not sure what else I need to do,
and if mentioning the CVE id was enough to include the security team.

Hope that's enough.
Diane Trout
diff -Nru dask.distributed-2021.01.0+ds.1/debian/changelog dask.distributed-2021.01.0+ds.1/debian/changelog
--- dask.distributed-2021.01.0+ds.1/debian/changelog	2021-07-13 09:19:56.000000000 -0700
+++ dask.distributed-2021.01.0+ds.1/debian/changelog	2021-11-27 11:29:20.000000000 -0800
@@ -1,3 +1,11 @@
+dask.distributed (2021.01.0+ds.1-2.1+deb11u1) bullseye; urgency=medium
+
+  * Apply pass-host-to-local-cluster.patch. Resolves CVE-2021-42343
+  * Add python3.9-compatibility.patch. Fixes cannot import name 'Popen'
+    from partially initialized module 'multiprocessing.popen_spawn_posix'
+
+ -- Diane Trout <diane@ghic.org>  Sat, 27 Nov 2021 11:29:20 -0800
+
 dask.distributed (2021.01.0+ds.1-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
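Review bot: the second bullet of the 2021.01.0+ds.1-2.1+deb11u1 entry reads awkwardly and gives no pointer for the Python 3.9 failure; quote the error and cite the upstream issue that python3.9-compatibility.patch already carries in its Bug: line, e.g. `* Add python3.9-compatibility.patch. Fixes "cannot import name 'Popen' from partially initialized module 'multiprocessing.popen_spawn_posix'" on Python 3.9 (https://github.com/dask/distributed/issues/4168)`. The first bullet could likewise name what CVE-2021-42343 is (workers listening on non-localhost when `host` is not forwarded) so the changelog is readable without the patch header.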
diff -Nru dask.distributed-2021.01.0+ds.1/debian/patches/pass-host-to-local-cluster.patch dask.distributed-2021.01.0+ds.1/debian/patches/pass-host-to-local-cluster.patch
--- dask.distributed-2021.01.0+ds.1/debian/patches/pass-host-to-local-cluster.patch	1969-12-31 16:00:00.000000000 -0800
+++ dask.distributed-2021.01.0+ds.1/debian/patches/pass-host-to-local-cluster.patch	2021-11-27 11:27:50.000000000 -0800
@@ -0,0 +1,55 @@
+From 295bf8f08fdd99f1767b616e6247253b89f47022 Mon Sep 17 00:00:00 2001
+From: Jim Crist-Harif <jcristharif@gmail.com>
+Date: Mon, 4 Oct 2021 10:02:55 -0500
+Subject: [PATCH] Pass `host` through LocalCluster to workers
+
+Previously the `host` parameter to `LocalCluster` would only be
+forwarded to `Scheduler` instances and not `Worker`/`Nanny` instances,
+leading to workers listening on non-localhost in some configurations.
+This fixes that and adds a test.
+---
+ distributed/deploy/local.py            |  1 +
+ distributed/deploy/tests/test_local.py | 18 ++++++++++++++++++
+ 2 files changed, 19 insertions(+)
+
+--- a/distributed/deploy/local.py
++++ b/distributed/deploy/local.py
+@@ -189,6 +189,7 @@
+ 
+         worker_kwargs.update(
+             {
++                "host": host,
+                 "nthreads": threads_per_worker,
+                 "services": worker_services,
+                 "dashboard_address": worker_dashboard_address,
+--- a/distributed/deploy/tests/test_local.py
++++ b/distributed/deploy/tests/test_local.py
+@@ -4,6 +4,7 @@
+ import subprocess
+ import sys
+ from time import sleep
++from urllib.parse import urlparse
+ from threading import Lock
+ import unittest
+ import weakref
+@@ -1045,3 +1046,20 @@
+         n_workers=0, silence_logs=False, dashboard_address=None, asynchronous=True
+     ) as c:
+         pass
++
++
++@pytest.mark.asyncio
++@pytest.mark.parametrize("host", [None, "127.0.0.1"])
++@pytest.mark.parametrize("use_nanny", [True, False])
++async def test_cluster_host_used_throughout_cluster(host, use_nanny):
++    """Ensure that the `host` kwarg is propagated through scheduler, nanny, and workers"""
++    async with LocalCluster(host=host, asynchronous=True) as cluster:
++        url = urlparse(cluster.scheduler_address)
++        assert url.hostname == "127.0.0.1"
++        for worker in cluster.workers.values():
++            url = urlparse(worker.address)
++            assert url.hostname == "127.0.0.1"
++
++            if use_nanny:
++                url = urlparse(worker.process.worker_address)
++                assert url.hostname == "127.0.0.1"
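Review bot: in the added test, `use_nanny` is parametrized but never passed to `LocalCluster(host=host, asynchronous=True)`, so both parametrizations start an identical cluster and the `if use_nanny:` branch only changes which attribute is inspected; either forward the parameter to the constructor or drop the parametrization so the test name does not overstate its coverage. Also, this patch file has no DEP-3 `Bug:` or `Origin:` line, unlike python3.9-compatibility.patch; the `From 295bf8f08fdd...` header identifies the upstream commit, but a line naming CVE-2021-42343 makes the security relevance visible without reading the body.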
diff -Nru dask.distributed-2021.01.0+ds.1/debian/patches/python3.9-compatibility.patch dask.distributed-2021.01.0+ds.1/debian/patches/python3.9-compatibility.patch
--- dask.distributed-2021.01.0+ds.1/debian/patches/python3.9-compatibility.patch	1969-12-31 16:00:00.000000000 -0800
+++ dask.distributed-2021.01.0+ds.1/debian/patches/python3.9-compatibility.patch	2021-11-27 11:29:20.000000000 -0800
@@ -0,0 +1,108 @@
+From 2c482276ed39112c650ed886c66d2c7b7d5e3783 Mon Sep 17 00:00:00 2001
+From: Jim Crist-Harif <jcristharif@gmail.com>
+Date: Tue, 10 Nov 2020 16:29:57 -0600
+Subject: [PATCH 1/4] Python 3.9 compatibility
+Bug: https://github.com/dask/distributed/issues/4168
+
+---
+ distributed/utils.py | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/distributed/utils.py b/distributed/utils.py
+index 77487f8cec..c1a0d2caa8 100644
+--- a/distributed/utils.py
++++ b/distributed/utils.py
+@@ -72,6 +72,10 @@
+ 
+ 
+ def _initialize_mp_context():
++    if not WINDOWS:
++        # For some reason this is required in python >= 3.9
++        import multiprocessing.popen_spawn_posix
++
+     if WINDOWS or PYPY:
+         return multiprocessing
+     else:
+
+From ef5bd0f8729a2c8c6f63c38dcac29020af01a7c4 Mon Sep 17 00:00:00 2001
+From: Matthew Rocklin <mrocklin@gmail.com>
+Date: Mon, 25 Jan 2021 10:51:36 -0800
+Subject: [PATCH 2/4] import multiprocessing
+
+---
+ distributed/utils.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/distributed/utils.py b/distributed/utils.py
+index a6af0b8f45..949b39cf52 100644
+--- a/distributed/utils.py
++++ b/distributed/utils.py
+@@ -10,7 +10,7 @@
+ import html
+ import json
+ import logging
+-import multiprocessing
++import multiprocessing  # noqa: F401
+ import os
+ import re
+ import shutil
+@@ -71,6 +71,8 @@
+ 
+ 
+ def _initialize_mp_context():
++    import multiprocessing  # noqa: F401
++
+     if not WINDOWS:
+         # For some reason this is required in python >= 3.9
+         import multiprocessing.popen_spawn_posix
+
+From 60eecf8cf82026e4e48f570e255693bd01c3019b Mon Sep 17 00:00:00 2001
+From: Matthew Rocklin <mrocklin@gmail.com>
+Date: Mon, 25 Jan 2021 13:39:18 -0800
+Subject: [PATCH 3/4] Add Python 3.9 to CI
+
+---
+ .github/workflows/ci-windows.yaml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.github/workflows/ci-windows.yaml b/.github/workflows/ci-windows.yaml
+index 6d5923eb18..a807bf187b 100644
+--- a/.github/workflows/ci-windows.yaml
++++ b/.github/workflows/ci-windows.yaml
+@@ -8,7 +8,7 @@ jobs:
+     strategy:
+       fail-fast: false
+       matrix:
+-        python-version: ["3.6", "3.7", "3.8"]
++        python-version: ["3.6", "3.7", "3.8", "3.9"]
+ 
+     steps:
+       - name: Checkout source
+
+From 236f8af2e6ff2dc409f83dd0270620443943624f Mon Sep 17 00:00:00 2001
+From: James Bourbeau <jrbourbeau@gmail.com>
+Date: Tue, 26 Jan 2021 10:58:15 -0600
+Subject: [PATCH 4/4] Update tornado install
+
+---
+ .github/workflows/ci-windows.yaml | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/.github/workflows/ci-windows.yaml b/.github/workflows/ci-windows.yaml
+index a807bf187b..3fff13179f 100644
+--- a/.github/workflows/ci-windows.yaml
++++ b/.github/workflows/ci-windows.yaml
+@@ -33,10 +33,10 @@ jobs:
+       - name: Install tornado
+         shell: bash -l {0}
+         run: |
+-          if [[ "${{ matrix.python-version }}" = "3.8" ]]; then
+-            conda install -c conda-forge tornado=6
+-          else
++          if [[ "${{ matrix.python-version }}" = "3.6" ]]; then
+             conda install -c conda-forge tornado=5
++          else
++            conda install -c conda-forge tornado=6
+           fi
+ 
+       - name: Install distributed from source
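Review bot: the file bundles four upstream commits, but only [PATCH 1/4] and [PATCH 2/4] touch `distributed/utils.py`; [PATCH 3/4] and [PATCH 4/4] edit only `.github/workflows/ci-windows.yaml`, which plays no part in the Debian build and just adds to what the stable release team has to review. Trim the patch to the two utils.py commits so that the "changes are fairly small" statement in [ Risks ] holds for the diff itself. The function-local `import multiprocessing  # noqa: F401` added in [PATCH 2/4] duplicates the module-level import kept at the top of the file; it is harmless, but the shorter two-commit version is the one worth carrying in stable.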
diff -Nru dask.distributed-2021.01.0+ds.1/debian/patches/series dask.distributed-2021.01.0+ds.1/debian/patches/series
--- dask.distributed-2021.01.0+ds.1/debian/patches/series	2021-07-13 09:19:56.000000000 -0700
+++ dask.distributed-2021.01.0+ds.1/debian/patches/series	2021-11-27 11:29:20.000000000 -0800
@@ -8,3 +8,5 @@
 mark-tests-require-installation.patch
 fall-back-to-ipv6-localhost.patch
 0001-Remove-tests-for-process_time-and-thread_time-4895.patch
+pass-host-to-local-cluster.patch
+python3.9-compatibility.patch

--- End Message ---
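As an added check (example code written for this page, not part of the bug report or of dask's own test suite), the loopback-only property that test_cluster_host_used_throughout_cluster asserts, generalised to IPv6 literals and the name `localhost`, over a constructed list of listener addresses of the form the cluster reports:

```python
"""Audit cluster listener addresses for the CVE-2021-42343 symptom:
a scheduler, worker or nanny-managed worker bound to a non-loopback
address. Added example; the sample addresses below are constructed."""
import ipaddress
from urllib.parse import urlparse

# Names accepted by exact match only; nothing is resolved.
LOOPBACK_NAMES = {"localhost"}


def is_loopback(address: str) -> bool:
    """True if the host part of a dask-style URL such as
    tcp://127.0.0.1:8786 is a loopback IP (v4 or v6) or 'localhost'."""
    host = urlparse(address).hostname  # brackets of IPv6 literals are stripped
    if host is None:
        return False  # no netloc at all: treat as not verified
    if host in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # an unresolved hostname is not known to be local


def non_loopback_listeners(addresses):
    """Return every address that is NOT bound to loopback.
    An empty result is what the patched test expects."""
    return [a for a in addresses if not is_loopback(a)]


# Constructed sample resembling what an unpatched LocalCluster(host=None)
# could report when "host" is missing from worker_kwargs.
SAMPLE_ADDRESSES = [
    "tcp://127.0.0.1:8786",    # scheduler
    "tcp://[::1]:36211",       # worker on IPv6 loopback: fine
    "tcp://192.0.2.10:45021",  # worker on a routable address: flagged
    "tcp://localhost:33001",   # nanny-managed worker: fine
]

if __name__ == "__main__":
    for addr in non_loopback_listeners(SAMPLE_ADDRESSES):
        print("listener not on loopback:", addr)
```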
--- Begin Message ---
Package: release.debian.org
Version: 11.3

Hi,

The updates referenced by these bugs were included in stable as part of
this morning's 11.3 point release.

Regards,

Adam

--- End Message ---
