

Check for vulnerable openssl (#10988)
* Check for vulnerable openssl

* Update OpenSSL on MacOS

* First attempt - openssl Ubuntu 18.04 and 20.04

* place local/bin ahead in PATH

* specify install openssl

* correct path

* run ldconfig

* stop building and check for patched openssl

* spell sudo right by removing it

* Remove openssl building - 1st attempt RHs

* Test Windows OpenSSL version HT @AmineKhaldi
hoffmang9 committed Apr 1, 2022
1 parent bf2976a commit f88abec
Showing 2 changed files with 30 additions and 9 deletions.
8 changes: 8 additions & 0 deletions Install.ps1
Expand Up @@ -41,6 +41,14 @@ if ([version]$pythonVersion -lt [version]"3.7.0")
}
Write-Output "Python version is:" $pythonVersion

$openSSLVersionStr = (py -c 'import ssl; print(ssl.OPENSSL_VERSION)')
$openSSLVersion = (py -c 'import ssl; print(ssl.OPENSSL_VERSION_NUMBER)')
if ($openSSLVersion -lt 269488367)
{
Write-Output "Found Python with OpenSSL version:" $openSSLVersionStr
Write-Output "Anything before 1.1.1n is vulnerable to CVE-2022-0778."
}

py -m venv venv

venv\scripts\python -m pip install --upgrade pip setuptools wheel
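Review bot: The threshold in `if ($openSSLVersion -lt 269488367)` only covers the 1.1.1 line: OpenSSL 3.0.0 and 3.0.1 report a larger OPENSSL_VERSION_NUMBER and pass unflagged, although the script's own message names 3.0.2 as the fixed release, and `install.sh` has the same gap at its `-lt "269488367"` test in its last hunk. A second problem is that `py -c` output is a string and PowerShell converts the right operand to the left operand's type, so this is a string comparison; it happens to work for equal-length nine-digit values, but if the integer form is kept it should read `[long]$openSSLVersion -lt 269488367`. Comparing `ssl.OPENSSL_VERSION_INFO` per release branch avoids the magic number altogether; the 1.0.2zd case is left out of the excerpt below because its patch-letter numbering past `z` needs checking before a tuple is written down. The `if ([version]$pythonVersion …)` block closed by the `}` on the hunk's first line starts outside the hunk.
```powershell
$openSSLVersionStr = (py -c 'import ssl; print(ssl.OPENSSL_VERSION)')
# Exit status 1 when the linked OpenSSL is below its branch's CVE-2022-0778 fix level
# (3.0.2 on the 3.0 branch, 1.1.1n == patch 14 on the 1.1.1 branch).
py -c 'import ssl, sys; v = ssl.OPENSSL_VERSION_INFO[:4]; bad = (3,0,0) <= v < (3,0,2,0) or (1,1,0) <= v < (1,1,1,14); sys.exit(1 if bad else 0)'
if ($LASTEXITCODE -ne 0)
{
    Write-Output "Found Python with OpenSSL version:" $openSSLVersionStr
    Write-Output "Anything before 1.1.1n is vulnerable to CVE-2022-0778."
}
# … unchanged: venv creation and pip upgrade …
```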
31 changes: 22 additions & 9 deletions install.sh
Expand Up @@ -74,8 +74,8 @@ install_python3_and_sqlite3_from_source_with_yum() {
# Preparing installing Python
echo 'yum groupinstall -y "Development Tools"'
sudo yum groupinstall -y "Development Tools"
echo "sudo yum install -y openssl-devel libffi-devel bzip2-devel wget"
sudo yum install -y openssl-devel libffi-devel bzip2-devel wget
echo "sudo yum install -y openssl-devel openssl libffi-devel bzip2-devel wget"
sudo yum install -y openssl-devel openssl libffi-devel bzip2-devel wget

echo "cd $TMP_PATH"
cd "$TMP_PATH"
Expand Down Expand Up @@ -110,27 +110,28 @@ install_python3_and_sqlite3_from_source_with_yum() {
cd "$CURRENT_WD"
}


# Manage npm and other install requirements on an OS specific basis
if [ "$(uname)" = "Linux" ]; then
#LINUX=1
if [ "$UBUNTU" = "true" ] && [ "$UBUNTU_PRE_2004" = "1" ]; then
# Ubuntu
echo "Installing on Ubuntu pre 20.04 LTS."
sudo apt-get update
sudo apt-get install -y python3.7-venv python3.7-distutils
sudo apt-get install -y python3.7-venv python3.7-distutils openssl
apt show openssl
elif [ "$UBUNTU" = "true" ] && [ "$UBUNTU_PRE_2004" = "0" ] && [ "$UBUNTU_2100" = "0" ]; then
echo "Installing on Ubuntu 20.04 LTS."
sudo apt-get update
sudo apt-get install -y python3.8-venv python3-distutils
sudo apt-get install -y python3.8-venv python3-distutils openssl
apt show openssl
elif [ "$UBUNTU" = "true" ] && [ "$UBUNTU_2100" = "1" ]; then
echo "Installing on Ubuntu 21.04 or newer."
sudo apt-get update
sudo apt-get install -y python3.9-venv python3-distutils
sudo apt-get install -y python3.9-venv python3-distutils openssl
elif [ "$DEBIAN" = "true" ]; then
echo "Installing on Debian."
sudo apt-get update
sudo apt-get install -y python3-venv
sudo apt-get install -y python3-venv openssl
elif type pacman >/dev/null 2>&1 && [ -f "/etc/arch-release" ]; then
# Arch Linux
echo "Installing on Arch Linux."
Expand Down Expand Up @@ -163,16 +164,17 @@ if [ "$(uname)" = "Linux" ]; then
elif type yum >/dev/null 2>&1 && [ -f "/etc/redhat-release" ] && grep Rocky /etc/redhat-release; then
echo "Installing on Rocky."
# TODO: make this smarter about getting the latest version
sudo yum install --assumeyes python39
sudo yum install --assumeyes python39 openssl
elif type yum >/dev/null 2>&1 && [ -f "/etc/redhat-release" ] || [ -f "/etc/fedora-release" ]; then
# Redhat or Fedora
echo "Installing on Redhat/Fedora."
if ! command -v python3.9 >/dev/null 2>&1; then
sudo yum install -y python39
sudo yum install -y python39 openssl
fi
fi
elif [ "$(uname)" = "Darwin" ] && ! type brew >/dev/null 2>&1; then
echo "Installation currently requires brew on MacOS - https://brew.sh/"
brew install openssl
elif [ "$(uname)" = "OpenBSD" ]; then
export MAKE=${MAKE:-gmake}
export BUILD_VDF_CLIENT=${BUILD_VDF_CLIENT:-N}
Expand Down Expand Up @@ -230,6 +232,17 @@ if [ "$SQLITE_MAJOR_VER" -lt "3" ] || [ "$SQLITE_MAJOR_VER" = "3" ] && [ "$SQLIT
exit 1
fi

# Check openssl version python will use
OPENSSL_VERSION_STRING=$($INSTALL_PYTHON_PATH -c 'import ssl; print(ssl.OPENSSL_VERSION)')
OPENSSL_VERSION_INT=$($INSTALL_PYTHON_PATH -c 'import ssl; print(ssl.OPENSSL_VERSION_NUMBER)')
# There is also ssl.OPENSSL_VERSION_INFO returning a tuple
# 1.1.1n corresponds to 269488367 as an integer
echo "OpenSSL version for Python is ${OPENSSL_VERSION_STRING}"
if [ "$OPENSSL_VERSION_INT" -lt "269488367" ]; then
echo "WARNING: OpenSSL versions before 3.0.2, 1.1.1n, or 1.0.2zd are vulnerable to CVE-2022-0778"
echo "Your OS may have patched OpenSSL and not updated the version to 1.1.1n"
fi

# If version of `python` and "$INSTALL_PYTHON_VERSION" does not match, clear old version
VENV_CLEAR=""
if [ -e venv/bin/python ]; then
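Review bot: `brew install openssl` is added inside the `elif [ "$(uname)" = "Darwin" ] && ! type brew …` branch, which is entered only when brew is absent, so the new line runs exactly when it cannot succeed and is skipped on every Mac that does have brew. A following branch, `elif [ "$(uname)" = "Darwin" ]; then` / `brew install openssl`, would run it where brew exists; whether that changes the library the Python at `$INSTALL_PYTHON_PATH` links is not something the script checks, so the version test in the last hunk remains the real gate. In that last hunk `[ "$OPENSSL_VERSION_INT" -lt "269488367" ]` fails with "integer expression expected" when the python call prints nothing, and `$INSTALL_PYTHON_PATH` is unquoted in both command substitutions; quoting it and guarding with `case "$OPENSSL_VERSION_INT" in ''|*[!0-9]*) echo "could not read OpenSSL version" >&2 ;;` before the numeric test would cover that. The `if [ "$(uname)" = "Linux" ]` chain containing these branches begins before the hunk.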

