Low severity · GHSA Advisory · Published Jan 21, 2022 · Updated Feb 2, 2022

CVE-2022-0329

CVE-2022-0329

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
loguru (PyPI)
< 0.6.0 | 0.6.0

Affected products

1

Patches

1
4b0070a4f30c

Remove use of "pickle.loads()" to comply with security tools (#563)

https://github.com/delgan/loguruDelganJan 21, 2022via ghsa
2 files changed · +32 14
  • loguru/_recattrs.py+7 11 modified
    @@ -64,18 +64,14 @@ def __repr__(self):
             return "(type=%r, value=%r, traceback=%r)" % (self.type, self.value, self.traceback)
     
         def __reduce__(self):
    +        # The traceback is not picklable so we need to remove it. Also, some custom exception
    +        # values aren't picklable either. For user convenience, we try first to serialize it and
    +        # we remove the value in case or error. As an optimization, we could have re-used the
    +        # dumped value during unpickling, but this requires using "pickle.loads()" which is
    +        # flagged as insecure by some security tools.
             try:
    -            pickled_value = pickle.dumps(self.value)
    +            pickle.dumps(self.value)
             except pickle.PickleError:
                 return (RecordException, (self.type, None, None))
             else:
    -            return (RecordException._from_pickled_value, (self.type, pickled_value, None))
    -
    -    @classmethod
    -    def _from_pickled_value(cls, type_, pickled_value, traceback_):
    -        try:
    -            value = pickle.loads(pickled_value)
    -        except pickle.PickleError:
    -            return cls(type_, None, traceback_)
    -        else:
    -            return cls(type_, value, traceback_)
    +            return (RecordException, (self.type, self.value, None))
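Review bot: The fallback in `__reduce__` still only triggers on `pickle.PickleError` at the `except` after the probe `pickle.dumps(self.value)`, so a value with no pickle support at all — `pickle.dumps` raises `TypeError` for objects holding native handles (e.g. "cannot pickle '_thread.lock' object") and, on some Python versions, `AttributeError` for local classes — escapes the probe and fails the enqueue instead of degrading to `(self.type, None, None)`; `except (pickle.PickleError, TypeError, AttributeError):` keeps the fallback meaningful. The new comment should also record the trade-off that removing `_from_pickled_value` makes: the record is still unpickled wherever the `enqueue=True` consumer reads it (not visible in this hunk), so a value that pickles but fails to unpickle now raises there rather than being replaced by `None`, which is what the xfail test added in tests/test_add_option_enqueue.py documents; a line such as `# A value that pickles but fails to unpickle is no longer caught here; it raises on the consumer side.` would make that explicit. Dropping `pickle.loads` from this file satisfies the scanner but does not remove deserialization of user-supplied exception values from the enqueue path, which is worth stating so the change is not read as a hardening of that boundary. The enclosing `RecordException` class starts outside the hunk.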
    
  • tests/test_add_option_enqueue.py+25 3 modified
    @@ -191,8 +191,7 @@ def slow_sink(message):
         assert err == "".join("%d\n" % i for i in range(10))
     
     
    -@pytest.mark.parametrize("arg", [NotPicklable(), NotUnpicklable()])
    -def test_logging_not_picklable_exception(arg):
    +def test_logging_not_picklable_exception():
         exception = None
     
         def sink(message):
    @@ -202,7 +201,30 @@ def sink(message):
         logger.add(sink, enqueue=True, catch=False)
     
         try:
    -        raise ValueError(arg)
    +        raise ValueError(NotPicklable())
    +    except Exception:
    +        logger.exception("Oups")
    +
    +    logger.remove()
    +
    +    type_, value, traceback_ = exception
    +    assert type_ is ValueError
    +    assert value is None
    +    assert traceback_ is None
    +
    +
    +@pytest.mark.xfail(reason="No way to safely deserialize exception yet")
    +def test_logging_not_unpicklable_exception():
    +    exception = None
    +
    +    def sink(message):
    +        nonlocal exception
    +        exception = message.record["exception"]
    +
    +    logger.add(sink, enqueue=True, catch=False)
    +
    +    try:
    +        raise ValueError(NotUnpicklable())
         except Exception:
             logger.exception("Oups")
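Review bot: `test_logging_not_unpicklable_exception` is marked `xfail` without `strict=True` or `raises=`, so once deserialization is handled the test will XPASS silently, and until then any unrelated failure in its body (the `logger.add(sink, enqueue=True, catch=False)` setup or the unpacking of `exception`) is also swallowed as "expected"; `@pytest.mark.xfail(reason="No way to safely deserialize exception yet", strict=True)` turns it back into a signal. The split into two near-identical functions also duplicates the sink and setup lines that the removed `parametrize` shared; keeping the parametrization and marking only the second input, `pytest.param(NotUnpicklable(), marks=pytest.mark.xfail(reason="No way to safely deserialize exception yet", strict=True))`, would keep one body. Both test bodies continue past the end of the hunk.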
     
    


References

6
