python3-jwt (2.3.0-1ubuntu0.1) contains pyjwt 2.4.0 metadata but installs the 2.3.0 library

Bug #1986487 reported by Leighton
Affects         Status        Importance   Assigned to   Milestone
pyjwt (Ubuntu)  Fix Released  Undecided    Unassigned

Bug Description

The security update version of this package contains the metadata for PyJWT 2.4.0, not for the 2.3.0 that it installs. This doesn't happen with the 2.3.0-1 package.

# dpkg -L python3-jwt
/.
/usr
/usr/lib
/usr/lib/python3
/usr/lib/python3/dist-packages
/usr/lib/python3/dist-packages/PyJWT-2.4.0.egg-info
/usr/lib/python3/dist-packages/PyJWT-2.4.0.egg-info/PKG-INFO
/usr/lib/python3/dist-packages/PyJWT-2.4.0.egg-info/dependency_links.txt
/usr/lib/python3/dist-packages/PyJWT-2.4.0.egg-info/not-zip-safe
/usr/lib/python3/dist-packages/PyJWT-2.4.0.egg-info/requires.txt
/usr/lib/python3/dist-packages/PyJWT-2.4.0.egg-info/top_level.txt
/usr/lib/python3/dist-packages/jwt
/usr/lib/python3/dist-packages/jwt/__init__.py
/usr/lib/python3/dist-packages/jwt/algorithms.py
/usr/lib/python3/dist-packages/jwt/api_jwk.py
/usr/lib/python3/dist-packages/jwt/api_jws.py
/usr/lib/python3/dist-packages/jwt/api_jwt.py
/usr/lib/python3/dist-packages/jwt/exceptions.py
/usr/lib/python3/dist-packages/jwt/help.py
/usr/lib/python3/dist-packages/jwt/jwks_client.py
/usr/lib/python3/dist-packages/jwt/py.typed
/usr/lib/python3/dist-packages/jwt/utils.py
/usr/share
/usr/share/doc
/usr/share/doc/python3-jwt
/usr/share/doc/python3-jwt/NEWS.Debian.gz
/usr/share/doc/python3-jwt/README.rst
/usr/share/doc/python3-jwt/changelog.Debian.gz
/usr/share/doc/python3-jwt/copyright

# dpkg -s python3-jwt
Package: python3-jwt
Status: install ok installed
Priority: optional
Section: python
Installed-Size: 82
Maintainer: Ubuntu Developers <email address hidden>
Architecture: all
Source: pyjwt
Version: 2.3.0-1ubuntu0.1
Depends: python3:any
Recommends: python3-cryptography
Suggests: python3-crypto
Description: Python 3 implementation of JSON Web Token
 PyJWT implements the JSON Web Token draft 01, a way of representing
 signed content using JSON data structures.
 .
 Supported algorithms for cryptographic signing:
 .
   * HS256 - HMAC using SHA-256 hash algorithm (default)
   * HS384 - HMAC using SHA-384 hash algorithm
   * HS512 - HMAC using SHA-512 hash algorithm
   * RS256 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-256 hash
     algorithm
   * RS384 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-384 hash
     algorithm
   * RS512 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-512 hash
     algorithm
 .
 Supported reserved claim names:
   - "exp" (Expiration Time) Claim
 .
 This package contains the Python 3 version of the library.
Homepage: https://github.com/jpadilla/pyjwt
Original-Maintainer: Debian Python Team <email address hidden>


Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Thanks for taking the time to report this bug and trying to make Ubuntu better.

You are right, in the latest security fix the patch includes the following:

```
--- a/jwt/__init__.py
+++ b/jwt/__init__.py
@@ -25,7 +25,7 @@
 )
 from .jwks_client import PyJWKClient

-__version__ = "2.3.0"
+__version__ = "2.4.0"

 __title__ = "PyJWT"
```
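Review bot: this hunk does not belong in the 2.3.0-1ubuntu0.1 backport. Changing `__version__ = "2.3.0"` to `"2.4.0"` is the upstream release bump, not part of the CVE-2022-29217 fix, and since the egg-info directory and its PKG-INFO are generated from `__version__` at build time, the built package advertises PyJWT 2.4.0 (the `PyJWT-2.4.0.egg-info` entries in the `dpkg -L` output above) while `dpkg -s` reports 2.3.0-1ubuntu0.1 and the code is the 2.3.0 release plus the CVE fix. Drop the hunk from debian/patches, or comment out the `__version__` line change, so `jwt.__version__`, the egg-info and the Debian version agree; otherwise anything that gates on `PyJWT>=2.4.0` for behaviour 2.3.0 lacks passes the version check and fails at runtime.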

Which bumps the version to 2.4.0. This is a security update regression; I believe we should have skipped this part to avoid bumping the version and backported just the relevant part of the CVE fix. I am subscribing the security team to see how we can sort this out.
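The mismatch Lucas describes (egg-info generated from the bumped `__version__` while dpkg still reports 2.3.0) can be caught mechanically across a whole dist-packages tree. The script below is an added example, not Ubuntu's packaging tooling or PyJWT's own code: it splits Debian version strings into `[epoch:]upstream[-revision]`, reads the version from each `.egg-info`/`.dist-info` directory, and flags entries whose metadata version differs from the upstream part of the owning deb's version. The `dpkg -S` / `dpkg-query -W` invocations are real dpkg commands; `run_sample()` substitutes a constructed directory tree and a fake lookup so the check runs without dpkg. The function names and the sample package `examplepkg` are the example's own, and the comparison is exact string equality after stripping repack suffixes such as `+dfsg`, which is an assumption that may need loosening for packages whose upstream version is written differently in the two places.

```python
"""Check that Python package metadata agrees with the deb that shipped it.

Added example for this bug report; not part of Ubuntu's tooling or PyJWT.
The sample tree and version strings in run_sample() are constructed to
mirror the dpkg -L / dpkg -s output in the report.
"""
import re
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, List, Optional, Tuple


def split_debian_version(version: str) -> Tuple[int, str, str]:
    """Split [epoch:]upstream[-debian_revision] into its three parts.

    The epoch ends at the first ':'; the revision starts at the last '-',
    so upstream versions that themselves contain '-' are handled.
    """
    epoch = 0
    if ":" in version:
        epoch_text, version = version.split(":", 1)
        epoch = int(epoch_text)
    upstream, dash, revision = version.rpartition("-")
    if not dash:  # native package: no Debian revision at all
        upstream, revision = revision, ""
    return epoch, upstream, revision


def upstream_base(upstream: str) -> str:
    """Drop repack suffixes (2.3.0+dfsg, 2.3.0~ds1) before comparing with
    the version that PKG-INFO / METADATA reports."""
    return re.split(r"[+~]", upstream, maxsplit=1)[0]


def metadata_version(info_dir: Path) -> Optional[str]:
    """Version recorded in .egg-info (PKG-INFO) or .dist-info (METADATA),
    falling back to the version embedded in the directory name."""
    for name in ("PKG-INFO", "METADATA"):
        meta = info_dir / name
        if meta.is_file():
            for line in meta.read_text(encoding="utf-8", errors="replace").splitlines():
                if line.startswith("Version:"):
                    return line.split(":", 1)[1].strip()
    match = re.match(r"^.+-([^-]+)\.(?:egg|dist)-info$", info_dir.name)
    return match.group(1) if match else None


def versions_agree(debian_version: str, python_version: str) -> bool:
    """True when the deb's upstream version equals the Python metadata version."""
    _, upstream, _ = split_debian_version(debian_version)
    return upstream_base(upstream) == python_version.strip()


def dpkg_version_of(path: Path) -> Optional[str]:
    """Installed version of the deb owning `path`; None if dpkg cannot tell.
    `dpkg -S` prints "pkg[, pkg2]: /path"; the first owner is used."""
    try:
        owner = subprocess.run(["dpkg", "-S", str(path)], capture_output=True,
                               text=True, check=True).stdout
        package = owner.split(":", 1)[0].split(",")[0].strip()
        version = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                                 capture_output=True, text=True, check=True).stdout
        return version.strip() or None
    except (OSError, subprocess.CalledProcessError):
        return None


def find_mismatches(dist_packages: Path,
                    version_lookup: Callable[[Path], Optional[str]] = dpkg_version_of,
                    ) -> List[Tuple[str, str, str]]:
    """(metadata dir, python version, debian version) for every
    egg-info/dist-info whose version disagrees with the deb that owns it."""
    mismatches = []
    for entry in sorted(dist_packages.iterdir()):
        if not entry.name.endswith((".egg-info", ".dist-info")):
            continue
        python_version = metadata_version(entry)
        debian_version = version_lookup(entry)
        if python_version is None or debian_version is None:
            continue  # pip-installed (not dpkg-managed) or unreadable metadata
        if not versions_agree(debian_version, python_version):
            mismatches.append((entry.name, python_version, debian_version))
    return mismatches


def run_sample() -> List[Tuple[str, str, str]]:
    """Constructed reproduction: a PyJWT-2.4.0.egg-info owned by
    python3-jwt 2.3.0-1ubuntu0.1, beside a package whose versions agree."""
    sample = {  # dir name -> (metadata file, metadata version, deb version)
        "PyJWT-2.4.0.egg-info": ("PKG-INFO", "2.4.0", "2.3.0-1ubuntu0.1"),
        "examplepkg-1.0.dist-info": ("METADATA", "1.0", "1.0-2ubuntu1"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for dirname, (meta_file, py_ver, _) in sample.items():
            (root / dirname).mkdir()
            (root / dirname / meta_file).write_text(
                f"Metadata-Version: 2.1\nName: {dirname.split('-')[0]}\nVersion: {py_ver}\n")
        fake_dpkg = lambda p: sample[p.name][2]  # stands in for dpkg -S / dpkg-query
        return find_mismatches(root, fake_dpkg)


if __name__ == "__main__":
    live = Path("/usr/lib/python3/dist-packages")
    for name, py_ver, deb_ver in (find_mismatches(live) if live.is_dir() else run_sample()):
        print(f"{name}: metadata says {py_ver}, dpkg says {deb_ver}")
```

On a jammy system with 2.3.0-1ubuntu0.1 installed the live scan prints the PyJWT line; after 2.3.0-1ubuntu0.2 the directory is named `PyJWT-2.3.0.egg-info` again and the scan is silent for it. Packages installed with pip rather than apt are skipped because `dpkg -S` knows no owner for them.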

Alex Murray (alexmurray) wrote :

Apologies, I overlooked this part of the patch when backporting it... I'll do an update which reverts this part of the patch.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pyjwt - 2.3.0-1ubuntu0.2

---------------
pyjwt (2.3.0-1ubuntu0.2) jammy-security; urgency=medium

  * SECURITY REGRESSION: Revert inadvertent package version bump to 2.4.0
    (LP: #1986487)
    - debian/patches/CVE-2022-29217.patch: Comment out the part which
      bumps the internal package version number to 2.4.0

 -- Alex Murray <email address hidden> Wed, 17 Aug 2022 10:05:29 +0930

Changed in pyjwt (Ubuntu):
status: New → Fix Released