Mailman 3 - Security-announce

[CVE-2023-5752] Mercurial configuration injectable in repo revision when installing via pip
by Seth Larson 25 Oct '23

25 Oct '23

When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing Mercurial VCS URLs. This is a *MEDIUM* severity vulnerability. *Affected versions:* pip before v23.3 are affected by this vulnerability. *Remediation:* - Upgrade to at least pip v23.3 - Don't clone Mercurial repositories or allow uncontrolled input to the target Mercurial URL and revision. *References:* - https://www.cve.org/CVERecord?id=CVE-2023-5752 - https://github.com/pypa/pip/pull/12306

1 0

[CVE-2022-48560] Use-after-free in heappushpop() of heapq module
by Seth Larson 29 Aug '23

29 Aug '23

This vulnerability was reported to MITRE without a report to the Python Security Response Team (security(a)python.org). Thanks to *Samuel Henrique* for reporting this vulnerability to the PSRT for a proper advisory to be published. Reports for vulnerabilities in Python should be sent to the PSRT to ensure an advisory is published properly. *Description* A use-after-free exists in Python through 3.9 via heappushpop in heapq. *Affected versions* - Python 3.9.0a1 to 3.9.0a2 * - Python 3.8.0 to 3.8.1 - Python 3.7.0 to 3.7.6 ** - Python 3.6.10 and earlier ** * *Pre-release versions of Python are not recommended for production use.* ** *Note that Python 3.7.17 and earlier will not be receiving an upstreamsecurity fix due to being end-of-life* ( https://devguide.python.org/versions) contact your distributor of Python for additional guidance. *Remediation and work-arounds* - Upgrade to Python 3.9.0, 3.8.2, 3.7.7, or 3.6.11. - Apply a patch for your corresponding version of Python Patches are available for all supported feature, bugfix, and security branches of Python: - main: https://github.com/python/cpython/commit/79f89e6e5a659846d1068e8b1bd8e491cc… - 3.8: https://github.com/python/cpython/commit/993811ffe75c2573f97fb3fd1414b34609… - 3.7: https://github.com/python/cpython/commit/958064f8d2b84062b0582bbae911df8ccf… - 3.6: https://github.com/python/cpython/commit/c563f409ea30bcb0623d785428c9257917… *References* - https://www.cve.org/CVERecord?id=CVE-2022-48560 - https://bugs.python.org/issue39421 - https://github.com/python/cpython/pull/18118 *Credits* - Reporter: Samuel Henrique

1 0

[CVE-2022-48564] DoS when reading malformed Apple Property List files in binary format
by Seth Larson 28 Aug '23

28 Aug '23

This vulnerability was reported to MITRE without a report to the Python Security Response Team (security(a)python.org). Thanks to *Samuel Henrique* for reporting this vulnerability to the PSRT for a proper advisory to be published. Reports for vulnerabilities in Python should be sent to the PSRT to ensure an advisory is published properly. <https://gist.github.com/#description>Description read_ints in plistlib.py in Python 3.9.0, 3.8.6 to 3.8.6, 3.7.0 to 3.7.9, and 3.6.13 and earlier is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format. <https://gist.github.com/#affected-versions>Affected versions - Python 3.9.0a1 to 3.9.0 - Python 3.8.0 to 3.8.6 - Python 3.7.0 to 3.7.9 ** - Python 3.6.13 and earlier ** ** *Note that Python 3.7.17 and earlier are end-of-life (https://devguide.python.org/versions <https://devguide.python.org/versions>)* contact your distributor of Python for additional guidance. <https://gist.github.com/#remediation-and-work-arounds>Remediation and work-arounds - Upgrade to Python 3.9.1, 3.8.7, 3.7.10, or 3.6.13 - Apply a patch for your corresponding version of Python Patches are available for all supported feature, bugfix, and security branches of Python: - main: 34637a0ce21e7261b952fbd9d006474cc29b681f <https://github.com/python/cpython/commit/34637a0ce21e7261b952fbd9d006474cc2…> - 3.9: e277cb76989958fdbc092bf0b2cb55c43e86610a <https://github.com/python/cpython/commit/e277cb76989958fdbc092bf0b2cb55c43e…> - 3.8: 547d2bcc55e348043b2f338027c1acd9549ada76 <https://github.com/python/cpython/commit/547d2bcc55e348043b2f338027c1acd954…> - 3.7: 225e3659556616ad70186e7efc02baeebfeb5ec4 <https://github.com/python/cpython/commit/225e3659556616ad70186e7efc02baeebf…> - 3.6: a63234c49b2fbfb6f0aca32525e525ce3d43b2b4 <https://github.com/python/cpython/commit/a63234c49b2fbfb6f0aca32525e525ce3d…> <https://gist.github.com/#references>References - https://www.cve.org/CVERecord?id=CVE-2022-48564 - https://bugs.python.org/issue42103 - https://github.com/python/cpython/pull/22882 <https://gist.github.com/#credits>Credits - Reporter: Samuel Henrique

1 0

[CVE-2023-40217] Bypass TLS handshake on closed sockets
by Seth Larson 25 Aug '23

25 Aug '23

Description Instances of ssl.SSLSocket are vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data if the socket is closed before initiating its own handshake. This vulnerability is of severity: *HIGH*. The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peers’ TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred. Affected usages This vulnerability *primarily affects* HTTPS servers and other server-side protocols using TLS client authentication (such as mTLS) due to requiring reading data immediately after the handshake to be vulnerable. Operations which would fail on a closed socket (like sending data) immediately after the handshake are not affected by this vulnerability. Because disconnecting the socket is a necessary step to trigger the vulnerability *there is no risk of data exfiltration or data leakage directly from the malicious TLS connection*, however the vulnerability *does* carry risk for modifying or deleting resources which are authenticated using only TLS client certificates. This vulnerability *affects* clients who are reading and processing data from the server after a TLS handshake without sending any data first. Our team is unaware of a protocol that uses TLS that fits this usage pattern. This vulnerability *does not affect* client-side HTTPS connections like pip or requests as an HTTP request must be sent before an HTTP response is read meaning the connection would already be closed by the time the client is sending an HTTP request, leading to an error. This vulnerability *affects, but has no impact* on servers that aren’t using TLS client certificate authentication as traffic to a non-authenticating TLS server loses nothing from a bypassed handshake to inject a query and close the connection as the same action could be taken by a peer using a TLS connection with a proper handshake. Affected versions - Python 3.12.0a1 to 3.12.0rc1 * - Python 3.11.0 to 3.11.4 - Python 3.10.0 to 3.10.12 - Python 3.9.0 to 3.9.17 - Python 3.8.0 to 3.8.17 - Python 3.7.17 and earlier ** * Note that Python 3.12.0rc2 will not be published for a few weeks. *Pre-release versions of Python are not recommended for production use.* ** *Note that Python 3.7.17 and earlier will not be receiving an upstream security fix due to being end-of-life <https://devguide.python.org/versions/#versions>,* contact your distributor of Python for additional guidance. Remediation and work-arounds - Upgrade to Python 3.11.5, 3.10.13, 3.9.18, or 3.8.18. - Apply a patch for your corresponding version of Python. - Add a call to SSLSocket.getpeername() after calling SSLSocket.wrap_socket() before any calls to SSLSocket.recv(). This call to getpeername() will raise an OSError if the socket isn’t connected thus mitigating the vulnerability. Patches are available for all affected feature, bugfix, and security branches of Python: - main: 0cb0c238d520a8718e313b52cffc356a5a7561bf <https://github.com/python/cpython/commit/0cb0c238d520a8718e313b52cffc356a5a…> - 3.12: 256586ab8776e4526ca594b4866b9a3492e628f1 <https://github.com/python/cpython/commit/256586ab8776e4526ca594b4866b9a3492…> - 3.11: 75a875e0df0530b75b1470d797942f90f4a718d3 <https://github.com/python/cpython/commit/75a875e0df0530b75b1470d797942f90f4…> - 3.10: 37d7180cb647f0bed0c1caab0037f3bc82e2af96 <https://github.com/python/cpython/commit/37d7180cb647f0bed0c1caab0037f3bc82…> - 3.9: 264b1dacc67346efa0933d1e63f622676e0ed96b <https://github.com/python/cpython/commit/264b1dacc67346efa0933d1e63f622676e…> - 3.8: b4bcc06a9cfe13d96d5270809d963f8ba278f89b <https://github.com/python/cpython/commit/b4bcc06a9cfe13d96d5270809d963f8ba2…> Additional patches to stabilize the test suite may also be applied to all versions: - 64f99350351bc46e016b2286f36ba7cd669b79e3 <https://github.com/python/cpython/commit/64f99350351bc46e016b2286f36ba7cd66…> - 592bacb6fc0833336c0453e818e9b95016e9fd47 <https://github.com/python/cpython/commit/592bacb6fc0833336c0453e818e9b95016…> References - https://github.com/python/cpython/issues/108310 - https://github.com/python/cpython/pull/108315 Credits - Reporter: Aapo Oksman - Remediation Developer: Gregory P. Smith - Remediation Reviewer: Thomas Wouters - Coordinator: Seth Michael Larson Timeline - August 8,2023: Reported by Aapo Oksman to security(a)python.org. - August 8, 2023: Acknowledged the report. - August 9, 2023: Acknowledgement of the vulnerability, sent CVE ID request to MITRE. - August 10, 2023: CVE-2023-40217 assigned by MITRE. - August 15, 2023: Patch authored by Gregory P Smith, reviewed by Thomas Wouters. - August 22, 2023: Patch applied to feature and security branches by Łukasz Langa. - August 24, 2023: Python 3.11.5, 3.10.13, 3.9.18, 3.8.18 are published containing the fix for CVE-2023-40217. - August 24, 2023: Advisory published.

1 0

[CVE-2023-41105] os.path.normpath() truncates on null bytes
by Seth Larson 25 Aug '23

25 Aug '23

Description Passing a path with null bytes to the os.path.normpath() function causes the returned path to be unexpectedly truncated at the first occurrence of null bytes within the path. Python versions before 3.11.0 didn’t truncate the path on null bytes. This vulnerability is of severity: *MEDIUM*. If allowlisting is applied before a call to os.path.normpath() is used later in the program, the allowlisting can be circumvented if the path containing null bytes is constructed to pass the allowlist but then change to the targeted resource after truncation. <https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#a…>Affected versions - Python 3.12.0a1 to 3.12.0rc1 * - Python 3.11.0 to 3.11.4 * Note that Python 3.12.0rc2 will not be published for approximately two weeks. *Pre-release versions of Python are not recommended for production use*. <https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#r…>Remediation and Work-arounds - Upgrade to Python 3.12.0rc2 or 3.11.5 - Apply the patch for your version of Python. - Do all path normalization before making security critical decisions like allowlisting to avoid truncation having an impact on the application. Patches are available for all supported feature and security branches of Python: - main: 0cb0c238d520a8718e313b52cffc356a5a7561bf <https://github.com/python/cpython/commit/0cb0c238d520a8718e313b52cffc356a5a…> - 3.12: 256586ab8776e4526ca594b4866b9a3492e628f1 <https://github.com/python/cpython/commit/256586ab8776e4526ca594b4866b9a3492…> - 3.11: 75a875e0df0530b75b1470d797942f90f4a718d3 <https://github.com/python/cpython/commit/75a875e0df0530b75b1470d797942f90f4…> <https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#r…> References - https://github.com/python/cpython/issues/106242 - https://github.com/python/cpython/pull/106816 <https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#c…> Credits - Finder: Noriko Totsuka of JPCERT/CC - Finder: Masashi Yamane of LAC Co., Ltd - Reporter: Delta Regeer - Remediation Developer: Finn Womack - Remediation Reviewer: Steve Dower - Coordinator: Seth Michael Larson <https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#t…> Timeline - June 29,2023: Issue opened on python/cpython GitHub repository. - July 16th, 2023: Patch authored by Finn Womack. - August 14, 2023: Patch reviewed and applied to all branches by Steve Dower. - August 21, 2023: Issue reported to security(a)python.org as a security issue. - August 21, 2023: Acknowledgement of the vulnerability, sent CVE ID request to MITRE. - August 23, 2023: CVE-2023-41105 assigned by MITRE. - August 24, 2023: Python 3.11.5 is released containing the fix for CVE-2023-41105. - August 24, 2023: Advisory is published.

2 1

Incident Report: Malicious takeover of ctx project on PyPI
by ee＠python.org 25 May '22

25 May '22

Takeover of the ctx project was reported on multiple channels overnight and was mitigated as of 6:07 AM Eastern. We confirmed via investigation that this compromise was of a single user account due to re-registration over an expired domain. The domain that hosted the users email address was re-registered 2022-05-14T18:40:05Z and a password reset completed successfully for the user at 2022-05-14T18:52:40Z. Original releases were then deleted and malicious copies uploaded. PyPI itself was not directly compromised. Read the full incident report at https://python-security.readthedocs.io/pypi-vuln/index-2022-05-24-ctx-domai… -Ee Durbin Director of Infrastructure Python Software Foundation

1 0

[CVE-2015-20107] Shell injection in mailcap module
by Steve Dower 14 Apr '22

14 Apr '22

CVE-2015-20107 has been assigned for an issue previously reported against the mailcap module. The mailcap module reads registered commands on Linux systems to determine how to launch certain file types. The Python module does not add additional escape characters to these commands, which may allow an attacker to provide file paths or parameters that include additional shell commands. These may be executed during mailcap.find_match() depending on the system's configuration. All users of the mailcap module in any version of CPython may be impacted. No patch is currently available, and the module is likely to be deprecated due to lack of an active maintainer. Please visit the issue tracker at the link below to join the discussion if you are able to assist. To mitigate, applications that use this module should verify user input before passing it to the mailcap module, and the returned command before executing it. Issue: https://github.com/python/cpython/issues/68966 Discussions to security-sig(a)python.org. Cheers, Steve Dower Python Security Response Team

1 0

[CVE-2022-26488] Escalation of privilege via Windows installer
by Steve Dower 08 Mar '22

08 Mar '22

CVE-2022-26488 is an escalation of privilege vulnerability in the Windows installer for the following releases of CPython: * 3.11.0a6 and earlier * 3.10.2 and earlier * 3.9.10 and earlier * 3.8.12 and earlier * 3.7.12 and earlier * All end-of-life releases of 3.5 and 3.6 The vulnerability exists when installed for all users with the "Add Python to PATH" option selected. A local user without administrative permissions can trigger a repair operation of this PATH option to add incorrect additional paths to the system PATH variable, and then use search path hijacking to achieve escalation of privilege. Per-user installs (the default) are also affected, but cannot be used for escalation of privilege. Besides updating, this vulnerability may be mitigated by modifying an existing install to disable the "Add Python to PATH" or "Add Python to environment variables" option. Manually adding the install directory to PATH is not affected. Issue: https://bugs.python.org/issue46948 Patches * main: https://github.com/python/cpython/pull/31726 * 3.10: https://github.com/python/cpython/pull/31727 * 3.9: https://github.com/python/cpython/pull/31728 * 3.8: https://github.com/python/cpython/pull/31729 * 3.7: https://github.com/python/cpython/pull/31730 The next patched releases on python.org will be 3.11.0b1, 3.10.3 and 3.9.11 with installers, and 3.8.13 and 3.7.13 as source code only. Thanks to the Lockheed Martin Red Team for detecting and reporting the issue to the Python Security Response Team. Discussion to security-sig(a)python.org. Cheers, Steve Dower Python Security Response Team

1 0

Bug fixed in the bugs.python.org OAuth-based authentication: user logged as the wrong account
by Victor Stinner 16 Sep '21

16 Sep '21

Hi, A bug has been identified and *fixed* in the OAuth-based authentication code used on the Python bug tracker bugs.python.org (BPO) to log in with GitHub, Launchpad or Google. Under some conditions, it was possible to be logged as another person account. We are only aware of a single user affected by the issue. We are not aware of any account takeover. All bugs at bugs.python.org are public: being logged as the wrong account cannot give access to private bugs. The main risk is if an attacker could be logged as an administrator (the "Coordinator" role) which allows to change the bug tracker configuration and to change accounts (add/remove roles, see/change the email address, etc.). We are not aware of any abuse. All OAuth accounts have been removed in the database to fully fix the issue. Users using OAuth-based authentication must associate again (once) their GitHub, Launchpad or Google account with their BPO account. A BPO account contains the following information: Name, Login Name, GitHub Name, Organisation, Timezone, Homepage, Contributor Form Received, Is Committer, E-mail address, Alternate E-mail addresses. All fields but Name and Timezone are hidden to other accounts, only coordinators can see all fields of other accounts. You can check in the "Your Details" page for the your account change log. Thanks Ammar Askar, Berker Peksağ and Ee Durbin who fixed the bug! Source code of bugs.python.org (Roundup fork): https://github.com/psf/bpo-tracker-cpython The OAuth-based authentication is an extension written for bugs.python.org. The bug report and its fix: * https://github.com/python/bugs.python.org/issues/64 * https://github.com/psf/bpo-tracker-cpython/commit/0a32e072aafca20c0bf51cf16… Report issues with bugs.python.org: https://github.com/python/bugs.python.org/issues To report sensitive issues, write to: security(a)python.org Victor -- Night gathers, and now my watch begins. It shall not end until my death.

1 0

[CVE-2020-15523] Python uses invalid DLL path after calling Py_SetPath on Windows
by Steve Dower 07 Jul '20

07 Jul '20

CVE-2020-15523 is an invalid search path in Python 3.6 and later on Windows. It occurs during Py_Initialize() when the runtime attempts to pre-load python3.dll. If Py_SetPath() has been called, the expected location is not set, and locations elsewhere on the user's system will be searched. This issue is not triggered when running python.exe. It only applies when CPython has been embedded in another application. Issue: https://bugs.python.org/issue29778 Patch: https://github.com/python/cpython/pull/21297 The next patched releases will be: 3.9.0b5, 3.8.4, 3.7.9 (source only), 3.6.12 (source only) Other than applying the patch, applications may mitigate the vulnerability by explicitly calling LoadLibrary() on their copy of python3.dll before calling Py_Initialize(). Even with the patch applied, applications should include a copy of python3.dll alongside their main Python DLL. Thanks to Eric Gantumur for detecting and reporting the issue to the Python Security Response Team. Questions to security-sig(a)python.org or security(a)python.org. Cheers, Steve Dower Python Security Response Team

1 0