Mailman 3 - Security-announce

[CVE-2024-3220] Default mimetype known files writeable on Windows
by Seth Larson Feb. 14, 2025

Feb. 14, 2025

There is a LOW severity vulnerability affecting CPython. There is a defect in the CPython standard library module “mimetypes” where on Windows the default list of known file locations are writable meaning other users can create invalid files to cause MemoryError to be raised on Python runtime startup or have file extensions be interpreted as the incorrect file type. This defect is caused by the default locations of Linux and macOS platforms (such as “/etc/mime.types”) also being used on Windows, where they are user-writable locations (“C:\etc\mime.types”). To work-around this issue a user can call mimetypes.init() with an empty list (“[]”) on Windows platforms to avoid using the default list of known file locations. There is no patch available yet, the CVE will be updated once there is a fixed version. Please see the linked CVE ID for the latest information on affected versions: https://www.cve.org/CVERecord?id=CVE-2024-3220

1 0

[CVE-2025-0938] URL parser allowed square brackets in domain names
by Seth Larson Jan. 31, 2025

Jan. 31, 2025

There is a new MEDIUM severity vulnerability affecting CPython. The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2025-0938 * https://github.com/python/cpython/pull/129418

1 0

[CVE-2024-12254] Unbounded memory buffering in SelectorSocketTransport.writelines()
by Seth Larson Dec. 6, 2024

Dec. 6, 2024

There is a HIGH severity vulnerability affecting CPython. Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users, you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using .writelines() method which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true then your usage of Python is unaffected. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2024-12254 * https://github.com/python/cpython/pull/127656

1 0

[CVE-2024-11168] Improper validation of IPv6 and IPvFuture addresses
by Seth Larson Nov. 12, 2024

Nov. 12, 2024

There is a MEDIUM severity vulnerability affecting CPython. The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/cverecord?id=CVE-2024-11168 * https://github.com/python/cpython/pull/103849

1 0

[CVE-2024-9287] Virtual environment (venv) activation scripts don't quote paths
by Seth Larson Oct. 22, 2024

Oct. 22, 2024

There is a MEDIUM severity vulnerability affecting CPython. A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the virtual environment creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2024-9287 * https://github.com/python/cpython/pull/124712

1 0

[CVE-2024-6232] Regular-expression DoS when parsing TarFile headers
by Seth Larson Sept. 3, 2024

Sept. 3, 2024

There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2024-6232 * https://github.com/python/cpython/pull/121286

1 0

[CVE-2024-8088] Infinite loop when iterating over zip archive entry names
by Seth Larson Aug. 26, 2024

Aug. 26, 2024

There is a HIGH severity vulnerability affecting the CPython "zipfile" module. When iterating over names of entries in a zip archive (for example, methods of "zipfile.ZipFile" like "namelist()", "iterdir()", "extractall()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2024-8088 * https://github.com/python/cpython/pull/122906 * https://github.com/python/cpython/issues/122905

1 1

[CVE-2024-7592] Quadratic complexity parsing cookies with backslashes
by Seth Larson Aug. 19, 2024

Aug. 19, 2024

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2024-7592 * https://github.com/python/cpython/pull/123075 * https://github.com/python/cpython/issues/123067

1 0

[CVE-2024-6923] Email header injection due to unquoted newlines
by Seth Larson Aug. 1, 2024

Aug. 1, 2024

There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. Please see the linked CVE for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2024-6923 * https://github.com/python/cpython/pull/122233 * https://github.com/python/cpython/issues/121650

1 0

[CVE-2024-3219] Pure-Python fallback of socket.socketpair() doesn’t authenticate peer connection
by Seth Larson July 29, 2024

July 29, 2024

There is a MEDIUM severity vulnerability affecting CPython. The “socket” module provides a pure-Python fallback to the socket.socketpair() function for platforms that don’t support AF_UNIX, such as Windows. This pure-Python implementation uses AF_INET or AF_INET6 to create a local connected pair of sockets. The connection between the two sockets was not verified before passing the two sockets back to the user, which leaves the server socket vulnerable to a connection race from a malicious local peer. Platforms that support AF_UNIX such as Linux and macOS are not affected by this vulnerability. Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2024-3219 * https://github.com/python/cpython/pull/122134 * https://github.com/python/cpython/issues/122133

1 0

[CVE-2024-5642] Buffer over-read in SSLContext.set_npn_protocols() for Python 3.9 and earlier
by Seth Larson June 27, 2024

June 27, 2024

There is a buffer over-read defect in CPython 3.9 and earlier due to not excluding an invalid value for OpenSSL's NPN APIs. This vulnerability is of severity *LOW*. CPython doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE -2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured). Suggested mitigation is one of the following: * Upgrade to Python 3.10 or later where NPN isn't supported * Avoid using NPN via SSLContext.set_npn_protocols() * Avoid providing an empty list as a parameter to SSLContext.set_npn_protocols()

1 0

[CVE-2024-0397] Memory race condition in ssl.SSLContext certificate store methods
by Seth Larson June 17, 2024

June 17, 2024

A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5. Severity: Low References - https://github.com/python/cpython/issues/114572 - https://github.com/python/cpython/pull/114573

1 0

[CVE-2024-4032] Incorrect IPv4 and IPv6 private ranges
by Seth Larson June 17, 2024

June 17, 2024

The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the 'is_private' and 'is_global' properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior. Severity: Medium References - https://github.com/python/cpython/issues/113171 - https://github.com/python/cpython/pull/113179 - https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-speci… - https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-speci…

1 0

[CVE-2024-4030] tempfile.mkdtemp() may be readable and writeable by all users on Windows
by Seth Larson May 9, 2024

May 9, 2024

On Windows a directory returned by tempfile.mkdtemp() would not always have permissions set to restrict reading and writing to the temporary directory by other users, instead usually inheriting the correct permissions from the default location. Alternate configurations or users without a profile directory may not have the intended permissions. If you’re not using Windows or haven’t changed the temporary directory location then you aren’t affected by this vulnerability. On other platforms the returned directory is consistently readable and writable only by the current user. This issue was caused by Python not supporting Unix permissions on Windows. The fix adds support for Unix “700” for the mkdir function on Windows which is used by mkdtemp() to ensure the newly created directory has the proper permissions. The fix will be made available in CPython versions 3.13.0b1 and 3.12.4. Backports are pending for other security release streams. Severity: Medium Issue: https://github.com/python/cpython/issues/118486 Patch: https://github.com/python/cpython/commit/81939dad77001556c527485d31a2d0f4a7… Patch: https://github.com/python/cpython/commit/8ed546679524140d8282175411fd141fe7…

2 1

[CVE-2023-6597] tempfile.TemporaryDirectory dereferences symlinks during cleanup
by Ee Durbin March 19, 2024

March 19, 2024

An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances. *References* * CVE: https://www.cve.org/CVERecord?id=CVE-2023-6597 * Patch: https://github.com/python/cpython/pull/99930 * Issue: https://github.com/python/cpython/issues/91133

1 0

[CVE-2024-0450] Quoted zip-bomb protection for zipfile
by Ee Durbin March 19, 2024

March 19, 2024

An issue was found in the CPython `zipfile` module affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive. *References* * CVE: https://www.cve.org/CVERecord?id=CVE-2024-0450 * Patch: https://github.com/python/cpython/pull/110016 * Issue: https://github.com/python/cpython/issues/109858

1 0

[CVE-2023-6507] Groups not dropped before running subprocess when using empty 'extra_groups' parameter
by Seth Larson Dec. 8, 2023

Dec. 8, 2023

An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases. It's recommended that if you are affected to upgrade to the latest CPython 3.12.1. *Affected usages:* When using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list. This issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`). *References:* - CVE: https://www.cve.org/CVERecord?id=CVE-2023-6507 - Patch: https://github.com/python/cpython/pull/112617 - Issue: https://github.com/python/cpython/issues/112334

1 0

[CVE-2023-5752] Mercurial configuration injectable in repo revision when installing via pip
by Seth Larson Oct. 24, 2023

Oct. 24, 2023

When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing Mercurial VCS URLs. This is a *MEDIUM* severity vulnerability. *Affected versions:* pip before v23.3 are affected by this vulnerability. *Remediation:* - Upgrade to at least pip v23.3 - Don't clone Mercurial repositories or allow uncontrolled input to the target Mercurial URL and revision. *References:* - https://www.cve.org/CVERecord?id=CVE-2023-5752 - https://github.com/pypa/pip/pull/12306

1 0

[CVE-2022-48560] Use-after-free in heappushpop() of heapq module
by Seth Larson Aug. 28, 2023

Aug. 28, 2023

This vulnerability was reported to MITRE without a report to the Python Security Response Team (security(a)python.org). Thanks to *Samuel Henrique* for reporting this vulnerability to the PSRT for a proper advisory to be published. Reports for vulnerabilities in Python should be sent to the PSRT to ensure an advisory is published properly. *Description* A use-after-free exists in Python through 3.9 via heappushpop in heapq. *Affected versions* - Python 3.9.0a1 to 3.9.0a2 * - Python 3.8.0 to 3.8.1 - Python 3.7.0 to 3.7.6 ** - Python 3.6.10 and earlier ** * *Pre-release versions of Python are not recommended for production use.* ** *Note that Python 3.7.17 and earlier will not be receiving an upstreamsecurity fix due to being end-of-life* ( https://devguide.python.org/versions) contact your distributor of Python for additional guidance. *Remediation and work-arounds* - Upgrade to Python 3.9.0, 3.8.2, 3.7.7, or 3.6.11. - Apply a patch for your corresponding version of Python Patches are available for all supported feature, bugfix, and security branches of Python: - main: https://github.com/python/cpython/commit/79f89e6e5a659846d1068e8b1bd8e491cc… - 3.8: https://github.com/python/cpython/commit/993811ffe75c2573f97fb3fd1414b34609… - 3.7: https://github.com/python/cpython/commit/958064f8d2b84062b0582bbae911df8ccf… - 3.6: https://github.com/python/cpython/commit/c563f409ea30bcb0623d785428c9257917… *References* - https://www.cve.org/CVERecord?id=CVE-2022-48560 - https://bugs.python.org/issue39421 - https://github.com/python/cpython/pull/18118 *Credits* - Reporter: Samuel Henrique

1 0

[CVE-2022-48564] DoS when reading malformed Apple Property List files in binary format
by Seth Larson Aug. 28, 2023

Aug. 28, 2023

This vulnerability was reported to MITRE without a report to the Python Security Response Team (security(a)python.org). Thanks to *Samuel Henrique* for reporting this vulnerability to the PSRT for a proper advisory to be published. Reports for vulnerabilities in Python should be sent to the PSRT to ensure an advisory is published properly. <https://gist.github.com/#description>Description read_ints in plistlib.py in Python 3.9.0, 3.8.6 to 3.8.6, 3.7.0 to 3.7.9, and 3.6.13 and earlier is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format. <https://gist.github.com/#affected-versions>Affected versions - Python 3.9.0a1 to 3.9.0 - Python 3.8.0 to 3.8.6 - Python 3.7.0 to 3.7.9 ** - Python 3.6.13 and earlier ** ** *Note that Python 3.7.17 and earlier are end-of-life (https://devguide.python.org/versions <https://devguide.python.org/versions>)* contact your distributor of Python for additional guidance. <https://gist.github.com/#remediation-and-work-arounds>Remediation and work-arounds - Upgrade to Python 3.9.1, 3.8.7, 3.7.10, or 3.6.13 - Apply a patch for your corresponding version of Python Patches are available for all supported feature, bugfix, and security branches of Python: - main: 34637a0ce21e7261b952fbd9d006474cc29b681f <https://github.com/python/cpython/commit/34637a0ce21e7261b952fbd9d006474cc2…> - 3.9: e277cb76989958fdbc092bf0b2cb55c43e86610a <https://github.com/python/cpython/commit/e277cb76989958fdbc092bf0b2cb55c43e…> - 3.8: 547d2bcc55e348043b2f338027c1acd9549ada76 <https://github.com/python/cpython/commit/547d2bcc55e348043b2f338027c1acd954…> - 3.7: 225e3659556616ad70186e7efc02baeebfeb5ec4 <https://github.com/python/cpython/commit/225e3659556616ad70186e7efc02baeebf…> - 3.6: a63234c49b2fbfb6f0aca32525e525ce3d43b2b4 <https://github.com/python/cpython/commit/a63234c49b2fbfb6f0aca32525e525ce3d…> <https://gist.github.com/#references>References - https://www.cve.org/CVERecord?id=CVE-2022-48564 - https://bugs.python.org/issue42103 - https://github.com/python/cpython/pull/22882 <https://gist.github.com/#credits>Credits - Reporter: Samuel Henrique

1 0

[CVE-2023-40217] Bypass TLS handshake on closed sockets
by Seth Larson Aug. 24, 2023

Aug. 24, 2023

Description Instances of ssl.SSLSocket are vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data if the socket is closed before initiating its own handshake. This vulnerability is of severity: *HIGH*. The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peers’ TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred. Affected usages This vulnerability *primarily affects* HTTPS servers and other server-side protocols using TLS client authentication (such as mTLS) due to requiring reading data immediately after the handshake to be vulnerable. Operations which would fail on a closed socket (like sending data) immediately after the handshake are not affected by this vulnerability. Because disconnecting the socket is a necessary step to trigger the vulnerability *there is no risk of data exfiltration or data leakage directly from the malicious TLS connection*, however the vulnerability *does* carry risk for modifying or deleting resources which are authenticated using only TLS client certificates. This vulnerability *affects* clients who are reading and processing data from the server after a TLS handshake without sending any data first. Our team is unaware of a protocol that uses TLS that fits this usage pattern. This vulnerability *does not affect* client-side HTTPS connections like pip or requests as an HTTP request must be sent before an HTTP response is read meaning the connection would already be closed by the time the client is sending an HTTP request, leading to an error. This vulnerability *affects, but has no impact* on servers that aren’t using TLS client certificate authentication as traffic to a non-authenticating TLS server loses nothing from a bypassed handshake to inject a query and close the connection as the same action could be taken by a peer using a TLS connection with a proper handshake. Affected versions - Python 3.12.0a1 to 3.12.0rc1 * - Python 3.11.0 to 3.11.4 - Python 3.10.0 to 3.10.12 - Python 3.9.0 to 3.9.17 - Python 3.8.0 to 3.8.17 - Python 3.7.17 and earlier ** * Note that Python 3.12.0rc2 will not be published for a few weeks. *Pre-release versions of Python are not recommended for production use.* ** *Note that Python 3.7.17 and earlier will not be receiving an upstream security fix due to being end-of-life <https://devguide.python.org/versions/#versions>,* contact your distributor of Python for additional guidance. Remediation and work-arounds - Upgrade to Python 3.11.5, 3.10.13, 3.9.18, or 3.8.18. - Apply a patch for your corresponding version of Python. - Add a call to SSLSocket.getpeername() after calling SSLSocket.wrap_socket() before any calls to SSLSocket.recv(). This call to getpeername() will raise an OSError if the socket isn’t connected thus mitigating the vulnerability. Patches are available for all affected feature, bugfix, and security branches of Python: - main: 0cb0c238d520a8718e313b52cffc356a5a7561bf <https://github.com/python/cpython/commit/0cb0c238d520a8718e313b52cffc356a5a…> - 3.12: 256586ab8776e4526ca594b4866b9a3492e628f1 <https://github.com/python/cpython/commit/256586ab8776e4526ca594b4866b9a3492…> - 3.11: 75a875e0df0530b75b1470d797942f90f4a718d3 <https://github.com/python/cpython/commit/75a875e0df0530b75b1470d797942f90f4…> - 3.10: 37d7180cb647f0bed0c1caab0037f3bc82e2af96 <https://github.com/python/cpython/commit/37d7180cb647f0bed0c1caab0037f3bc82…> - 3.9: 264b1dacc67346efa0933d1e63f622676e0ed96b <https://github.com/python/cpython/commit/264b1dacc67346efa0933d1e63f622676e…> - 3.8: b4bcc06a9cfe13d96d5270809d963f8ba278f89b <https://github.com/python/cpython/commit/b4bcc06a9cfe13d96d5270809d963f8ba2…> Additional patches to stabilize the test suite may also be applied to all versions: - 64f99350351bc46e016b2286f36ba7cd669b79e3 <https://github.com/python/cpython/commit/64f99350351bc46e016b2286f36ba7cd66…> - 592bacb6fc0833336c0453e818e9b95016e9fd47 <https://github.com/python/cpython/commit/592bacb6fc0833336c0453e818e9b95016…> References - https://github.com/python/cpython/issues/108310 - https://github.com/python/cpython/pull/108315 Credits - Reporter: Aapo Oksman - Remediation Developer: Gregory P. Smith - Remediation Reviewer: Thomas Wouters - Coordinator: Seth Michael Larson Timeline - August 8,2023: Reported by Aapo Oksman to security(a)python.org. - August 8, 2023: Acknowledged the report. - August 9, 2023: Acknowledgement of the vulnerability, sent CVE ID request to MITRE. - August 10, 2023: CVE-2023-40217 assigned by MITRE. - August 15, 2023: Patch authored by Gregory P Smith, reviewed by Thomas Wouters. - August 22, 2023: Patch applied to feature and security branches by Łukasz Langa. - August 24, 2023: Python 3.11.5, 3.10.13, 3.9.18, 3.8.18 are published containing the fix for CVE-2023-40217. - August 24, 2023: Advisory published.

1 0

[CVE-2023-41105] os.path.normpath() truncates on null bytes
by Seth Larson Aug. 24, 2023

Aug. 24, 2023

Description Passing a path with null bytes to the os.path.normpath() function causes the returned path to be unexpectedly truncated at the first occurrence of null bytes within the path. Python versions before 3.11.0 didn’t truncate the path on null bytes. This vulnerability is of severity: *MEDIUM*. If allowlisting is applied before a call to os.path.normpath() is used later in the program, the allowlisting can be circumvented if the path containing null bytes is constructed to pass the allowlist but then change to the targeted resource after truncation. <https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#a…>Affected versions - Python 3.12.0a1 to 3.12.0rc1 * - Python 3.11.0 to 3.11.4 * Note that Python 3.12.0rc2 will not be published for approximately two weeks. *Pre-release versions of Python are not recommended for production use*. <https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#r…>Remediation and Work-arounds - Upgrade to Python 3.12.0rc2 or 3.11.5 - Apply the patch for your version of Python. - Do all path normalization before making security critical decisions like allowlisting to avoid truncation having an impact on the application. Patches are available for all supported feature and security branches of Python: - main: 0cb0c238d520a8718e313b52cffc356a5a7561bf <https://github.com/python/cpython/commit/0cb0c238d520a8718e313b52cffc356a5a…> - 3.12: 256586ab8776e4526ca594b4866b9a3492e628f1 <https://github.com/python/cpython/commit/256586ab8776e4526ca594b4866b9a3492…> - 3.11: 75a875e0df0530b75b1470d797942f90f4a718d3 <https://github.com/python/cpython/commit/75a875e0df0530b75b1470d797942f90f4…> <https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#r…> References - https://github.com/python/cpython/issues/106242 - https://github.com/python/cpython/pull/106816 <https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#c…> Credits - Finder: Noriko Totsuka of JPCERT/CC - Finder: Masashi Yamane of LAC Co., Ltd - Reporter: Delta Regeer - Remediation Developer: Finn Womack - Remediation Reviewer: Steve Dower - Coordinator: Seth Michael Larson <https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#t…> Timeline - June 29,2023: Issue opened on python/cpython GitHub repository. - July 16th, 2023: Patch authored by Finn Womack. - August 14, 2023: Patch reviewed and applied to all branches by Steve Dower. - August 21, 2023: Issue reported to security(a)python.org as a security issue. - August 21, 2023: Acknowledgement of the vulnerability, sent CVE ID request to MITRE. - August 23, 2023: CVE-2023-41105 assigned by MITRE. - August 24, 2023: Python 3.11.5 is released containing the fix for CVE-2023-41105. - August 24, 2023: Advisory is published.

2 1

Incident Report: Malicious takeover of ctx project on PyPI
by ee＠python.org May 24, 2022

May 24, 2022

Takeover of the ctx project was reported on multiple channels overnight and was mitigated as of 6:07 AM Eastern. We confirmed via investigation that this compromise was of a single user account due to re-registration over an expired domain. The domain that hosted the users email address was re-registered 2022-05-14T18:40:05Z and a password reset completed successfully for the user at 2022-05-14T18:52:40Z. Original releases were then deleted and malicious copies uploaded. PyPI itself was not directly compromised. Read the full incident report at https://python-security.readthedocs.io/pypi-vuln/index-2022-05-24-ctx-domai… -Ee Durbin Director of Infrastructure Python Software Foundation

1 0

[CVE-2015-20107] Shell injection in mailcap module
by Steve Dower April 13, 2022

April 13, 2022

CVE-2015-20107 has been assigned for an issue previously reported against the mailcap module. The mailcap module reads registered commands on Linux systems to determine how to launch certain file types. The Python module does not add additional escape characters to these commands, which may allow an attacker to provide file paths or parameters that include additional shell commands. These may be executed during mailcap.find_match() depending on the system's configuration. All users of the mailcap module in any version of CPython may be impacted. No patch is currently available, and the module is likely to be deprecated due to lack of an active maintainer. Please visit the issue tracker at the link below to join the discussion if you are able to assist. To mitigate, applications that use this module should verify user input before passing it to the mailcap module, and the returned command before executing it. Issue: https://github.com/python/cpython/issues/68966 Discussions to security-sig(a)python.org. Cheers, Steve Dower Python Security Response Team

1 0

[CVE-2022-26488] Escalation of privilege via Windows installer
by Steve Dower March 7, 2022

March 7, 2022

CVE-2022-26488 is an escalation of privilege vulnerability in the Windows installer for the following releases of CPython: * 3.11.0a6 and earlier * 3.10.2 and earlier * 3.9.10 and earlier * 3.8.12 and earlier * 3.7.12 and earlier * All end-of-life releases of 3.5 and 3.6 The vulnerability exists when installed for all users with the "Add Python to PATH" option selected. A local user without administrative permissions can trigger a repair operation of this PATH option to add incorrect additional paths to the system PATH variable, and then use search path hijacking to achieve escalation of privilege. Per-user installs (the default) are also affected, but cannot be used for escalation of privilege. Besides updating, this vulnerability may be mitigated by modifying an existing install to disable the "Add Python to PATH" or "Add Python to environment variables" option. Manually adding the install directory to PATH is not affected. Issue: https://bugs.python.org/issue46948 Patches * main: https://github.com/python/cpython/pull/31726 * 3.10: https://github.com/python/cpython/pull/31727 * 3.9: https://github.com/python/cpython/pull/31728 * 3.8: https://github.com/python/cpython/pull/31729 * 3.7: https://github.com/python/cpython/pull/31730 The next patched releases on python.org will be 3.11.0b1, 3.10.3 and 3.9.11 with installers, and 3.8.13 and 3.7.13 as source code only. Thanks to the Lockheed Martin Red Team for detecting and reporting the issue to the Python Security Response Team. Discussion to security-sig(a)python.org. Cheers, Steve Dower Python Security Response Team

1 0