Mailman 3 - Security-announce

[CVE-2024-5642] Buffer over-read in SSLContext.set_npn_protocols() for Python 3.9 and earlier
by Seth Larson June 27, 2024

June 27, 2024

There is a buffer over-read defect in CPython 3.9 and earlier due to not excluding an invalid value for OpenSSL's NPN APIs. This vulnerability is of severity *LOW*. CPython doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE -2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured). Suggested mitigation is one of the following: * Upgrade to Python 3.10 or later where NPN isn't supported * Avoid using NPN via SSLContext.set_npn_protocols() * Avoid providing an empty list as a parameter to SSLContext.set_npn_protocols()

1 0

[CVE-2024-0397] Memory race condition in ssl.SSLContext certificate store methods
by Seth Larson June 17, 2024

June 17, 2024

A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5. Severity: Low References - https://github.com/python/cpython/issues/114572 - https://github.com/python/cpython/pull/114573

1 0

[CVE-2024-4032] Incorrect IPv4 and IPv6 private ranges
by Seth Larson June 17, 2024

June 17, 2024

The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the 'is_private' and 'is_global' properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior. Severity: Medium References - https://github.com/python/cpython/issues/113171 - https://github.com/python/cpython/pull/113179 - https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-speci… - https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-speci…

1 0

[CVE-2024-4030] tempfile.mkdtemp() may be readable and writeable by all users on Windows
by Seth Larson May 9, 2024

May 9, 2024

On Windows a directory returned by tempfile.mkdtemp() would not always have permissions set to restrict reading and writing to the temporary directory by other users, instead usually inheriting the correct permissions from the default location. Alternate configurations or users without a profile directory may not have the intended permissions. If you’re not using Windows or haven’t changed the temporary directory location then you aren’t affected by this vulnerability. On other platforms the returned directory is consistently readable and writable only by the current user. This issue was caused by Python not supporting Unix permissions on Windows. The fix adds support for Unix “700” for the mkdir function on Windows which is used by mkdtemp() to ensure the newly created directory has the proper permissions. The fix will be made available in CPython versions 3.13.0b1 and 3.12.4. Backports are pending for other security release streams. Severity: Medium Issue: https://github.com/python/cpython/issues/118486 Patch: https://github.com/python/cpython/commit/81939dad77001556c527485d31a2d0f4a7… Patch: https://github.com/python/cpython/commit/8ed546679524140d8282175411fd141fe7…

2 1

[CVE-2023-6597] tempfile.TemporaryDirectory dereferences symlinks during cleanup
by Ee Durbin March 19, 2024

March 19, 2024

An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances. *References* * CVE: https://www.cve.org/CVERecord?id=CVE-2023-6597 * Patch: https://github.com/python/cpython/pull/99930 * Issue: https://github.com/python/cpython/issues/91133

1 0

[CVE-2024-0450] Quoted zip-bomb protection for zipfile
by Ee Durbin March 19, 2024

March 19, 2024

An issue was found in the CPython `zipfile` module affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive. *References* * CVE: https://www.cve.org/CVERecord?id=CVE-2024-0450 * Patch: https://github.com/python/cpython/pull/110016 * Issue: https://github.com/python/cpython/issues/109858

1 0

[CVE-2023-6507] Groups not dropped before running subprocess when using empty 'extra_groups' parameter
by Seth Larson Dec. 8, 2023

Dec. 8, 2023

An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases. It's recommended that if you are affected to upgrade to the latest CPython 3.12.1. *Affected usages:* When using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list. This issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`). *References:* - CVE: https://www.cve.org/CVERecord?id=CVE-2023-6507 - Patch: https://github.com/python/cpython/pull/112617 - Issue: https://github.com/python/cpython/issues/112334

1 0

[CVE-2023-5752] Mercurial configuration injectable in repo revision when installing via pip
by Seth Larson Oct. 24, 2023

Oct. 24, 2023

When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing Mercurial VCS URLs. This is a *MEDIUM* severity vulnerability. *Affected versions:* pip before v23.3 are affected by this vulnerability. *Remediation:* - Upgrade to at least pip v23.3 - Don't clone Mercurial repositories or allow uncontrolled input to the target Mercurial URL and revision. *References:* - https://www.cve.org/CVERecord?id=CVE-2023-5752 - https://github.com/pypa/pip/pull/12306

1 0

[CVE-2022-48560] Use-after-free in heappushpop() of heapq module
by Seth Larson Aug. 28, 2023

Aug. 28, 2023

This vulnerability was reported to MITRE without a report to the Python Security Response Team (security(a)python.org). Thanks to *Samuel Henrique* for reporting this vulnerability to the PSRT for a proper advisory to be published. Reports for vulnerabilities in Python should be sent to the PSRT to ensure an advisory is published properly. *Description* A use-after-free exists in Python through 3.9 via heappushpop in heapq. *Affected versions* - Python 3.9.0a1 to 3.9.0a2 * - Python 3.8.0 to 3.8.1 - Python 3.7.0 to 3.7.6 ** - Python 3.6.10 and earlier ** * *Pre-release versions of Python are not recommended for production use.* ** *Note that Python 3.7.17 and earlier will not be receiving an upstreamsecurity fix due to being end-of-life* ( https://devguide.python.org/versions) contact your distributor of Python for additional guidance. *Remediation and work-arounds* - Upgrade to Python 3.9.0, 3.8.2, 3.7.7, or 3.6.11. - Apply a patch for your corresponding version of Python Patches are available for all supported feature, bugfix, and security branches of Python: - main: https://github.com/python/cpython/commit/79f89e6e5a659846d1068e8b1bd8e491cc… - 3.8: https://github.com/python/cpython/commit/993811ffe75c2573f97fb3fd1414b34609… - 3.7: https://github.com/python/cpython/commit/958064f8d2b84062b0582bbae911df8ccf… - 3.6: https://github.com/python/cpython/commit/c563f409ea30bcb0623d785428c9257917… *References* - https://www.cve.org/CVERecord?id=CVE-2022-48560 - https://bugs.python.org/issue39421 - https://github.com/python/cpython/pull/18118 *Credits* - Reporter: Samuel Henrique

1 0

[CVE-2022-48564] DoS when reading malformed Apple Property List files in binary format
by Seth Larson Aug. 28, 2023

Aug. 28, 2023

This vulnerability was reported to MITRE without a report to the Python Security Response Team (security(a)python.org). Thanks to *Samuel Henrique* for reporting this vulnerability to the PSRT for a proper advisory to be published. Reports for vulnerabilities in Python should be sent to the PSRT to ensure an advisory is published properly. <https://gist.github.com/#description>Description read_ints in plistlib.py in Python 3.9.0, 3.8.6 to 3.8.6, 3.7.0 to 3.7.9, and 3.6.13 and earlier is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format. <https://gist.github.com/#affected-versions>Affected versions - Python 3.9.0a1 to 3.9.0 - Python 3.8.0 to 3.8.6 - Python 3.7.0 to 3.7.9 ** - Python 3.6.13 and earlier ** ** *Note that Python 3.7.17 and earlier are end-of-life (https://devguide.python.org/versions <https://devguide.python.org/versions>)* contact your distributor of Python for additional guidance. <https://gist.github.com/#remediation-and-work-arounds>Remediation and work-arounds - Upgrade to Python 3.9.1, 3.8.7, 3.7.10, or 3.6.13 - Apply a patch for your corresponding version of Python Patches are available for all supported feature, bugfix, and security branches of Python: - main: 34637a0ce21e7261b952fbd9d006474cc29b681f <https://github.com/python/cpython/commit/34637a0ce21e7261b952fbd9d006474cc2…> - 3.9: e277cb76989958fdbc092bf0b2cb55c43e86610a <https://github.com/python/cpython/commit/e277cb76989958fdbc092bf0b2cb55c43e…> - 3.8: 547d2bcc55e348043b2f338027c1acd9549ada76 <https://github.com/python/cpython/commit/547d2bcc55e348043b2f338027c1acd954…> - 3.7: 225e3659556616ad70186e7efc02baeebfeb5ec4 <https://github.com/python/cpython/commit/225e3659556616ad70186e7efc02baeebf…> - 3.6: a63234c49b2fbfb6f0aca32525e525ce3d43b2b4 <https://github.com/python/cpython/commit/a63234c49b2fbfb6f0aca32525e525ce3d…> <https://gist.github.com/#references>References - https://www.cve.org/CVERecord?id=CVE-2022-48564 - https://bugs.python.org/issue42103 - https://github.com/python/cpython/pull/22882 <https://gist.github.com/#credits>Credits - Reporter: Samuel Henrique

1 0