[Security-announce][CVE-2023-41105] os.path.normpath() truncates on null bytes

Description

Passing a path with null bytes to the os.path.normpath() function causes the returned path to be unexpectedly truncated at the first occurrence of null bytes within the path. Python versions before 3.11.0 didn’t truncate the path on null bytes.

This vulnerability is of severity: *MEDIUM*.

If allowlisting is applied before a call to os.path.normpath() is used later in the program, the allowlisting can be circumvented if the path containing null bytes is constructed to pass the allowlist but then change to the targeted resource after truncation. <https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#affected-versions>Affected versions

• Python 3.12.0a1 to 3.12.0rc1 *
• Python 3.11.0 to 3.11.4

• Note that Python 3.12.0rc2 will not be published for approximately two weeks. *Pre-release versions of Python are not recommended for production use*. <https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#remediation-and-work-arounds>Remediation and Work-arounds

  • Upgrade to Python 3.12.0rc2 or 3.11.5
  • Apply the patch for your version of Python.
  • Do all path normalization before making security critical decisions like allowlisting to avoid truncation having an impact on the application.

Patches are available for all supported feature and security branches of Python:

• main: 0cb0c238d520a8718e313b52cffc356a5a7561bf <https://github.com/python/cpython/commit/0cb0c238d520a8718e313b52cffc356a5a7561bf>
• 3.12: 256586ab8776e4526ca594b4866b9a3492e628f1 <https://github.com/python/cpython/commit/256586ab8776e4526ca594b4866b9a3492e628f1>
• 3.11: 75a875e0df0530b75b1470d797942f90f4a718d3 <https://github.com/python/cpython/commit/75a875e0df0530b75b1470d797942f90f4a718d3>

<https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#references> References

• https://github.com/python/cpython/issues/106242
• https://github.com/python/cpython/pull/106816

<https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#credits> Credits

• Finder: Noriko Totsuka of JPCERT/CC
• Finder: Masashi Yamane of LAC Co., Ltd
• Reporter: Delta Regeer
• Remediation Developer: Finn Womack
• Remediation Reviewer: Steve Dower
• Coordinator: Seth Michael Larson

<https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#timeline> Timeline

• June 29,2023: Issue opened on python/cpython GitHub repository.
• July 16th, 2023: Patch authored by Finn Womack.
• August 14, 2023: Patch reviewed and applied to all branches by Steve Dower.
• August 21, 2023: Issue reported to security@python.org as a security issue.
• August 21, 2023: Acknowledgement of the vulnerability, sent CVE ID request to MITRE.
• August 23, 2023: CVE-2023-41105 assigned by MITRE.
• August 24, 2023: Python 3.11.5 is released containing the fix for CVE-2023-41105.
• August 24, 2023: Advisory is published.