Description

Passing a path with null bytes to the os.path.normpath() function causes the returned path to be unexpectedly truncated at the first occurrence of null bytes within the path. Python versions before 3.11.0 didn’t truncate the path on null bytes.

This vulnerability is of severity: MEDIUM.

If allowlisting is applied before a call to os.path.normpath() is used later in the program, the allowlisting can be circumvented if the path containing null bytes is constructed to pass the allowlist but then change to the targeted resource after truncation.

Affected versions

Python 3.12.0a1 to 3.12.0rc1 *
Python 3.11.0 to 3.11.4

* Note that Python 3.12.0rc2 will not be published for approximately two weeks. Pre-release versions of Python are not recommended for production use.

Remediation and Work-arounds

Upgrade to Python 3.12.0rc2 or 3.11.5
Apply the patch for your version of Python.
Do all path normalization before making security critical decisions like allowlisting to avoid truncation having an impact on the application.

Patches are available for all supported feature and security branches of Python:

References

Credits

Finder: Noriko Totsuka of JPCERT/CC
Finder: Masashi Yamane of LAC Co., Ltd
Reporter: Delta Regeer
Remediation Developer: Finn Womack
Remediation Reviewer: Steve Dower
Coordinator: Seth Michael Larson

Timeline

June 29,2023: Issue opened on python/cpython GitHub repository.
July 16th, 2023: Patch authored by Finn Womack.
August 14, 2023: Patch reviewed and applied to all branches by Steve Dower.
August 21, 2023: Issue reported to security@python.org as a security issue.
August 21, 2023: Acknowledgement of the vulnerability, sent CVE ID request to MITRE.
August 23, 2023: CVE-2023-41105 assigned by MITRE.
August 24, 2023: Python 3.11.5 is released containing the fix for CVE-2023-41105.
August 24, 2023: Advisory is published.