An amendment to this advisory, the correct patches for CVE-2023-41105 are as follows:

• main: 09322724319d4c23195300b222a1c0ea720af56b

https://github.com/python/cpython/commit/09322724319d4c23195300b222a1c0ea720af56b

• 3.12: ede98958810b76694cf756d305b564cd6adc1a48

https://github.com/python/cpython/commit/ede98958810b76694cf756d305b564cd6adc1a48

• 3.11: ccf81e1088c25a9f4464e478dc3b5c03ed7ee63b

https://github.com/python/cpython/commit/ccf81e1088c25a9f4464e478dc3b5c03ed7ee63b

Thank you to everyone who reported this to me promptly.

Seth Larson

On Thu, Aug 24, 2023 at 3:06 PM Seth Larson seth@python.org wrote:

Description

Passing a path with null bytes to the os.path.normpath() function causes the returned path to be unexpectedly truncated at the first occurrence of null bytes within the path. Python versions before 3.11.0 didn’t truncate the path on null bytes.

This vulnerability is of severity: *MEDIUM*.

If allowlisting is applied before a call to os.path.normpath() is used later in the program, the allowlisting can be circumvented if the path containing null bytes is constructed to pass the allowlist but then change to the targeted resource after truncation.

https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#affected-versionsAffected versions

• Python 3.12.0a1 to 3.12.0rc1 *
• Python 3.11.0 to 3.11.4

• Note that Python 3.12.0rc2 will not be published for approximately two

weeks. *Pre-release versions of Python are not recommended for production use*.

https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#remediation-and-work-aroundsRemediation and Work-arounds

• Upgrade to Python 3.12.0rc2 or 3.11.5
• Apply the patch for your version of Python.
• Do all path normalization before making security critical decisions

like allowlisting to avoid truncation having an impact on the application.

Patches are available for all supported feature and security branches of Python:

• main: 0cb0c238d520a8718e313b52cffc356a5a7561bf

https://github.com/python/cpython/commit/0cb0c238d520a8718e313b52cffc356a5a7561bf

• 3.12: 256586ab8776e4526ca594b4866b9a3492e628f1

https://github.com/python/cpython/commit/256586ab8776e4526ca594b4866b9a3492e628f1

• 3.11: 75a875e0df0530b75b1470d797942f90f4a718d3

https://github.com/python/cpython/commit/75a875e0df0530b75b1470d797942f90f4a718d3

https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#references References

• https://github.com/python/cpython/issues/106242
• https://github.com/python/cpython/pull/106816

https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#credits Credits

• Finder: Noriko Totsuka of JPCERT/CC
• Finder: Masashi Yamane of LAC Co., Ltd
• Reporter: Delta Regeer
• Remediation Developer: Finn Womack
• Remediation Reviewer: Steve Dower
• Coordinator: Seth Michael Larson

https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#timeline Timeline

• June 29,2023: Issue opened on python/cpython GitHub repository.
• July 16th, 2023: Patch authored by Finn Womack.
• August 14, 2023: Patch reviewed and applied to all branches by Steve

Dower.

• August 21, 2023: Issue reported to security@python.org as a security

issue.

• August 21, 2023: Acknowledgement of the vulnerability, sent CVE ID

request to MITRE.

• August 23, 2023: CVE-2023-41105 assigned by MITRE.
• August 24, 2023: Python 3.11.5 is released containing the fix for

CVE-2023-41105.

• August 24, 2023: Advisory is published.