Hi,

I wrote a set of scripts to check for known Python vulnerabilities:

https://github.com/vstinner/python-security/tree/master/check-python-vuln

Clone the repository, go to the check-python-vuln/ subdirectory, and run: "python check-python-vuln.py"

I wrote this project to help me check easily which vulnerabilities have been fixed or not on a specific Python binary.

Right now, I only implemented checks for 4 vulnerabilities... there are many more known vulnerabilities!

https://python-security.readthedocs.io/vulnerabilities.html

Contact me if you want to help to write tests for more vulnerabilities ;-)

I'm not sure that it's possible to write a functional test for all vulnerabilities :-( For example, "CVE-2018-20406: pickle.load denial of service" allocates too much memory with and without the fix, at least using the attached "poc" file.

check-python-vuln.py uses functional tests rather than just testing the Python version, because in Fedora and RHEL, we backport security fixes without changing the Python version (especially in RHEL).

Example with Python 2 on up-to-date Fedora 29:
---
$ python2 check-python-vuln.py
Check: SSL CRL DPS DoS (CVE-2019-5010)
Check: gettext.c2py (bpo-28563)
Check: SLL NUL in subjectAltNames (CVE-2013-4238)
Check: Hash DoS (CVE-2012-1150)

Result for /usr/bin/python2 (2.7.15):
* SSL CRL DPS DoS (CVE-2019-5010): VULNERABLE
* gettext.c2py (bpo-28563): fixed
* SLL NUL in subjectAltNames (CVE-2013-4238): fixed
* Hash DoS (CVE-2012-1150): fixed

Your Python 2.7.15 has 1 KNOWN VULNERABILITY!!!
---

Note: My team decided that the "SSL CRL DPS DoS (CVE-2019-5010)" can wait for the Python 2.7.16 release. It doesn't deserve an urgent fix.

Example with Python 3.0:
---
$ ~/prog/python/3.0/python check-python-vuln.py
Check: SSL CRL DPS DoS (CVE-2019-5010)
Check: gettext.c2py (bpo-28563)
Check: SLL NUL in subjectAltNames (CVE-2013-4238)
Check: Hash DoS (CVE-2012-1150)

Result for /home/vstinner/prog/python/3.0/python (3.0.1):
* SSL CRL DPS DoS (CVE-2019-5010): CHECK_ERROR (CHECK FAILED: missing _ssl module: No module named _ssl)
* gettext.c2py (bpo-28563): VULNERABLE
* SLL NUL in subjectAltNames (CVE-2013-4238): CHECK_ERROR (CHECK FAILED: missing _ssl module: No module named _ssl)
* Hash DoS (CVE-2012-1150): VULNERABLE

CHECK ERROR :-(
Your Python 3.0.1 has 2 KNOWN VULNERABILITIES!!!
---

Note: Fedora 29 uses OpenSSL 1.1.1 but Python 3.0 isn't compatible with this OpenSSL version (ssl compilation failed). I should maybe try compat-openssl10 to test my tool on a fully working Python 3.0 (with ssl) :-)

On the other side, python3 is safe:
---
(...)
All tested vulnerabilities are fixed in your Python 3.7.2 :-)
---

Victor

-- 
Night gathers, and now my watch begins. It shall not end until my death.
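The post's main point is that a check should exercise the interpreter rather than read its version string, because distributions backport fixes without bumping the version. The following is an added example written for this page, not code from check-python-vuln or from the original message: it probes one of the four listed items, Hash DoS (CVE-2012-1150), by asking the binary under test to hash a few constructed strings in several separate runs with `PYTHONHASHSEED=random`. It assumes that an interpreter carrying the randomization fix honours that variable and produces different hashes per run, while a build without the fix ignores it and returns identical hashes every time. The result strings ("fixed", "VULNERABLE", "CHECK_ERROR") mirror the tool's output vocabulary; the function names are this example's own.

```python
"""Functional check for hash randomization (mitigation of CVE-2012-1150).

Added illustration for this page; not part of check-python-vuln.
Assumption: a fixed interpreter honours PYTHONHASHSEED=random, an
unfixed one ignores it, so identical hashes across runs mean VULNERABLE.
"""
import os
import subprocess
import sys

# Constructed sample input: strings whose hashes are compared across runs.
PROBE_STRINGS = "['a', 'b', 'c', 'hash-dos-probe']"


def probe_hashes(python, runs=3, seed="random"):
    """Run `python` `runs` times with PYTHONHASHSEED=`seed` and return one
    tuple of probe-string hashes per run.  Raises OSError if the binary
    cannot be started and CalledProcessError if it exits non-zero."""
    code = ("import sys; sys.stdout.write(' '.join(str(hash(s)) for s in %s))"
            % PROBE_STRINGS)
    env = dict(os.environ, PYTHONHASHSEED=seed)
    results = []
    for _ in range(runs):
        out = subprocess.check_output([python, "-c", code], env=env)
        # int() accepts the bytes tokens returned by check_output on Python 3.
        results.append(tuple(int(token) for token in out.split()))
    return results


def check_hash_randomization(python=sys.executable, runs=3, seed="random"):
    """Return 'fixed' when at least two runs disagree (randomization is
    effective), 'VULNERABLE' when every run produced the same hashes, or a
    'CHECK_ERROR (...)' string when the binary could not be exercised."""
    try:
        results = probe_hashes(python, runs, seed)
    except (OSError, subprocess.CalledProcessError) as exc:
        return "CHECK_ERROR (%s)" % exc
    return "fixed" if len(set(results)) > 1 else "VULNERABLE"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    print("Hash DoS (CVE-2012-1150) on %s: %s"
          % (target, check_hash_randomization(target)))
```

Passing `seed="0"` pins the seed and therefore reproduces the "VULNERABLE" verdict on any interpreter, which is a convenient way to confirm the check itself can fail before trusting its "fixed" answer; a binary that cannot be started (the analogue of the `_ssl`-less Python 3.0 above) yields CHECK_ERROR instead of a false "fixed".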