Re: 374252 Python Invalid Search Path Vulnerability

Hi,

Python 3.6.12 includes a fix for this issue:
https://python-security.readthedocs.io/vuln/pysetpath-python-dll-path.html

The commit in the 3.6 branch:
https://github.com/python/cpython/commit/46cbf6148a46883110883488d3e9febbe46...

Victor

On Thu, Jun 17, 2021 at 10:51 AM Prashanth Reddy <reddy.prashanth809@gmail.com> wrote:
Hi Victor,
https://mail.python.org/archives/list/security-announce@python.org/thread/C5...
Short description:
Python Invalid Search Path Vulnerability
CVE-2020-15523 is an invalid search path in Python 3.6 and later on Windows. It occurs during Py_Initialize() when the runtime attempts to pre-load python3.dll. If Py_SetPath() has been called, the expected location is not set, and locations elsewhere on the user's system will be searched.
This issue is not triggered when running python.exe. It only applies when CPython has been embedded in another application.
Issue: https://bugs.python.org/issue29778
Patch: https://github.com/python/cpython/pull/21297
The next patched releases will be: 3.9.0b5, 3.8.4, 3.7.9 (source only), 3.6.12 (source only)
Other than applying the patch, applications may mitigate the vulnerability by explicitly calling LoadLibrary() on their copy of python3.dll before calling Py_Initialize(). Even with the patch applied, applications should include a copy of python3.dll alongside their main Python DLL.
Thanks to Eric Gantumur for detecting and reporting the issue to the Python Security Response Team.
Questions to security-sig@python.org or security@python.org.
Cheers,
Steve Dower
Python Security Response Team
On Thu, Jun 17, 2021 at 3:29 AM Victor Stinner <vstinner@python.org> wrote:
Hi,
https://bugs.python.org/issue374252 is not a valid bug number. Which one do you mean?
Victor
On Wed, Jun 16, 2021 at 6:10 PM Prashanth Reddy <reddy.prashanth809@gmail.com> wrote:
Hi Team,
Can you help us with how to resolve the issue?
We are using Python version 3.6.5.
Regards,
Prashanth
-- Night gathers, and now my watch begins. It shall not end until my death.
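The mitigation Steve Dower describes in the quoted advisory, pre-loading the application's own python3.dll by full path before Py_Initialize(), written out in C as an added example (this is not code from the thread or from CPython). The path helper refuses any result that is not a Windows full path, because a bare name or a relative path still sends the loader through the search order the advisory warns about. The application path, the application name and the assumption that the embedding application already links against CPython (so Python.h is available) are constructed for this example; the Windows-only calls are guarded by _WIN32 so the helper itself compiles anywhere.

```c
/*
 * Added example, not from the python.org thread or from CPython.
 * Pattern: resolve the full path of our own python3.dll next to the
 * executable, LoadLibrary() it by that full path, and only then call
 * Py_Initialize(), so the runtime's pre-load of "python3.dll" finds the
 * copy already mapped instead of searching elsewhere on the system.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#ifdef _WIN32
#include <windows.h>
#include <Python.h>   /* assumption: the embedding app already links CPython */
#endif

/* True for "C:\..." (drive-rooted) or "\\server\share\..." (UNC). */
static int is_absolute_win_path(const char *p)
{
    if (strlen(p) >= 3 && isalpha((unsigned char)p[0]) && p[1] == ':' &&
        (p[2] == '\\' || p[2] == '/'))
        return 1;
    return strncmp(p, "\\\\", 2) == 0;
}

/*
 * Build "<directory of exe_path><separator><dll_name>" into out.
 * Returns 0 on success, -1 if the result would not be a full path (the
 * loader would then fall back to search-order lookup) or out is too small.
 */
int build_sibling_dll_path(const char *exe_path, const char *dll_name,
                           char *out, size_t outsz)
{
    const char *bs = strrchr(exe_path, '\\');
    const char *fs = strrchr(exe_path, '/');
    const char *sep = bs;
    size_t dirlen;

    if (fs != NULL && (sep == NULL || fs > sep))
        sep = fs;                       /* use whichever separator is last */
    if (sep == NULL)
        return -1;                      /* bare file name: no directory to anchor to */
    dirlen = (size_t)(sep - exe_path) + 1;   /* keep the trailing separator */
    if (dirlen + strlen(dll_name) + 1 > outsz)
        return -1;
    memcpy(out, exe_path, dirlen);
    strcpy(out + dirlen, dll_name);
    return is_absolute_win_path(out) ? 0 : -1;
}

#ifdef _WIN32
/* Pre-load python3.dll from the application's own directory, then initialize. */
int preload_and_initialize(void)
{
    char exe[MAX_PATH], dll[MAX_PATH];
    DWORD n = GetModuleFileNameA(NULL, exe, MAX_PATH);
    if (n == 0 || n >= MAX_PATH)
        return -1;
    if (build_sibling_dll_path(exe, "python3.dll", dll, sizeof dll) != 0)
        return -1;
    /* A full path makes the loader look only at that location. */
    if (LoadLibraryA(dll) == NULL) {
        fprintf(stderr, "failed to load %s (error %lu)\n", dll, GetLastError());
        return -1;
    }
    Py_Initialize();
    return 0;
}
#endif

int main(void)
{
    char out[260];
    /* Constructed sample path for illustration, not a real installation. */
    const char *exe = "C:\\Program Files\\MyApp\\myapp.exe";
    if (build_sibling_dll_path(exe, "python3.dll", out, sizeof out) == 0)
        printf("would pre-load: %s\n", out);
#ifdef _WIN32
    return preload_and_initialize() == 0 ? 0 : 1;
#else
    return 0;
#endif
}
```

The helper deliberately fails for "myapp.exe" or "bin\myapp.exe" rather than handing a searchable name to LoadLibrary(); on Windows the real executable path comes from GetModuleFileNameA(), so that branch only fires if the build has no directory component at all. As the advisory notes, this only helps if the application actually ships python3.dll beside its main Python DLL, patched runtime or not.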
