Mailman 3 - Security-announce

[CVE-2024-4030] tempfile.mkdtemp() may be readable and writeable by all users on Windows
by Seth Larson 09 May '24

09 May '24

On Windows a directory returned by tempfile.mkdtemp() would not always have permissions set to restrict reading and writing to the temporary directory by other users, instead usually inheriting the correct permissions from the default location. Alternate configurations or users without a profile directory may not have the intended permissions. If you’re not using Windows or haven’t changed the temporary directory location then you aren’t affected by this vulnerability. On other platforms the returned directory is consistently readable and writable only by the current user. This issue was caused by Python not supporting Unix permissions on Windows. The fix adds support for Unix “700” for the mkdir function on Windows which is used by mkdtemp() to ensure the newly created directory has the proper permissions. The fix will be made available in CPython versions 3.13.0b1 and 3.12.4. Backports are pending for other security release streams. Severity: Medium Issue: https://github.com/python/cpython/issues/118486 Patch: https://github.com/python/cpython/commit/81939dad77001556c527485d31a2d0f4a7… Patch: https://github.com/python/cpython/commit/8ed546679524140d8282175411fd141fe7…

2 1

[CVE-2023-6597] tempfile.TemporaryDirectory dereferences symlinks during cleanup
by Ee Durbin 19 Mar '24

19 Mar '24

An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances. *References* * CVE: https://www.cve.org/CVERecord?id=CVE-2023-6597 * Patch: https://github.com/python/cpython/pull/99930 * Issue: https://github.com/python/cpython/issues/91133

1 0

[CVE-2024-0450] Quoted zip-bomb protection for zipfile
by Ee Durbin 19 Mar '24

19 Mar '24

An issue was found in the CPython `zipfile` module affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive. *References* * CVE: https://www.cve.org/CVERecord?id=CVE-2024-0450 * Patch: https://github.com/python/cpython/pull/110016 * Issue: https://github.com/python/cpython/issues/109858

1 0

[CVE-2023-6507] Groups not dropped before running subprocess when using empty 'extra_groups' parameter
by Seth Larson 08 Dec '23

08 Dec '23

An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases. It's recommended that if you are affected to upgrade to the latest CPython 3.12.1. *Affected usages:* When using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list. This issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`). *References:* - CVE: https://www.cve.org/CVERecord?id=CVE-2023-6507 - Patch: https://github.com/python/cpython/pull/112617 - Issue: https://github.com/python/cpython/issues/112334

1 0

[CVE-2023-5752] Mercurial configuration injectable in repo revision when installing via pip
by Seth Larson 24 Oct '23

24 Oct '23

When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing Mercurial VCS URLs. This is a *MEDIUM* severity vulnerability. *Affected versions:* pip before v23.3 are affected by this vulnerability. *Remediation:* - Upgrade to at least pip v23.3 - Don't clone Mercurial repositories or allow uncontrolled input to the target Mercurial URL and revision. *References:* - https://www.cve.org/CVERecord?id=CVE-2023-5752 - https://github.com/pypa/pip/pull/12306

1 0

[CVE-2022-48560] Use-after-free in heappushpop() of heapq module
by Seth Larson 28 Aug '23

28 Aug '23

This vulnerability was reported to MITRE without a report to the Python Security Response Team (security(a)python.org). Thanks to *Samuel Henrique* for reporting this vulnerability to the PSRT for a proper advisory to be published. Reports for vulnerabilities in Python should be sent to the PSRT to ensure an advisory is published properly. *Description* A use-after-free exists in Python through 3.9 via heappushpop in heapq. *Affected versions* - Python 3.9.0a1 to 3.9.0a2 * - Python 3.8.0 to 3.8.1 - Python 3.7.0 to 3.7.6 ** - Python 3.6.10 and earlier ** * *Pre-release versions of Python are not recommended for production use.* ** *Note that Python 3.7.17 and earlier will not be receiving an upstreamsecurity fix due to being end-of-life* ( https://devguide.python.org/versions) contact your distributor of Python for additional guidance. *Remediation and work-arounds* - Upgrade to Python 3.9.0, 3.8.2, 3.7.7, or 3.6.11. - Apply a patch for your corresponding version of Python Patches are available for all supported feature, bugfix, and security branches of Python: - main: https://github.com/python/cpython/commit/79f89e6e5a659846d1068e8b1bd8e491cc… - 3.8: https://github.com/python/cpython/commit/993811ffe75c2573f97fb3fd1414b34609… - 3.7: https://github.com/python/cpython/commit/958064f8d2b84062b0582bbae911df8ccf… - 3.6: https://github.com/python/cpython/commit/c563f409ea30bcb0623d785428c9257917… *References* - https://www.cve.org/CVERecord?id=CVE-2022-48560 - https://bugs.python.org/issue39421 - https://github.com/python/cpython/pull/18118 *Credits* - Reporter: Samuel Henrique

1 0

[CVE-2022-48564] DoS when reading malformed Apple Property List files in binary format
by Seth Larson 28 Aug '23

28 Aug '23

This vulnerability was reported to MITRE without a report to the Python Security Response Team (security(a)python.org). Thanks to *Samuel Henrique* for reporting this vulnerability to the PSRT for a proper advisory to be published. Reports for vulnerabilities in Python should be sent to the PSRT to ensure an advisory is published properly. <https://gist.github.com/#description>Description read_ints in plistlib.py in Python 3.9.0, 3.8.6 to 3.8.6, 3.7.0 to 3.7.9, and 3.6.13 and earlier is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format. <https://gist.github.com/#affected-versions>Affected versions - Python 3.9.0a1 to 3.9.0 - Python 3.8.0 to 3.8.6 - Python 3.7.0 to 3.7.9 ** - Python 3.6.13 and earlier ** ** *Note that Python 3.7.17 and earlier are end-of-life (https://devguide.python.org/versions <https://devguide.python.org/versions>)* contact your distributor of Python for additional guidance. <https://gist.github.com/#remediation-and-work-arounds>Remediation and work-arounds - Upgrade to Python 3.9.1, 3.8.7, 3.7.10, or 3.6.13 - Apply a patch for your corresponding version of Python Patches are available for all supported feature, bugfix, and security branches of Python: - main: 34637a0ce21e7261b952fbd9d006474cc29b681f <https://github.com/python/cpython/commit/34637a0ce21e7261b952fbd9d006474cc2…> - 3.9: e277cb76989958fdbc092bf0b2cb55c43e86610a <https://github.com/python/cpython/commit/e277cb76989958fdbc092bf0b2cb55c43e…> - 3.8: 547d2bcc55e348043b2f338027c1acd9549ada76 <https://github.com/python/cpython/commit/547d2bcc55e348043b2f338027c1acd954…> - 3.7: 225e3659556616ad70186e7efc02baeebfeb5ec4 <https://github.com/python/cpython/commit/225e3659556616ad70186e7efc02baeebf…> - 3.6: a63234c49b2fbfb6f0aca32525e525ce3d43b2b4 <https://github.com/python/cpython/commit/a63234c49b2fbfb6f0aca32525e525ce3d…> <https://gist.github.com/#references>References - https://www.cve.org/CVERecord?id=CVE-2022-48564 - https://bugs.python.org/issue42103 - https://github.com/python/cpython/pull/22882 <https://gist.github.com/#credits>Credits - Reporter: Samuel Henrique

1 0

[CVE-2023-40217] Bypass TLS handshake on closed sockets
by Seth Larson 24 Aug '23

24 Aug '23

Description Instances of ssl.SSLSocket are vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data if the socket is closed before initiating its own handshake. This vulnerability is of severity: *HIGH*. The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peers’ TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred. Affected usages This vulnerability *primarily affects* HTTPS servers and other server-side protocols using TLS client authentication (such as mTLS) due to requiring reading data immediately after the handshake to be vulnerable. Operations which would fail on a closed socket (like sending data) immediately after the handshake are not affected by this vulnerability. Because disconnecting the socket is a necessary step to trigger the vulnerability *there is no risk of data exfiltration or data leakage directly from the malicious TLS connection*, however the vulnerability *does* carry risk for modifying or deleting resources which are authenticated using only TLS client certificates. This vulnerability *affects* clients who are reading and processing data from the server after a TLS handshake without sending any data first. Our team is unaware of a protocol that uses TLS that fits this usage pattern. This vulnerability *does not affect* client-side HTTPS connections like pip or requests as an HTTP request must be sent before an HTTP response is read meaning the connection would already be closed by the time the client is sending an HTTP request, leading to an error. This vulnerability *affects, but has no impact* on servers that aren’t using TLS client certificate authentication as traffic to a non-authenticating TLS server loses nothing from a bypassed handshake to inject a query and close the connection as the same action could be taken by a peer using a TLS connection with a proper handshake. Affected versions - Python 3.12.0a1 to 3.12.0rc1 * - Python 3.11.0 to 3.11.4 - Python 3.10.0 to 3.10.12 - Python 3.9.0 to 3.9.17 - Python 3.8.0 to 3.8.17 - Python 3.7.17 and earlier ** * Note that Python 3.12.0rc2 will not be published for a few weeks. *Pre-release versions of Python are not recommended for production use.* ** *Note that Python 3.7.17 and earlier will not be receiving an upstream security fix due to being end-of-life <https://devguide.python.org/versions/#versions>,* contact your distributor of Python for additional guidance. Remediation and work-arounds - Upgrade to Python 3.11.5, 3.10.13, 3.9.18, or 3.8.18. - Apply a patch for your corresponding version of Python. - Add a call to SSLSocket.getpeername() after calling SSLSocket.wrap_socket() before any calls to SSLSocket.recv(). This call to getpeername() will raise an OSError if the socket isn’t connected thus mitigating the vulnerability. Patches are available for all affected feature, bugfix, and security branches of Python: - main: 0cb0c238d520a8718e313b52cffc356a5a7561bf <https://github.com/python/cpython/commit/0cb0c238d520a8718e313b52cffc356a5a…> - 3.12: 256586ab8776e4526ca594b4866b9a3492e628f1 <https://github.com/python/cpython/commit/256586ab8776e4526ca594b4866b9a3492…> - 3.11: 75a875e0df0530b75b1470d797942f90f4a718d3 <https://github.com/python/cpython/commit/75a875e0df0530b75b1470d797942f90f4…> - 3.10: 37d7180cb647f0bed0c1caab0037f3bc82e2af96 <https://github.com/python/cpython/commit/37d7180cb647f0bed0c1caab0037f3bc82…> - 3.9: 264b1dacc67346efa0933d1e63f622676e0ed96b <https://github.com/python/cpython/commit/264b1dacc67346efa0933d1e63f622676e…> - 3.8: b4bcc06a9cfe13d96d5270809d963f8ba278f89b <https://github.com/python/cpython/commit/b4bcc06a9cfe13d96d5270809d963f8ba2…> Additional patches to stabilize the test suite may also be applied to all versions: - 64f99350351bc46e016b2286f36ba7cd669b79e3 <https://github.com/python/cpython/commit/64f99350351bc46e016b2286f36ba7cd66…> - 592bacb6fc0833336c0453e818e9b95016e9fd47 <https://github.com/python/cpython/commit/592bacb6fc0833336c0453e818e9b95016…> References - https://github.com/python/cpython/issues/108310 - https://github.com/python/cpython/pull/108315 Credits - Reporter: Aapo Oksman - Remediation Developer: Gregory P. Smith - Remediation Reviewer: Thomas Wouters - Coordinator: Seth Michael Larson Timeline - August 8,2023: Reported by Aapo Oksman to security(a)python.org. - August 8, 2023: Acknowledged the report. - August 9, 2023: Acknowledgement of the vulnerability, sent CVE ID request to MITRE. - August 10, 2023: CVE-2023-40217 assigned by MITRE. - August 15, 2023: Patch authored by Gregory P Smith, reviewed by Thomas Wouters. - August 22, 2023: Patch applied to feature and security branches by Łukasz Langa. - August 24, 2023: Python 3.11.5, 3.10.13, 3.9.18, 3.8.18 are published containing the fix for CVE-2023-40217. - August 24, 2023: Advisory published.

1 0

[CVE-2023-41105] os.path.normpath() truncates on null bytes
by Seth Larson 24 Aug '23

24 Aug '23

Description Passing a path with null bytes to the os.path.normpath() function causes the returned path to be unexpectedly truncated at the first occurrence of null bytes within the path. Python versions before 3.11.0 didn’t truncate the path on null bytes. This vulnerability is of severity: *MEDIUM*. If allowlisting is applied before a call to os.path.normpath() is used later in the program, the allowlisting can be circumvented if the path containing null bytes is constructed to pass the allowlist but then change to the targeted resource after truncation. <https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#a…>Affected versions - Python 3.12.0a1 to 3.12.0rc1 * - Python 3.11.0 to 3.11.4 * Note that Python 3.12.0rc2 will not be published for approximately two weeks. *Pre-release versions of Python are not recommended for production use*. <https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#r…>Remediation and Work-arounds - Upgrade to Python 3.12.0rc2 or 3.11.5 - Apply the patch for your version of Python. - Do all path normalization before making security critical decisions like allowlisting to avoid truncation having an impact on the application. Patches are available for all supported feature and security branches of Python: - main: 0cb0c238d520a8718e313b52cffc356a5a7561bf <https://github.com/python/cpython/commit/0cb0c238d520a8718e313b52cffc356a5a…> - 3.12: 256586ab8776e4526ca594b4866b9a3492e628f1 <https://github.com/python/cpython/commit/256586ab8776e4526ca594b4866b9a3492…> - 3.11: 75a875e0df0530b75b1470d797942f90f4a718d3 <https://github.com/python/cpython/commit/75a875e0df0530b75b1470d797942f90f4…> <https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#r…> References - https://github.com/python/cpython/issues/106242 - https://github.com/python/cpython/pull/106816 <https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#c…> Credits - Finder: Noriko Totsuka of JPCERT/CC - Finder: Masashi Yamane of LAC Co., Ltd - Reporter: Delta Regeer - Remediation Developer: Finn Womack - Remediation Reviewer: Steve Dower - Coordinator: Seth Michael Larson <https://gist.github.com/sethmlarson/4b59b573b19e19eef684cacaf9d7f205/edit#t…> Timeline - June 29,2023: Issue opened on python/cpython GitHub repository. - July 16th, 2023: Patch authored by Finn Womack. - August 14, 2023: Patch reviewed and applied to all branches by Steve Dower. - August 21, 2023: Issue reported to security(a)python.org as a security issue. - August 21, 2023: Acknowledgement of the vulnerability, sent CVE ID request to MITRE. - August 23, 2023: CVE-2023-41105 assigned by MITRE. - August 24, 2023: Python 3.11.5 is released containing the fix for CVE-2023-41105. - August 24, 2023: Advisory is published.

2 1

Incident Report: Malicious takeover of ctx project on PyPI
by ee＠python.org 24 May '22

24 May '22

Takeover of the ctx project was reported on multiple channels overnight and was mitigated as of 6:07 AM Eastern. We confirmed via investigation that this compromise was of a single user account due to re-registration over an expired domain. The domain that hosted the users email address was re-registered 2022-05-14T18:40:05Z and a password reset completed successfully for the user at 2022-05-14T18:52:40Z. Original releases were then deleted and malicious copies uploaded. PyPI itself was not directly compromised. Read the full incident report at https://python-security.readthedocs.io/pypi-vuln/index-2022-05-24-ctx-domai… -Ee Durbin Director of Infrastructure Python Software Foundation

1 0