Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CVE-2020-15801] python 38 embed ignore python38._pth file on windows #85476

Closed
jgiardet mannequin opened this issue Jul 15, 2020 · 14 comments
Closed

[CVE-2020-15801] python 38 embed ignore python38._pth file on windows #85476

jgiardet mannequin opened this issue Jul 15, 2020 · 14 comments
Labels
3.7 (EOL) end of life 3.8 (EOL) end of life 3.9 only security fixes 3.10 only security fixes interpreter-core (Objects, Python, Grammar, and Parser dirs) OS-windows type-security A security issue

Comments

@jgiardet
Copy link
Mannequin

jgiardet mannequin commented Jul 15, 2020

BPO 41304
Nosy @pfmoore, @tjguk, @ned-deily, @zware, @zooba, @miss-islington, @jgiardet
PRs
  • bpo-41304: Ensure python3x._pth is loaded on Windows #21495
  • [3.9] bpo-41304: Ensure python3x._pth is loaded on Windows (GH-21495) #21497
  • [3.8] bpo-41304: Ensure python3x._pth is loaded on Windows (GH-21495) #21498
  • [3.7] bpo-41304: Ensure python3x._pth is loaded on Windows (GH-21495) #21499
  • bpo-41304: Update NEWS to include CVE-2020-15801 reference #21521
  • [3.9] bpo-41304: Update NEWS to include CVE-2020-15801 reference (GH-21521) #21522
  • [3.7] bpo-41304: Update NEWS to include CVE-2020-15801 reference (GH-21521) #21524
  • [3.8] bpo-41304: Update NEWS to include CVE-2020-15801 reference (GH-21521) #21523
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = None
    closed_at = <Date 2020-07-16.17:08:16.246>
    created_at = <Date 2020-07-15.14:41:17.913>
    labels = ['type-security', 'interpreter-core', '3.8', '3.9', '3.10', '3.7', 'OS-windows']
    title = '[CVE-2020-15801] python 38 embed ignore python38._pth file on windows'
    updated_at = <Date 2020-08-06.16:10:28.228>
    user = 'https://github.com/jgiardet'

    bugs.python.org fields:

    activity = <Date 2020-08-06.16:10:28.228>
    actor = 'steve.dower'
    assignee = 'none'
    closed = True
    closed_date = <Date 2020-07-16.17:08:16.246>
    closer = 'steve.dower'
    components = ['Interpreter Core', 'Windows']
    creation = <Date 2020-07-15.14:41:17.913>
    creator = 'jgirardet'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 41304
    keywords = ['patch', '3.8regression']
    message_count = 14.0
    messages = ['373698', '373701', '373706', '373727', '373728', '373729', '373731', '373756', '373836', '373837', '373838', '373891', '374912', '374942']
    nosy_count = 8.0
    nosy_names = ['paul.moore', 'tim.golden', 'ned.deily', 'zach.ware', 'steve.dower', 'miss-islington', 'jgirardet', 'owen.huang']
    pr_nums = ['21495', '21497', '21498', '21499', '21521', '21522', '21524', '21523']
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'security'
    url = 'https://bugs.python.org/issue41304'
    versions = ['Python 3.7', 'Python 3.8', 'Python 3.9', 'Python 3.10']

    @jgiardet
    Copy link
    Mannequin Author

    jgiardet mannequin commented Jul 15, 2020

    Hi,
    With python embed unziped in 38 directory(python 3.8.4):

    # python38._pth
    python38.zip
    .
    ..\\app
    # Uncomment to run site.main() automatically
    #import site
    
    PS C:\Users\jimmy\rien\embed> .\38\python.exe -c "import sys;print(sys.path);import hello"
    ['', 'C:\\Users\\jimmy\\rien\\embed\\38\\python38.zip', 'C:\\Users\\jimmy\\rien\\embed\\38\\DLLs', 'C:\\Users\\jimmy\\ri
    en\\embed\\38\\lib', 'C:\\Users\\jimmy\\rien\\embed\\38']
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
    ModuleNotFoundError: No module named 'hello'
    
    
    '\\app' is not added to sys.path. it is under python 3.
    

    Note It's working under python 3.7.8

    @jgiardet jgiardet mannequin added 3.8 (EOL) end of life interpreter-core (Objects, Python, Grammar, and Parser dirs) labels Jul 15, 2020
    @jgiardet jgiardet mannequin changed the title python 38 embed ignore python38._pth file python 38 embed ignore python38._pth file on windows Jul 15, 2020
    @jgiardet
    Copy link
    Mannequin Author

    jgiardet mannequin commented Jul 15, 2020

    replacing python38._pth by python._pth does fix it.

    @zooba
    Copy link
    Member

    zooba commented Jul 15, 2020

    Thanks, this is a regression.

    https://github.com/python/cpython/blob/master/PC/getpathp.c#L672 should be inverted, as a zero return value indicates success.

    @zooba zooba added 3.7 (EOL) end of life 3.9 only security fixes 3.10 only security fixes type-security A security issue labels Jul 15, 2020
    @zooba
    Copy link
    Member

    zooba commented Jul 15, 2020

    New changeset 936a660 by Steve Dower in branch 'master':
    bpo-41304: Ensure python3x._pth is loaded on Windows (GH-21495)
    936a660

    @miss-islington
    Copy link
    Contributor

    New changeset 28e93dd by Miss Islington (bot) in branch '3.9':
    bpo-41304: Ensure python3x._pth is loaded on Windows (GH-21495)
    28e93dd

    @miss-islington
    Copy link
    Contributor

    New changeset 3b6a8d2 by Miss Islington (bot) in branch '3.8':
    bpo-41304: Ensure python3x._pth is loaded on Windows (GH-21495)
    3b6a8d2

    @ned-deily
    Copy link
    Member

    New changeset 4bfcffe by Steve Dower in branch '3.7':
    bpo-41304: Ensure python3x._pth is loaded on Windows (GH-21495) (bpo-21499)
    4bfcffe

    @zooba
    Copy link
    Member

    zooba commented Jul 16, 2020

    For clarity, this was caused by the fix for bpo-29778, and was only released in 3.8.4 and 3.9.0b4. No other versions had a release before the fix was merged.

    @zooba zooba closed this as completed Jul 16, 2020
    @zooba
    Copy link
    Member

    zooba commented Jul 17, 2020

    This is now assigned CVE-2020-15801

    @zooba zooba changed the title python 38 embed ignore python38._pth file on windows [CVE-2020-15801] python 38 embed ignore python38._pth file on windows Jul 17, 2020
    @zooba
    Copy link
    Member

    zooba commented Jul 17, 2020

    New changeset a16ac4e by Miss Islington (bot) in branch '3.9':
    bpo-41304: Update NEWS to include CVE-2020-15801 reference (GH-21521)
    a16ac4e

    @zooba
    Copy link
    Member

    zooba commented Jul 17, 2020

    New changeset 79ed1a5 by Miss Islington (bot) in branch '3.8':
    bpo-41304: Update NEWS to include CVE-2020-15801 reference (GH-21521)
    79ed1a5

    @ned-deily
    Copy link
    Member

    New changeset eb0d255 by Miss Islington (bot) in branch '3.7':
    bpo-41304: Update NEWS to include CVE-2020-15801 reference (GH-21521) (GH-21524)
    eb0d255

    @owenhuang
    Copy link
    Mannequin

    owenhuang mannequin commented Aug 6, 2020

    hi, since the affected system is not clearly stated on the NVD, I'd like to confirm with you that:

    Does the CVE-2020-15801 vulnerability affect only the Windows OS?

    thanks a lot!

    @zooba
    Copy link
    Member

    zooba commented Aug 6, 2020

    Yes, it only affects Windows OS.

    On all other platforms, the python38._pth file is _always_ ignored. We have not implemented this support for those platforms.

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Labels
    3.7 (EOL) end of life 3.8 (EOL) end of life 3.9 only security fixes 3.10 only security fixes interpreter-core (Objects, Python, Grammar, and Parser dirs) OS-windows type-security A security issue
    Projects
    None yet
    Development

    No branches or pull requests

    4 participants