[CVE-2022-26488] Escalation of privilege via Windows Installer

[zooba]

BPO	46948
Nosy	@gpshead, @pfmoore, @tjguk, @ned-deily, @ambv, @zware, @zooba, @pablogsal, @miss-islington
PRs	bpo-46948: Fix CVE-2022-26488 by ensuring the Windows Installer correctly uses the install path during repair #31726 [3.10] bpo-46948: Fix CVE-2022-26488 by ensuring the Windows Installer correctly uses the install path during repair #31727 [3.9] bpo-46948: Fix CVE-2022-26488 by ensuring the Windows Installer correctly uses the install path during repair #31728 [3.8] bpo-46948: Fix CVE-2022-26488 by ensuring the Windows Installer correctly uses the install path during repair #31729 [3.7] bpo-46948: Fix CVE-2022-26488 by ensuring the Windows Installer correctly uses the install path during repair #31730 bpo-46948: Fix launcher installer build failure due to first part of fix #31920 [3.10] bpo-46948: Fix launcher installer build failure due to first part of fix (GH-31920) #31922 [3.9] bpo-46948: Fix launcher installer build failure due to first part of fix (GH-31920) #31923 [3.8] bpo-46948: Fix launcher installer build failure due to first part of fix (GH-31920) #31924 [3.7] bpo-46948: Fix launcher installer build failure due to first part of fix (GH-31920) #31925

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = 'https://github.com/zooba'
closed_at = <Date 2022-03-16.12:23:48.554>
created_at = <Date 2022-03-07.16:33:17.993>
labels = ['type-security', '3.8', '3.9', '3.10', '3.11', '3.7', 'release-blocker', 'OS-windows']
title = '[CVE-2022-26488] Escalation of privilege via Windows Installer'
updated_at = <Date 2022-03-16.12:23:48.554>
user = 'https://github.com/zooba'

bugs.python.org fields:

activity = <Date 2022-03-16.12:23:48.554>
actor = 'steve.dower'
assignee = 'steve.dower'
closed = True
closed_date = <Date 2022-03-16.12:23:48.554>
closer = 'steve.dower'
components = ['Windows']
creation = <Date 2022-03-07.16:33:17.993>
creator = 'steve.dower'
dependencies = []
files = []
hgrepos = []
issue_num = 46948
keywords = ['patch']
message_count = 16.0
messages = ['414673', '414678', '414679', '414681', '414682', '414683', '414685', '414711', '414733', '414752', '415306', '415309', '415310', '415314', '415317', '415331']
nosy_count = 9.0
nosy_names = ['gregory.p.smith', 'paul.moore', 'tim.golden', 'ned.deily', 'lukasz.langa', 'zach.ware', 'steve.dower', 'pablogsal', 'miss-islington']
pr_nums = ['31726', '31727', '31728', '31729', '31730', '31920', '31922', '31923', '31924', '31925']
priority = 'release blocker'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue46948'
versions = ['Python 3.7', 'Python 3.8', 'Python 3.9', 'Python 3.10', 'Python 3.11']

[zooba]

CVE-2022-26488 is an escalation of privilege vulnerability in the Windows installer for the following releases of CPython:

• 3.11.0a6 and earlier
• 3.10.2 and earlier
• 3.9.10 and earlier
• 3.8.12 and earlier
• All end-of-life releases of 3.5, 3.6 and 3.7

The vulnerability exists when installed for all users, and when the "Add Python to PATH" option has been selected. A local user without administrative permissions can trigger a repair operation that adds incorrect additional paths to the system PATH variable, and then use search path hijacking to achieve escalation of privilege. Per-user installs (the default) are also affected, but cannot be used for escalation of privilege.

Besides updating, this vulnerability may be mitigated by modifying an existing install to disable the "Add Python to PATH" or "Add Python to environment variables" option. Manually adding the install directory to PATH is not affected.

Thanks to the Lockheed Martin Red Team for detecting and reporting the issue to the Python Security Response Team.