-
-
Notifications
You must be signed in to change notification settings - Fork 29.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[CVE-2022-26488] Escalation of privilege via Windows Installer #91104
Comments
CVE-2022-26488 is an escalation of privilege vulnerability in the Windows installer for the following releases of CPython:
The vulnerability exists when installed for all users, and when the "Add Python to PATH" option has been selected. A local user without administrative permissions can trigger a repair operation that adds incorrect additional paths to the system PATH variable, and then use search path hijacking to achieve escalation of privilege. Per-user installs (the default) are also affected, but cannot be used for escalation of privilege. Besides updating, this vulnerability may be mitigated by modifying an existing install to disable the "Add Python to PATH" or "Add Python to environment variables" option. Manually adding the install directory to PATH is not affected. Thanks to the Lockheed Martin Red Team for detecting and reporting the issue to the Python Security Response Team. |
The 3.11.0a6 release is ongoing. I assume is ok to not block this release on this issue, given that an alpha is inherently unsafe |
Yeah, this is fine to still be in alpha 6. Very unlikely that anyone is making it a system-wide default anyway, and certainly not in secure/production systems. |
New changeset 136842c by Steve Dower in branch '3.10': |
New changeset 77446d2 by Steve Dower in branch 'main': |
New changeset 101a1be by Steve Dower in branch '3.9': |
New changeset 9747627 by Steve Dower in branch '3.7': |
Is there anything on our end we can do to prevent this kind of issue in the future? Am I wrong to see this as just fixing our package to avoid a design flaw in Windows OS level package management? Certainly other packages in the world must run into similar problems. |
New changeset cff1b78 by Steve Dower in branch '3.8': |
Probably not, I think it's just a lesson learned about the capabilities of the MSI format and its integration with Windows (well, we could hurry up moving everyone to the Windows Store, which doesn't have this issue, but that seems unlikely ;) ) Similar issues have been reported to the Windows Installer team (e.g. CVE-2021-41379, CVE-2021-26415) that could have been fixed by disabling the unelevated repair function, but weren't. So I think it just has to become a known thing for people building MSIs that a "repair" can be run by non-elevated users, and install-time variables may not be preserved for the repair. (In our case, that means actually searching for the existing install rather than trusting the variable our bundle normally provides to the MSI.) |
The fix for this regressed the installer for the py.exe launcher, which breaks our release builds. I'm patching it now. It's going under the same issue number because it will be needed for anyone applying this patch directly and then building the installer themselves. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: