878385 – (CVE-2022-42919) <dev-lang/python-{3.9.15,3.10.8}_p1 <dev-python/pypy3-7.3.9_p7: local privilege escalation via the multiprocessing forkserver start method

Bug 878385 (CVE-2022-42919) - <dev-lang/python-{3.9.15,3.10.8}_p1 <dev-python/pypy3-7.3.9_p7: local privilege escalation via the multiprocessing forkserver start method

Summary: <dev-lang/python-{3.9.15,3.10.8}_p1 <dev-python/pypy3-7.3.9_p7: local privile...

Status:	RESOLVED FIXED

Alias:	CVE-2022-42919

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://github.com/python/cpython/iss...
Whiteboard:	A3 [glsa+]
Keywords:

Depends on:	878379 878381 878383 878643
Blocks:
	Show dependency tree

Reported:	2022-10-26 15:59 UTC by Michał Górny
Modified:	2023-05-03 09:35 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michał Górny archtester

2022-10-26 15:59:04 UTC

I don't see a CVE or even a proper bugref but it's listed in 'Security' category of news.


commit 49f61068f49747164988ffc5a442d2a63874fc17
Author:     Gregory P. Smith <greg@krypto.org>
AuthorDate: 2022-10-21 00:30:09 +0200
Commit:     GitHub <noreply@github.com>
CommitDate: 2022-10-21 00:30:09 +0200

    gh-97514: Don't use Linux abstract sockets for multiprocessing (#98501)
    
    Linux abstract sockets are insecure as they lack any form of filesystem
    permissions so their use allows anyone on the system to inject code into
    the process.
    
    This removes the default preference for abstract sockets in
    multiprocessing introduced in Python 3.9+ via
    https://github.com/python/cpython/pull/18866 while fixing
    https://github.com/python/cpython/issues/84031.
    
    Explicit use of an abstract socket by a user now generates a
    RuntimeWarning.  If we choose to keep this warning, it should be
    backported to the 3.7 and 3.8 branches.

Comment 1 Michał Górny archtester

2022-10-29 06:01:31 UTC

cleanup done

Comment 2 Michał Górny archtester

2022-10-29 06:03:23 UTC

Hmm, pypy3 is also affected.

Comment 3 John Helmert III archtester

2022-10-31 03:01:11 UTC

Please cleanup.

Very hard to call this a root privilege escalation without anything apparent to exploit, leaving at 3.

Comment 4 Michał Górny archtester

2022-10-31 13:56:12 UTC

pypy3 cleanup done too.

Comment 5 John Helmert III archtester

2022-11-19 01:15:58 UTC

GLSA requested

Comment 6 Larry the Git Cow gentoo-dev

2023-05-03 09:31:57 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=721dfacf17914fe5f7bfa3d0b401379d6318f7b1

commit 721dfacf17914fe5f7bfa3d0b401379d6318f7b1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 09:12:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 09:31:45 +0000

    [ GLSA 202305-02 ] Python, PyPy3: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/787260
    Bug: https://bugs.gentoo.org/793833
    Bug: https://bugs.gentoo.org/811165
    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/835443
    Bug: https://bugs.gentoo.org/838250
    Bug: https://bugs.gentoo.org/864747
    Bug: https://bugs.gentoo.org/876815
    Bug: https://bugs.gentoo.org/877851
    Bug: https://bugs.gentoo.org/878385
    Bug: https://bugs.gentoo.org/880629
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-02.xml | 107 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 107 insertions(+)