Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 878385 (CVE-2022-42919)

Summary: <dev-lang/python-{3.9.15,3.10.8}_p1 <dev-python/pypy3-7.3.9_p7: local privilege escalation via the multiprocessing forkserver start method
Product: Gentoo Security Reporter: Michał Górny <mgorny>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: normal CC: python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/python/cpython/issues/97514
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 878379, 878381, 878383, 878643    
Bug Blocks:    

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-10-26 15:59:04 UTC 
I don't see a CVE or even a proper bugref but it's listed in 'Security' category of news.


commit 49f61068f49747164988ffc5a442d2a63874fc17
Author:     Gregory P. Smith <greg@krypto.org>
AuthorDate: 2022-10-21 00:30:09 +0200
Commit:     GitHub <noreply@github.com>
CommitDate: 2022-10-21 00:30:09 +0200

    gh-97514: Don't use Linux abstract sockets for multiprocessing (#98501)
    
    Linux abstract sockets are insecure as they lack any form of filesystem
    permissions so their use allows anyone on the system to inject code into
    the process.
    
    This removes the default preference for abstract sockets in
    multiprocessing introduced in Python 3.9+ via
    https://github.com/python/cpython/pull/18866 while fixing
    https://github.com/python/cpython/issues/84031.
    
    Explicit use of an abstract socket by a user now generates a
    RuntimeWarning.  If we choose to keep this warning, it should be
    backported to the 3.7 and 3.8 branches.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-10-29 06:01:31 UTC 
cleanup done
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-10-29 06:03:23 UTC 
Hmm, pypy3 is also affected.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 03:01:11 UTC 
Please cleanup.

Very hard to call this a root privilege escalation without anything apparent to exploit, leaving at 3.
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 13:56:12 UTC 
pypy3 cleanup done too.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-19 01:15:58 UTC 
GLSA requested