
Bug 912976 (CVE-2023-40217, CVE-2023-41105)

Summary: <dev-lang/python-{3.8.18,3.9.18,3.10.13,3.11.5,3.12.0_rc1_p4}, <dev-python/pypy3_9-7.3.12_p2, <dev-python/pypy3_10-7.3.12_p5: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: mgorny, python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/python/cpython/issues/108310, https://github.com/python/cpython/issues/106242
Whiteboard: A3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 912978, 912979, 912980, 912981, 912988
Bug Blocks:

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-08-24 20:55:37 UTC
"Instances of ssl.SSLSocket are vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and could lead applications to treat unencrypted data received pre-TLS-handshake that is followed by an immediate connection close as if it were post-handshake TLS encrypted data."

3.8/3.9/3.10/3.11/3.12 are vulnerable, but they're not making a 3.12 release so we have to backport it manually.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-08-24 21:02:37 UTC
Another issue:
"""
Passing a path with null bytes to the os.path.normpath() function causes the returned path to be unexpectedly truncated
at the first occurrence of null bytes within the path. Python versions before 3.11.0 didn’t truncate the path on null
bytes.

This vulnerability is of severity: MEDIUM.

If allowlisting is applied before a call to os.path.normpath() is used later in the program, the allowlisting can be
circumvented if the path containing null bytes is constructed to pass the allowlist but then change to the targeted
resource after truncation.
"""
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-08-25 02:33:58 UTC
TODO: I need to verify if pypy3 is actually affected.
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-08-26 13:32:38 UTC
Cleanup done. I've left 3.12.0_beta4_p2 around since keeping an older version of the testing branch is helpful for regression testing.
Comment 4 Larry the Git Cow gentoo-dev 2024-05-04 06:00:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=665ec86173a28118d28182d8381d593988f1adac

commit 665ec86173a28118d28182d8381d593988f1adac
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-04 05:59:08 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-04 06:00:31 +0000

    [ GLSA 202405-01 ] Python, PyPy3: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/884653
    Bug: https://bugs.gentoo.org/897958
    Bug: https://bugs.gentoo.org/908018
    Bug: https://bugs.gentoo.org/912976
    Bug: https://bugs.gentoo.org/919475
    Bug: https://bugs.gentoo.org/927299
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-01.xml | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)