Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 919475 (CVE-2023-6507)

Summary: <dev-lang/python-3.12.1:12: Groups not dropped before running subprocess when using empty 'extra_groups' parameter
Product: Gentoo Security Reporter: Michał Górny <mgorny>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A4 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 919476    
Bug Blocks:    

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-12-08 19:18:25 UTC
An issue was found in CPython 3.12.0 `subprocess` module on POSIX
platforms. The issue was fixed in CPython 3.12.1 and does not affect other
stable releases.

It's recommended that if you are affected to upgrade to the latest CPython
3.12.1.


*Affected usages:*

When using the `extra_groups=` parameter with an empty list as a value (ie
`extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)`
before calling `exec()`, thus not dropping the original processes' groups
before starting the new process. There is no issue when the parameter isn't
used or when any value is used besides an empty list.

This issue only impacts CPython processes run with sufficient privilege to
make the `setgroups` system call (typically `root`).

*References:*

   - CVE: https://www.cve.org/CVERecord?id=CVE-2023-6507
   - Patch: https://github.com/python/cpython/pull/112617
   - Issue: https://github.com/python/cpython/issues/112334
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-12-10 19:18:07 UTC
cleanup done.
Comment 2 Larry the Git Cow gentoo-dev 2024-05-04 06:00:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=665ec86173a28118d28182d8381d593988f1adac

commit 665ec86173a28118d28182d8381d593988f1adac
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-04 05:59:08 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-04 06:00:31 +0000

    [ GLSA 202405-01 ] Python, PyPy3: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/884653
    Bug: https://bugs.gentoo.org/897958
    Bug: https://bugs.gentoo.org/908018
    Bug: https://bugs.gentoo.org/912976
    Bug: https://bugs.gentoo.org/919475
    Bug: https://bugs.gentoo.org/927299
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-01.xml | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)