Bug 912976 (CVE-2023-40217, CVE-2023-41105) - <dev-lang/python-{3.8.18,3.9.18,3.10.13,3.11.5,3.12.0_rc1_p4}, <dev-python/pypy3_9-7.3.12_p2, <dev-python/pypy3_10-7.3.12_p5: Multiple vulnerabilities
Summary: <dev-lang/python-{3.8.18,3.9.18,3.10.13,3.11.5,3.12.0_rc1_p4}, <dev-python/py...
Status: IN_PROGRESS
Alias: CVE-2023-40217, CVE-2023-41105
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa?]
Keywords:
Depends on: 912978 912979 912980 912981 912988
Blocks:
Reported: 2023-08-24 20:55 UTC by Sam James
Modified: 2023-11-16 03:55 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-08-24 20:55:37 UTC
"Instances of ssl.SSLSocket are vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and could lead applications to treat unencrypted data received pre-TLS-handshake that is followed by an immediate connection close as if it were post-handshake TLS encrypted data."

3.8/3.9/3.10/3.11/3.12 are vulnerable, but they're not making a 3.12 release so we have to backport it manually.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-08-24 21:02:37 UTC
Another issue:
"""
Passing a path with null bytes to the os.path.normpath() function causes the returned path to be unexpectedly truncated
at the first occurrence of null bytes within the path. Python versions before 3.11.0 didn’t truncate the path on null
bytes.

This vulnerability is of severity: MEDIUM.

If allowlisting is applied before a call to os.path.normpath() is used later in the program, the allowlisting can be
circumvented if the path containing null bytes is constructed to pass the allowlist but then changes to the targeted
resource after truncation.
"""
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-08-25 02:33:58 UTC
TODO: I need to verify if pypy3 is actually affected.
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-08-26 13:32:38 UTC
Cleanup done.  I've left 3.12.0_beta4_p2 around since keeping an older version of the testing branch is helpful for regression testing.