Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 919475 (CVE-2023-6507) - <dev-lang/python-3.12.1:12: Groups not dropped before running subprocess when using empty 'extra_groups' parameter
Summary: <dev-lang/python-3.12.1:12: Groups not dropped before running subprocess when...
Status: CONFIRMED
Alias: CVE-2023-6507
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A4 [glsa?]
Keywords:
Depends on: 919476
Blocks:
  Show dependency tree
 
Reported: 2023-12-08 19:18 UTC by Michał Górny
Modified: 2023-12-22 01:41 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-12-08 19:18:25 UTC
An issue was found in CPython 3.12.0 `subprocess` module on POSIX
platforms. The issue was fixed in CPython 3.12.1 and does not affect other
stable releases.

It's recommended that if you are affected to upgrade to the latest CPython
3.12.1.


*Affected usages:*

When using the `extra_groups=` parameter with an empty list as a value (ie
`extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)`
before calling `exec()`, thus not dropping the original processes' groups
before starting the new process. There is no issue when the parameter isn't
used or when any value is used besides an empty list.

This issue only impacts CPython processes run with sufficient privilege to
make the `setgroups` system call (typically `root`).

*References:*

   - CVE: https://www.cve.org/CVERecord?id=CVE-2023-6507
   - Patch: https://github.com/python/cpython/pull/112617
   - Issue: https://github.com/python/cpython/issues/112334
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-12-10 19:18:07 UTC
cleanup done.