Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 787437 (CVE-2020-27619) - [Tracker] Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP (CVE-2020-27619)
Summary: [Tracker] Lib/test/multibytecodec_support.py CJK codec tests call eval() on c...
Status: CONFIRMED
Alias: CVE-2020-27619
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://python-security.readthedocs.i...
Whiteboard:
Keywords: Tracker
Depends on: 774114 787440 CVE-2021-3426
Blocks:
  Show dependency tree
 
Reported: 2021-05-01 15:34 UTC by Thomas Deutschmann
Modified: 2021-07-29 18:11 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev 2021-05-01 15:34:11 UTC
CJK codecs tests call eval() on content retrieved via HTTP

By default, the tests are not run with network resources enabled and so the Python test suite is safe.

But if the Python test suite is run explicitly with the “network” resource enabled (-u network or -u all command line option), the CJK codecs tests of the Python test suite run eval() on content received via HTTP from pythontest.net.

If an attacker can compromise the pythontest.net server, they gain arbitrary code execution on all buildbots.

If an attacker has control over the network connection of a machine running the Python test suite, they gain arbitrary code execution there.

make testall, make testuniversal and make buildbottest commands are impacted (pass -u all option to the test suite).

The CI of the Python project is impacted (buildbot, Travis CI, GitHub Action, Azure Pipelines).

With the fix, content is still retrieved via HTTP, but the unsafe eval() function is no longer used.

    Disclosure date: 2020-10-05 (Python issue bpo-41944 reported)
    Reported at: 2020-10-05 (email sent to the PSRT list)
    Reported by: Florian Bruhin

Fixed In
========
    Python 3.6.13 (2021-02-16) fixed by commit e912e94 (branch 3.6) (2020-10-20)
    Python 3.7.10 (2021-02-16) fixed by commit 43e5231 (branch 3.7) (2020-10-20)
    Python 3.8.7 (2020-12-21) fixed by commit 6c6c256 (branch 3.8) (2020-10-06)
    Python 3.9.1 (2020-12-07) fixed by commit b664a1d (branch 3.9) (2020-10-06)

Python issue
============
[security] Python testsuite calls eval() on content received via HTTP.

    Python issue: bpo-41944
    Creation date: 2020-10-05
    Reporter: Serhiy Storchaka

CVE-2020-27619
==============
In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.

    CVE ID: CVE-2020-27619
    Published: 2020-10-22
    CVSS Score: 7.5
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:22:37 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:30:53 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:38:50 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:46:59 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 18:02:57 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:11:15 UTC
Package list is empty or all packages have requested keywords.