Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 912976 (CVE-2023-40217, CVE-2023-41105) - <dev-lang/python-{3.8.18,3.9.18,3.10.13,3.11.5,3.12.0_rc1_p4}, <dev-python/pypy3_9-7.3.12_p2, <dev-python/pypy3_10-7.3.12_p5: Multiple vulnerabilities
Summary: <dev-lang/python-{3.8.18,3.9.18,3.10.13,3.11.5,3.12.0_rc1_p4}, <dev-python/py...
Status: RESOLVED FIXED
Alias: CVE-2023-40217, CVE-2023-41105
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+]
Keywords:
Depends on: 912978 912979 912980 912981 912988
Blocks:
  Show dependency tree
 
Reported: 2023-08-24 20:55 UTC by Sam James
Modified: 2024-05-04 06:03 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-08-24 20:55:37 UTC
"Instances of ssl.SSLSocket are vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and could lead applications to treat unencrypted data received pre-TLS-handshake that is followed by an immediate connection close as if it were post-handshake TLS encrypted data."

3.8/3.9/3.10/3.11/3.12 are vulnerable, but they're not making a 3.12 release so we have to backport it manually.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-08-24 21:02:37 UTC
Another issue:
"""
Passing a path with null bytes to the os.path.normpath() function causes the returned path to be unexpectedly truncated
at the first occurrence of null bytes within the path. Python versions before 3.11.0 didn’t truncate the path on null
bytes.

This vulnerability is of severity: MEDIUM.

If allowlisting is applied before a call to os.path.normpath() is used later in the program, the allowlisting can be
circumvented if the path containing null bytes is constructed to pass the allowlist but then change to the targeted
resource after truncation.
"""
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-08-25 02:33:58 UTC
TODO: I need to verify if pypy3 is actually affected.
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-08-26 13:32:38 UTC
Cleanup done.  I've left 3.12.0_beta4_p2 around since keeping an older version of the testing branch is helpful for regression testing.
Comment 4 Larry the Git Cow gentoo-dev 2024-05-04 06:00:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=665ec86173a28118d28182d8381d593988f1adac

commit 665ec86173a28118d28182d8381d593988f1adac
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-04 05:59:08 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-04 06:00:31 +0000

    [ GLSA 202405-01 ] Python, PyPy3: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/884653
    Bug: https://bugs.gentoo.org/897958
    Bug: https://bugs.gentoo.org/908018
    Bug: https://bugs.gentoo.org/912976
    Bug: https://bugs.gentoo.org/919475
    Bug: https://bugs.gentoo.org/927299
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-01.xml | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)