Описание
Security update for python39
This update for python39 fixes the following issues:
Security fixes:
- CVE-2022-42919: Fixed local privilege escalation via the multiprocessing forkserver start method (bsc#1204886).
- CVE-2022-45061: Fixed a quadratic IDNA decoding time (bsc#1205244).
Other fixes:
-
Allow building of documentation with the latest Sphinx 5.3.0 (gh#python/cpython#98366).
-
Update to 3.9.15:
- Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size.
- Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. (originally filed as CVE-2022-37460, later withdrawn)
- Fix command line parsing: reject -X int_max_str_digits option with no value (invalid) when the PYTHONINTMAXSTRDIGITS environment variable is set to a valid limit.
- When ValueError is raised if an integer is larger than the limit, mention the sys.set_int_max_str_digits() function in the error message.
- Update bundled libexpat to 2.4.9
Список пакетов
Container bci/python:3
Container containers/python:3.9
Image python_15_6
SUSE Linux Enterprise Module for Basesystem 15 SP3
SUSE Linux Enterprise Module for Development Tools 15 SP3
openSUSE Leap 15.3
openSUSE Leap 15.4
Ссылки
- Link for SUSE-SU-2022:4071-1
- E-Mail link for SUSE-SU-2022:4071-1
- SUSE Security Ratings
- SUSE Bug 1204886
- SUSE Bug 1205244
- SUSE CVE CVE-2022-42919 page
- SUSE CVE CVE-2022-45061 page
Описание
Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.
Затронутые продукты
Ссылки
- CVE-2022-42919
- SUSE Bug 1204886
Описание
An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.
Затронутые продукты
Ссылки
- CVE-2022-45061
- SUSE Bug 1205244
- SUSE Bug 1211488