Fix for CVE-2022-42919
This commit is contained in:
Lumir Balhar
parent
4a5d76b5fe
commit
3bae8212c1
@ -0,0 +1,64 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: "Miss Islington (bot)"
|
||||
<31488909+miss-islington@users.noreply.github.com>
|
||||
Date: Fri, 28 Oct 2022 03:08:30 -0700
|
||||
Subject: [PATCH] 00391: Don't use Linux abstract sockets for multiprocessing
|
||||
|
||||
Linux abstract sockets are insecure as they lack any form of filesystem
|
||||
permissions so their use allows anyone on the system to inject code into
|
||||
the process.
|
||||
|
||||
This removes the default preference for abstract sockets in
|
||||
multiprocessing introduced in Python 3.9+ via
|
||||
https://github.com/python/cpython/pull/18866 while fixing
|
||||
https://github.com/python/cpython/issues/84031.
|
||||
|
||||
Explicit use of an abstract socket by a user now generates a
|
||||
RuntimeWarning. If we choose to keep this warning, it should be
|
||||
backported to the 3.7 and 3.8 branches.
|
||||
(cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17)
|
||||
|
||||
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
||||
---
|
||||
Lib/multiprocessing/connection.py | 5 -----
|
||||
.../2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst | 15 +++++++++++++++
|
||||
2 files changed, 15 insertions(+), 5 deletions(-)
|
||||
create mode 100644 Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
|
||||
|
||||
diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
|
||||
index 510e4b5aba..8e2facf92a 100644
|
||||
--- a/Lib/multiprocessing/connection.py
|
||||
+++ b/Lib/multiprocessing/connection.py
|
||||
@@ -73,11 +73,6 @@ def arbitrary_address(family):
|
||||
if family == 'AF_INET':
|
||||
return ('localhost', 0)
|
||||
elif family == 'AF_UNIX':
|
||||
- # Prefer abstract sockets if possible to avoid problems with the address
|
||||
- # size. When coding portable applications, some implementations have
|
||||
- # sun_path as short as 92 bytes in the sockaddr_un struct.
|
||||
- if util.abstract_sockets_supported:
|
||||
- return f"\0listener-{os.getpid()}-{next(_mmap_counter)}"
|
||||
return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir())
|
||||
elif family == 'AF_PIPE':
|
||||
return tempfile.mktemp(prefix=r'\\.\pipe\pyc-%d-%d-' %
|
||||
diff --git a/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
|
||||
new file mode 100644
|
||||
index 0000000000..02d95b5705
|
||||
--- /dev/null
|
||||
+++ b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
|
||||
@@ -0,0 +1,15 @@
|
||||
+On Linux the :mod:`multiprocessing` module returns to using filesystem backed
|
||||
+unix domain sockets for communication with the *forkserver* process instead of
|
||||
+the Linux abstract socket namespace. Only code that chooses to use the
|
||||
+:ref:`"forkserver" start method <multiprocessing-start-methods>` is affected.
|
||||
+
|
||||
+Abstract sockets have no permissions and could allow any user on the system in
|
||||
+the same `network namespace
|
||||
+<https://man7.org/linux/man-pages/man7/network_namespaces.7.html>`_ (often the
|
||||
+whole system) to inject code into the multiprocessing *forkserver* process.
|
||||
+This was a potential privilege escalation. Filesystem based socket permissions
|
||||
+restrict this to the *forkserver* process user as was the default in Python 3.8
|
||||
+and earlier.
|
||||
+
|
||||
+This prevents Linux `CVE-2022-42919
|
||||
+<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_.
|
||||
@ -17,7 +17,7 @@ URL: https://www.python.org/
|
||||
#global prerel ...
|
||||
%global upstream_version %{general_version}%{?prerel}
|
||||
Version: %{general_version}%{?prerel:~%{prerel}}
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: Python
|
||||
|
||||
|
||||
@ -397,6 +397,23 @@ Patch371: 00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-g
|
||||
# Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
|
||||
Patch382: 00382-cve-2015-20107.patch
|
||||
|
||||
# 00391 # e6d12d8fca6afad3a56dc076c220f213b723a28e
|
||||
# Don't use Linux abstract sockets for multiprocessing
|
||||
#
|
||||
# Linux abstract sockets are insecure as they lack any form of filesystem
|
||||
# permissions so their use allows anyone on the system to inject code into
|
||||
# the process.
|
||||
#
|
||||
# This removes the default preference for abstract sockets in
|
||||
# multiprocessing introduced in Python 3.9+ via
|
||||
# https://github.com/python/cpython/pull/18866 while fixing
|
||||
# https://github.com/python/cpython/issues/84031.
|
||||
#
|
||||
# Explicit use of an abstract socket by a user now generates a
|
||||
# RuntimeWarning. If we choose to keep this warning, it should be
|
||||
# backported to the 3.7 and 3.8 branches.
|
||||
Patch391: 00391-don-t-use-linux-abstract-sockets-for-multiprocessing.patch
|
||||
|
||||
# (New patches go here ^^^)
|
||||
#
|
||||
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
||||
@ -1812,6 +1829,10 @@ CheckPython optimized
|
||||
# ======================================================
|
||||
|
||||
%changelog
|
||||
* Wed Nov 09 2022 Lumír Balhar <lbalhar@redhat.com> - 3.9.15-2
|
||||
- Fix for CVE-2022-42919
|
||||
Resolves: rhbz#2138711
|
||||
|
||||
* Wed Oct 12 2022 Miro Hrončok <mhroncok@redhat.com> - 3.9.15-1
|
||||
- Update to 3.9.15
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user