Bug 1855039 (CVE-2020-8315)

Summary: CVE-2020-8315 python: unsafe dll loading in getpathp.c on Windows
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adev88, bdettelb, carl, cstratak, dmalcolm, extras-orphan, hhorak, jeffrey.ness, jorton, jschorr, kevin, manisandro, m.cyprian, mhroncok, mplch, pviktori, python-maint, python-sig, rkuska, shcherbina.iryna, slavek.kabrda, steve.traylen, thrnciar, TicoTimo, tomckay, tomspur, torsava, vstinner
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
In Python (CPython) an insecure dependency load upon launch on Windows 7 may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system's copy. Windows 8 and later are unaffected.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-09 13:27:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1855040    

Description Guilherme de Almeida Suckevicz 2020-07-08 18:02:16 UTC
In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system's copy. Windows 8 and later are unaffected.

Reference:
https://bugs.python.org/issue39401

Comment 2 Product Security DevOps Team 2020-07-09 13:27:37 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8315

Comment 3 Todd Cullum 2020-07-09 16:08:49 UTC
Statement:

This does not affect python as shipped with Red Hat Enterprise Linux of any version, Red Hat Software Collections, or any other Red Hat product. The behavior is specific to Windows proprietary APIs and the Portable Executable (DLL) loading processes.