Bug 1889886 (CVE-2020-27619)

Summary: CVE-2020-27619 python: Unsafe use of eval() on data retrieved via HTTP in the test suite
Product: [Other] Security Response
Reporter: Todd Cullum <tcullum>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: python 3.6.13, python 3.7.10, python 3.8.7, python 3.9.1
Doc Text: In Python3's Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.
Last Closed: 2021-05-18 20:36:45 UTC
CC: bdettelb, carl, cstratak, dmalcolm, fcanogab, hhorak, jiehuang, jorton, jshepherd, kevin, kmullins, lbalhar, lzachar, manisandro, m.cyprian, mhroncok, pviktori, python-maint, python-sig, rkuska, shcherbina.iryna, slavek.kabrda, thrnciar, TicoTimo, tomckay, tomspur, torsava, vstinner
Bug Depends On: 1890221, 1890222, 1890223, 1890224, 1890225, 1890226, 1890227, 1890237, 1890238, 1890239, 1890240, 1890243, 1890244, 1959155, 1959156, 1969506, 1969511, 1972202, 1972203
Bug Blocks: 1886373

Description Todd Cullum 2020-10-20 19:57:29 UTC
In Python3's Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP. Affected versions include Python 3.10, Python 3.9, Python 3.8, Python 3.7, Python 3.6.

Comment 2 Tomas Orsava 2020-10-21 13:16:24 UTC
(In reply to Todd Cullum from comment #0)
> In Python3's Lib/test/multibytecodec_support.py CJK codec tests call eval()
> on content retrieved via HTTP. Affected versions include Python 3.10, Python
> 3.9, Python 3.8, Python 3.7, Python 3.6.

I can see 3 cases where the test suite is being run:

1. During build of each Python package - network connection is disabled, so this does not lead to a security vulnerability.
2. During testing by our QE - I'm not sure if network is enabled here (CC lzachar), could be a problem.
3. When a user manually runs the test suite from the python3*-test package.

In my opinion, case 3 is not serious enough to warrant active fixing (SCL/AppStream Pythons will get the fix eventually through a rebase).
Does that make sense, Todd?

Comment 3 Todd Cullum 2020-10-21 17:42:17 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 1890227]

Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1890221]

Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1890222]

Created python36 tracking bugs for this issue:

Affects: fedora-all [bug 1890223]

Created python37 tracking bugs for this issue:

Affects: fedora-all [bug 1890224]

Created python38 tracking bugs for this issue:

Affects: fedora-all [bug 1890225]

Created python39 tracking bugs for this issue:

Affects: fedora-all [bug 1890226]

Comment 7 Miro Hrončok 2020-10-21 18:40:25 UTC
The content received via HTTP is fetched from http://www.pythontest.net/ -- HTTPS is not used and if the content is forged by an attacker (e.g. MITM) it is executed.

In Fedora, the test suite is executed on several occasions:

 - offline, in Koji, during package build - safe
 - offline, in mock, when rebuilding the package - safe
 - online, in mock --enable-network or with plain rpmbuild, but the test suite is not executed with the network resource enabled - safe
 - online, by executing pythonX.Y -m test -u network - not safe

I consider the group of users who would run the test suite locally from the installed package so small that I'm inclined to close the Python 3.6+ Fedora bugs as UPSTREAM.

Comment 8 Tomas Orsava 2020-10-22 14:28:19 UTC
(In reply to Miro Hrončok from comment #7)
> The content received via HTTP is fetched from http://www.pythontest.net/ --
> HTTPS is not used and if the content is forged by an attacker (e.g. MITM) it
> is executed.
> 
> In Fedora, the test suite is executed on several occasions:
> 
>  - offline, in Koji, during package build - safe
>  - offline, in mock, when rebuilding the package - safe
>  - online, in mock --enable-network or with plain rpmbuild, but the test
> suite is not executed with the network resource enabled - safe
>  - online, by executing pythonX.Y -m test -u network - not safe
> 
> I consider the group of users who would run the test suite locally from the
> installed package so small that I'm inclined to close the Python 3.6+ Fedora
> bugs as UPSTREAM.

Agreed.

Comment 9 Miro Hrončok 2020-10-22 16:20:26 UTC
For clarity (if we decided not to close this as wontfix on 3.5 and 3.4), the 3.6 commit applies to 3.5 and 3.4 without modifications; however, it uses one f-string.

Comment 10 Todd Cullum 2020-10-26 17:18:31 UTC
Mitigation:

In versions of Python shipped with Red Hat Enterprise Linux and Red Hat Software Collections, the flaw can be mitigated by not running the Python tests with network resources enabled. By default, the tests are not run with network resources enabled. Ensure that neither `-u network` nor `-uall` is passed as an option to `python -m test`. For more information on how these options work, see [1].

1. https://docs.python.org/3/library/test.html
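To make concrete what comments 7 and 10 describe, the following added example (constructed for this page; it is neither CPython's test code nor the upstream patch) places the eval()-based parsing of a downloaded mapping-table line beside a hardened parser that accepts only literal hex tokens. The table layout, the sample lines and the function names are assumptions modelled on Unicode-style CJK mapping files.

```python
import re

# Constructed sample in the layout of a Unicode-style CJK mapping table:
# charset bytes, Unicode code point, comment.  Not from the page or CPython.
SAMPLE_LINES = [
    "# CP932 -> Unicode (constructed sample)",
    "0x41\t0x0041\t# LATIN CAPITAL LETTER A",
    "0x8140\t0x3000\t# IDEOGRAPHIC SPACE",
]

_HEX_TOKEN = re.compile(r"0x[0-9A-Fa-f]+")

def parse_line_unsafe(line):
    """The pattern behind the CVE: both fields go through eval(), so any
    Python expression in a forged table is evaluated (kept for comparison)."""
    data = line.split("#")[0].strip().split()
    if len(data) != 2:
        return None
    csetval = eval(data[0])
    csetch = csetval.to_bytes(max(1, (csetval.bit_length() + 7) // 8), "big")
    unich = "".join(chr(eval(tok)) for tok in data[1].split("+"))
    return csetch, unich

def parse_line(line):
    """Hardened parser: only literal 0xHH.. tokens are accepted and they are
    decoded with bytes.fromhex()/int(..., 16); anything else is a ValueError."""
    data = line.split("#")[0].strip().split()
    if len(data) != 2:
        return None                          # blank or comment-only line
    if not _HEX_TOKEN.fullmatch(data[0]):
        raise ValueError(f"bad charset field: {data[0]!r}")
    digits = data[0][2:]
    csetch = bytes.fromhex(digits if len(digits) % 2 == 0 else "0" + digits)
    unich = ""
    for tok in data[1].split("+"):           # 0xAAAA+0xBBBB: composed char
        if not _HEX_TOKEN.fullmatch(tok):
            raise ValueError(f"bad code point field: {tok!r}")
        unich += chr(int(tok, 16))
    return csetch, unich

def rejects(line):
    """True when the hardened parser refuses a line that eval() would accept."""
    try:
        parse_line(line)
    except ValueError:
        return True
    return False
```

On well-formed lines both parsers agree; the difference shows on a line such as `0x41+1`, which eval() silently computes while the hardened parser refuses it.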

Comment 11 Jason Shepherd 2020-10-28 22:47:30 UTC
As of Red Hat Quay 3.4 the python runtime will be consumed from RHEL. Currently releases up to 3.3 won't get fixes for this moderate issue.

Comment 12 Jason Shepherd 2020-10-29 03:22:03 UTC
Statement:

As of Red Hat Quay 3.4 the python runtime will be consumed from RHEL. Currently releases up to 3.3 won't get fixes for this moderate issue.

Comment 17 errata-xmlrpc 2021-05-18 13:51:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1633 https://access.redhat.com/errata/RHSA-2021:1633

Comment 18 Product Security DevOps Team 2021-05-18 20:36:45 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-27619

Comment 25 errata-xmlrpc 2021-08-24 08:05:22 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3252 https://access.redhat.com/errata/RHSA-2021:3252

Comment 26 errata-xmlrpc 2021-08-24 08:08:57 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254

Comment 27 errata-xmlrpc 2021-11-09 17:24:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4151 https://access.redhat.com/errata/RHSA-2021:4151

Comment 28 Todd Cullum 2021-12-23 22:25:17 UTC
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8 (python38:3.8/python38)

via RHSA-2021:4162 https://access.redhat.com/errata/RHSA-2021:4162