Bug 1935913 (CVE-2021-3426)

Summary: CVE-2021-3426 python: Information disclosure via pydoc
Product: [Other] Security Response
Reporter: msiddiqu
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: adev88, bdettelb, carl, cstratak, dmalcolm, hhorak, jeffrey.ness, jorton, kaycoth, lbalhar, manisandro, m.cyprian, mhroncok, pviktori, python-maint, python-sig, rkuska, security-response-team, shcherbina.iryna, slavek.kabrda, steve.traylen, thrnciar, TicoTimo, tomckay, tomspur, torsava, vstinner
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: python 3.8.9, python 3.9.3, python 3.10.0a7
Doc Text:
A flaw was found in Python 3's pydoc. A local or adjacent attacker who discovers a running pydoc server, or who can convince another local or adjacent user to start one, can access that server and use it to disclose sensitive information belonging to the other user that the attacker would not normally be able to read. The highest threat from this vulnerability is to data confidentiality.
Last Closed: 2021-08-24 15:34:58 UTC
Bug Depends On: 1936698, 1936699, 1936700, 1936701, 1936702, 1936703, 1936931, 1936933, 1936936, 1936937, 1937474, 1937475, 1937476, 1937477, 1937479, 1937480, 1937481, 1937482, 1937483, 1969518
Bug Blocks: 1919196, 1937052

Description msiddiqu 2021-03-05 19:20:02 UTC
Running `pydoc -p` allows other local users to extract arbitrary files

Comment 11 Todd Cullum 2021-03-10 00:11:13 UTC
Not sure why it's not mentioned upstream, but in Python 3.7.0 alpha 1+, pydoc has the -n command[1][2]. So using -n can additionally expose this to adjacent attackers rather than just local attackers.

1. https://bugs.python.org/issue31128
2. https://github.com/python/cpython/commit/6a396c9807b1674a24e240731f18e20de97117a5

Comment 13 Todd Cullum 2021-03-10 00:32:09 UTC
Statement:

Red Hat Quay from version 3.4 uses Python from Red Hat Enterprise Linux RPM repositories and therefore may receive an update for this issue in a future release. Earlier versions of Red Hat Quay will not receive a patch for this issue.

Python 2.x.x as shipped in any Red Hat product is not affected. This flaw is out of support scope for python3 as shipped with Red Hat Enterprise Linux 7. For more information about Red Hat Enterprise Linux support scope, please see https://access.redhat.com/support/policy/updates/errata/.

Comment 16 Todd Cullum 2021-03-10 17:53:06 UTC
There is not yet a fix in an upstream Python release at this time.

Comment 17 Todd Cullum 2021-03-10 18:00:58 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-32 [bug 1937475]
Affects: fedora-33 [bug 1937483]

Created python3 tracking bugs for this issue:

Affects: fedora-32 [bug 1937476]

Created python34 tracking bugs for this issue:

Affects: epel-7 [bug 1937474]
Affects: fedora-32 [bug 1937477]

Created python35 tracking bugs for this issue:

Affects: fedora-32 [bug 1937479]

Created python36 tracking bugs for this issue:

Affects: fedora-32 [bug 1937480]

Created python37 tracking bugs for this issue:

Affects: fedora-32 [bug 1937481]

Created python39 tracking bugs for this issue:

Affects: fedora-32 [bug 1937482]

Comment 19 Todd Cullum 2021-04-08 22:03:52 UTC
Mitigation:

Use the console (no argument needed) or HTML file (-w argument) output to generate docs rather than the HTTP server options. Put differently, do not use the -p or -n options of pydoc.
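An added defender-side audit that is not part of this bug report or of pydoc: it walks /proc on a Linux host, finds running pydoc invocations, and reports which ones are serving over HTTP and how far they are exposed, following the distinction drawn in comments 11 and 19 (`-p` binds on localhost, so other local users can reach it; `-n` can bind a non-loopback address, so adjacent network users can reach it). The function names, the `exposure` labels and the treatment of `-b` (which also starts the server on localhost, though this bug names only `-p` and `-n`) are my own.

```python
import os

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def _pydoc_args(argv):
    """pydoc's own arguments if argv is 'pydoc ...' or 'python ... -m pydoc ...', else None."""
    prog = os.path.basename(argv[0]) if argv else ""
    if prog.startswith("pydoc"):
        return argv[1:]
    m = argv.index("-m") if "-m" in argv else -1
    if prog.startswith("python") and m >= 0 and argv[m + 1:m + 2] == ["pydoc"]:
        return argv[m + 2:]
    return None

def classify_pydoc_cmdline(argv):
    """None unless argv starts a pydoc HTTP server, else {'host', 'port', 'exposure'}:
    'local' = loopback bind (other users on this host), 'adjacent' = non-loopback (network)."""
    if (args := _pydoc_args(argv)) is None:
        return None
    host, port, serving = "localhost", "0", False   # pydoc's own defaults
    i = 0
    while i < len(args):
        opt, val = args[i][:2], args[i][2:]
        if opt in ("-p", "-n", "-k") and not val:   # getopt accepts '-p 8080' and '-p8080'
            i += 1
            val = args[i] if i < len(args) else ""
        if opt == "-p":
            serving, port = True, val
        elif opt == "-n":
            serving, host = True, val
        elif opt == "-b":   # also starts the server, on localhost (not named in this bug)
            serving = True
        i += 1
    if not serving:
        return None   # console or -w (HTML file) output: the modes the mitigation recommends
    return {"host": host, "port": port, "exposure": "local" if host in LOOPBACK else "adjacent"}

def scan_proc(proc="/proc"):
    """Walk /proc (Linux) and return [(pid, info)] for every running pydoc server."""
    findings = []
    for pid in (p for p in os.listdir(proc) if p.isdigit()):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as f:
                raw = f.read().split(b"\0")[:-1]
        except OSError:
            continue   # process exited, or its /proc entry is not readable
        info = classify_pydoc_cmdline([a.decode(errors="replace") for a in raw])
        if info:
            findings.append((int(pid), info))
    return findings
```

Run `scan_proc()` as root (or as any user; /proc/PID/cmdline is world-readable on most systems) and treat every `adjacent` finding, and every `local` finding on a multi-user host, as a server to stop until the fixed Python versions listed above are installed.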

Comment 23 errata-xmlrpc 2021-08-24 08:09:10 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254

Comment 24 Product Security DevOps Team 2021-08-24 15:34:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3426

Comment 25 errata-xmlrpc 2021-11-09 17:27:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4160 https://access.redhat.com/errata/RHSA-2021:4160

Comment 26 errata-xmlrpc 2021-11-09 17:28:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4162 https://access.redhat.com/errata/RHSA-2021:4162

Comment 27 errata-xmlrpc 2021-11-09 18:37:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4399 https://access.redhat.com/errata/RHSA-2021:4399