Bug 2235795 (CVE-2023-41105)

Summary: CVE-2023-41105 python: file path truncation at \0 characters
Product: [Other] Security Response Reporter: Chess Hazlett <chazlett>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adudiak, dfreiber, hhorak, jburrell, jorton, kshier, kyoshida, python-maint, rogbas, stcannon, tfister, vkumar, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Pyhton 3.11.5 Doc Type: If docs needed, set a value
Doc Text:
Python 3.11 os.path.normpath() function is vulnerable to path truncation if a null byte is inserted in the middle of passed path. This may result in bypass of allow lists if implemented before the verification of the path.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2235796, 2235797    
Bug Blocks: 2235780    

Description Chess Hazlett 2023-08-29 18:49:50 UTC 
Collected: Wed 23 Aug 2023 06:51:31 -0400
Bug URL:https://bugs.gentoo.org/912976
Severity:Moderate
CVE(s): CVE-2023-41105

An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.

https://github.com/python/cpython/pull/107982
https://github.com/python/cpython/pull/107983
https://github.com/python/cpython/pull/107981
https://github.com/python/cpython/issues/106242
https://mail.python.org/archives/list/security-announce@python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/
Comment 3 errata-xmlrpc 2023-11-07 08:18:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6494 https://access.redhat.com/errata/RHSA-2023:6494
Comment 4 errata-xmlrpc 2023-11-14 15:18:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7024 https://access.redhat.com/errata/RHSA-2023:7024
Comment 5 errata-xmlrpc 2023-11-14 15:18:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7024 https://access.redhat.com/errata/RHSA-2023:7024