Bug 2318646 (CVE-2024-9979, RUSTSEC-2024-0378)

Summary: CVE-2024-9979 pyo3: Risk of use-after-free in `borrowed` reads from Python weak references
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: brking, cstratak, haoli, hkataria, jcammara, jmitchel, jneedle, kegrant, koliveir, kshier, lbalhar, mabashia, pbraun, shvarugh, simaishi, smcdonal, stcannon, teagle, tfister, thavo, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in PyO3. This vulnerability causes a use-after-free issue, potentially leading to memory corruption or crashes via unsound borrowing from weak Python references.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2024-10-14 21:01:48 UTC
The family of functions to read "borrowed" values from Python weak references
was fundamentally unsound, because the weak reference does not itself have
ownership of the value. At any point the last strong reference could
be cleared and the borrowed value would become dangling.

In PyO3 0.22.4 these functions have all been deprecated and patched to leak a
strong reference as a mitigation. PyO3 0.23 will remove these functions entirely.
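Added illustration, not code from PyO3 or from this bug report: the three shapes the description contrasts (a borrowed read that owns nothing, a read through an upgraded strong reference, and the 0.22.4 mitigation of leaking a strong reference), modelled in plain Rust with `std::rc` standing in for Python's reference counting. The function names and the `String` referent are this example's own choices.

```rust
use std::mem;
use std::rc::{Rc, Weak};

// Unsound shape, the pattern the deprecated `borrowed` readers followed:
// hand out a pointer derived from the weak reference alone. Nothing holds the
// referent alive, so it dangles as soon as the last strong owner is dropped.
// It is returned as a raw pointer here so the example never dereferences it.
fn borrowed_from_weak(w: &Weak<String>) -> *const String {
    w.as_ptr()
}

// Sound shape: upgrade to an owned strong reference first. `None` means the
// referent is already gone; `Some` keeps it alive for as long as it is held.
fn read_via_upgrade(w: &Weak<String>) -> Option<String> {
    w.upgrade().map(|strong| (*strong).clone())
}

// Mitigation shape described for PyO3 0.22.4: take a strong reference and leak
// it, so the referent can no longer be freed underneath callers of the old API.
fn read_leaking_strong(w: &Weak<String>) -> Option<String> {
    let strong = w.upgrade()?;
    mem::forget(Rc::clone(&strong)); // deliberately never decremented
    Some((*strong).clone())
}

// Timeline of one referent under each shape. Returns:
// (readable while owned, readable after the owner is dropped,
//  unsound pointer unchanged after the drop although the value is gone,
//  referent still readable after the mitigation leaked a strong reference)
pub fn timeline() -> (bool, bool, bool, bool) {
    let owner = Rc::new(String::from("referent"));
    let weak = Rc::downgrade(&owner);
    let readable_while_owned = read_via_upgrade(&weak).is_some();
    let raw = borrowed_from_weak(&weak);
    drop(owner); // the last strong reference is cleared
    let readable_after_drop = read_via_upgrade(&weak).is_some(); // false
    let raw_unchanged = raw == weak.as_ptr(); // true: a dangling pointer

    let owner2 = Rc::new(String::from("referent"));
    let weak2 = Rc::downgrade(&owner2);
    let _ = read_leaking_strong(&weak2);
    drop(owner2);
    let survives_mitigated = read_via_upgrade(&weak2).is_some(); // true
    (readable_while_owned, readable_after_drop, raw_unchanged, survives_mitigated)
}

fn main() {
    println!("{:?}", timeline());
}
```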

Comment 1 Lumír Balhar 2024-10-15 09:50:58 UTC
The patch in the latest version is huge: https://github.com/PyO3/pyo3/pull/4590/files

Comment 2 Charalampos Stratakis 2024-10-15 18:19:58 UTC
The weakref Python types were added in https://github.com/PyO3/pyo3/pull/3835, that is, version 0.22.0.

We ship 0.15.2 in the bundled crates of cryptography.

The only file that we ship which has some change through the fix is here: https://github.com/PyO3/pyo3/commit/26abde5f858286b78c755da3b2627e4d13b4b234#diff-f7a0cd3c685f42419e34ce7c1be728ffc394d644b49715ae7112a2d6f45849f6

Also, this fix is related to free-threaded Python. This requires more investigation, but from my initial findings we should not be affected.

Comment 3 Lumír Balhar 2024-10-16 10:52:54 UTC
You are right. The python-cryptography in RHEL 8 and 9 and also the versions in the alternative stacks Python 3.11 and 3.12 are too old to include the vulnerable code. The only exception is RHEL 10 where we have version 43.0.0 and that bundles pyo3 version 0.22.0: https://github.com/pyca/cryptography/commit/47aced28c8f27b4dbb61f4fc79af444a18279463

The free-threading implementation for pyo3 hasn't been finished yet: https://github.com/pyca/cryptography/commit/47aced28c8f27b4dbb61f4fc79af444a18279463