In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. The <executable-name>._pth file (e.g., the python._pth file) is not affected.

References:
https://bugs.python.org/issue41304
https://github.com/python/cpython/pull/21495
Created mingw-python3 tracking bugs for this issue:
Affects: fedora-all [bug 1860250]

Created python2 tracking bugs for this issue:
Affects: fedora-all [bug 1860246]

Created python26 tracking bugs for this issue:
Affects: fedora-all [bug 1860247]

Created python27 tracking bugs for this issue:
Affects: fedora-all [bug 1860251]

Created python3 tracking bugs for this issue:
Affects: fedora-all [bug 1860248]

Created python34 tracking bugs for this issue:
Affects: epel-all [bug 1860243]
Affects: fedora-all [bug 1860253]

Created python35 tracking bugs for this issue:
Affects: fedora-all [bug 1860252]

Created python36 tracking bugs for this issue:
Affects: fedora-all [bug 1860254]

Created python37 tracking bugs for this issue:
Affects: fedora-all [bug 1860255]

Created python38 tracking bugs for this issue:
Affects: fedora-all [bug 1860245]
The upstream issue suggests this is only affecting Windows.
The _pth feature for sys.path restrictions is Windows-specific. And mingw-python3 doesn't use the affected releases.
This applies to the Windows embedded distribution, see here: https://docs.python.org/3.6/using/windows.html#embedded-distribution

> To completely override sys.path, create a ._pth file with the same name as the DLL (python36._pth) or the executable (python._pth) and specify one line for each path to add to sys.path. The file based on the DLL name overrides the one based on the executable, which allows paths to be restricted for any program loading the runtime if desired.

And getpathp.c says at the top:

> Used by DOS, Windows 3.1, Windows 95/98, Windows NT.

As mentioned above this is specific to Windows and does not affect versions of Python as shipped with RHEL or Red Hat Software Collections.
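Added example (not CPython's getpathp.c and not part of this bug thread): a small model of the documented ._pth rules quoted above, plus a check that reports sys.path entries a given ._pth file never granted, which is how a defender would confirm that a restricted embedded interpreter actually honoured its python38._pth. The directory `C:\App`, the sample ._pth text and the observed sys.path are constructed for the example.

```python
import ntpath  # Windows path semantics, usable on any host
from dataclasses import dataclass, field


@dataclass
class PthResult:
    paths: list            # directories the ._pth grants to sys.path, absolute
    import_site: bool = False
    rejected: list = field(default_factory=list)  # lines the format does not permit


def parse_pth(text, pth_dir):
    """Model the documented ._pth rules: blank lines and '#' comments are ignored,
    'import site' is the only permitted import and re-enables the site module,
    every other line is a path, absolute or relative to the ._pth file's directory."""
    result = PthResult(paths=[])
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "import" or line.startswith(("import ", "import\t")):
            if line.split() == ["import", "site"]:
                result.import_site = True
            else:
                result.rejected.append(line)
            continue
        result.paths.append(ntpath.normpath(ntpath.join(pth_dir, line)))
    return result


def unexpected_entries(live_sys_path, expected):
    """Entries of an interpreter's sys.path that the ._pth never granted.
    Windows paths compare case-insensitively, so normalise both sides."""
    allowed = {ntpath.normcase(p) for p in expected.paths}
    return [p for p in live_sys_path
            if ntpath.normcase(ntpath.normpath(p)) not in allowed]


# Constructed sample: a python38._pth that pins sys.path to the application folder.
PTH_DIR = r"C:\App"
SAMPLE_PTH = """\
# python38._pth (constructed)
python38.zip
.
lib
import site
"""

if __name__ == "__main__":
    granted = parse_pth(SAMPLE_PTH, PTH_DIR)
    # Constructed observation of sys.path from an interpreter that ignored the file.
    observed = [r"C:\App\python38.zip", r"c:\app\LIB", r"C:\Other\site-packages"]
    print("granted:", granted.paths, "site:", granted.import_site)
    print("not granted by ._pth:", unexpected_entries(observed, granted))
```

On a real deployment the observed list would come from `python -c "import sys; print(sys.path)"` run with the embedded interpreter; a non-empty result from unexpected_entries means the ._pth restriction was not applied.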
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-15801
Statement: This flaw does not affect versions of python shipped with Red Hat Enterprise Linux, Red Hat Software Collections or Red Hat Quay; the vulnerable code exists in a module specific to Microsoft Windows deployment.