Bug 1889886 (CVE-2020-27619) - CVE-2020-27619 python: Python 3 eval of http resources during test suite runs
Summary: CVE-2020-27619 python: Python 3 eval of http resources during test suite runs
Keywords:
Status: NEW
Alias: CVE-2020-27619
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1890237 1890221 1890222 1890223 1890224 1890225 1890226 1890227 1890238 1890239 1890240 1890243 1890244
Blocks: 1886373
Reported: 2020-10-20 19:57 UTC by Todd Cullum
Modified: 2020-11-05 09:51 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Todd Cullum 2020-10-20 19:57:29 UTC
In Python3's Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP. Affected versions include Python 3.10, Python 3.9, Python 3.8, Python 3.7, Python 3.6.

Comment 2 Tomas Orsava 2020-10-21 13:16:24 UTC
(In reply to Todd Cullum from comment #0)
> In Python3's Lib/test/multibytecodec_support.py CJK codec tests call eval()
> on content retrieved via HTTP. Affected versions include Python 3.10, Python
> 3.9, Python 3.8, Python 3.7, Python 3.6.

I can see 3 cases where the test suite is being run:

1. During build of each Python package - network connection is disabled, so this does not lead to a security vulnerability.
2. During testing by our QE - I'm not sure if network is enabled here (CC lzachar); it could be a problem.
3. When a user manually runs the test suite from the python3*-test package.

In my opinion, case 3 is not serious enough to warrant active fixing (SCL/AppStream Pythons will get the fix eventually through a rebase).
Does that make sense Todd?

Comment 3 Todd Cullum 2020-10-21 17:42:17 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 1890227]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1890221]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1890222]


Created python36 tracking bugs for this issue:

Affects: fedora-all [bug 1890223]


Created python37 tracking bugs for this issue:

Affects: fedora-all [bug 1890224]


Created python38 tracking bugs for this issue:

Affects: fedora-all [bug 1890225]


Created python39 tracking bugs for this issue:

Affects: fedora-all [bug 1890226]

Comment 7 Miro Hrončok 2020-10-21 18:40:25 UTC
The content received via HTTP is fetched from http://www.pythontest.net/ -- HTTPS is not used and if the content is forged by an attacker (e.g. MITM) it is executed.

In Fedora, the test suite is executed on several occasions:

 - offline, in Koji, during package build - safe
 - offline, in mock, when rebuilding the package - safe
 - online, in mock --enable-network or with plain rpmbuild, but the test suite is not executed with the network resource enabled - safe
 - online, by executing pythonX.Y -m test -u network - not safe

I consider the group of users who would run the test suite locally from the installed package so small that I'm inclined to close the Python 3.6+ Fedora bugs as UPSTREAM.

Comment 8 Tomas Orsava 2020-10-22 14:28:19 UTC
(In reply to Miro Hrončok from comment #7)
> The content received via HTTP is fetched from http://www.pythontest.net/ --
> HTTPS is not used and if the content is forged by an attacker (e.g. MITM) it
> is executed.
> 
> In Fedora, the test suite is executed on several occasions:
> 
>  - offline, in Koji, during package build - safe
>  - offline, in mock, when rebuilding the package - safe
>  - online, in mock --enable-network or with plain rpmbuild, but the test
> suite is not executed with the network resource enabled - safe
>  - online, by executing pythonX.Y -m test -u network - not safe
> 
> I consider the group of users who would run the test suite locally from the
> installed package so small that I'm inclined to close the Python 3.6+ Fedora
> bugs as UPSTREAM.

Agreed.

Comment 9 Miro Hrončok 2020-10-22 16:20:26 UTC
For clarity (if we decided not to close this as wontfix on 3.5 and 3.4): the 3.6 commit applies to 3.5 and 3.4 without modifications; however, it uses one f-string.

Comment 10 Todd Cullum 2020-10-26 17:18:31 UTC
Mitigation:

In versions of Python shipped with Red Hat Enterprise Linux and Red Hat Software Collections, the flaw can be mitigated by not running the Python tests with network resources enabled. By default, the tests are not run with network resources enabled. Ensure that neither `-u network` nor `-uall` is passed as an option to `python -m test`. For more information on how these commands work, see [1].

1. https://docs.python.org/3/library/test.html

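The following is an added example, not code from CPython or from this bug report, that models the pattern described in comment 0 and comment 7 (eval() over the fields of a mapping file that the CJK codec tests download over plain HTTP) and puts a hardened parser beside it, so the effect of the mitigation in comment 10 (never feeding untrusted, unauthenticated content to eval()) can be seen offline. The mapping-file text is constructed sample data in the style of a hex code-point table; FORGED_LINE stands in for what a man-in-the-middle could substitute on an unauthenticated HTTP connection; PWNED is a sentinel list that only the vulnerable parser ends up touching. Parsing the fields with int(x, 16) is the editor's own hardening, not a claim about how upstream fixed the tests.

```python
# Added example (not CPython's test code): eval() on downloaded mapping lines
# versus strict hexadecimal parsing. All data below is constructed.

PWNED = []  # sentinel: the forged line appends here if the parser executes it

# Constructed sample mapping file: "<charset code>\t<unicode code point>",
# '#' starts a comment, as in a typical vendor mapping table.
GOOD_MAPPING = """\
# constructed sample mapping: <charset code>\t<unicode code point>
0x8140\t0x4E02
0x8141\t0x4E04
0xA1A1\t0x3000\t# ideographic space
"""

# What an on-path attacker could inject over plain HTTP: a Python expression
# with no whitespace or '#' (so it survives the line splitting) that runs
# arbitrary code and still evaluates to a plausible integer.
FORGED_LINE = "(PWNED.append('mitm'),0x8142)[1]\t0x4E05\n"


def parse_mapping_eval(text):
    """Vulnerable pattern: every field of the downloaded file goes to eval(),
    so any Python expression an attacker places in the file is executed."""
    mapping = {}
    for line in text.splitlines():
        data = line.split('#')[0].strip().split()
        if len(data) != 2:
            continue
        csetval = eval(data[0])                                  # noqa: S307
        unich = ''.join(chr(eval(x)) for x in data[1].split('+'))  # noqa: S307
        mapping[csetval] = unich
    return mapping


def parse_mapping_safe(text):
    """Hardened pattern: fields must be hexadecimal integer literals.
    int(x, 16) accepts '0x8140' but raises ValueError for anything else,
    so a forged line is rejected instead of executed. Returns the mapping
    and the list of rejected lines so a caller can fail the run loudly."""
    mapping = {}
    rejected = []
    for line in text.splitlines():
        data = line.split('#')[0].strip().split()
        if len(data) != 2:
            continue
        try:
            csetval = int(data[0], 16)
            unich = ''.join(chr(int(x, 16)) for x in data[1].split('+'))
        except ValueError:
            rejected.append(line)
            continue
        mapping[csetval] = unich
    return mapping, rejected


def demo():
    """Run both parsers over the tampered file and report what happened."""
    tampered = GOOD_MAPPING + FORGED_LINE

    PWNED.clear()
    vulnerable = parse_mapping_eval(tampered)
    attacker_code_ran = bool(PWNED)   # True: the forged expression executed

    PWNED.clear()
    safe, rejected = parse_mapping_safe(tampered)
    sentinel_after_safe = list(PWNED)  # []: nothing was executed

    return attacker_code_ran, vulnerable, safe, rejected, sentinel_after_safe


if __name__ == "__main__":
    ran, vulnerable, safe, rejected, after_safe = demo()
    print("attacker code ran under eval():", ran)
    print("eval() parser accepted forged entry:", 0x8142 in vulnerable)
    print("hardened parser rejected:", rejected)
    print("sentinel after hardened parse:", after_safe)
```

The strict parser still accepts every well-formed line of the real table (both parsers agree on GOOD_MAPPING), which is why replacing eval() costs nothing for the legitimate case. Fetching the file over HTTPS with certificate verification would also remove the man-in-the-middle vector comment 7 describes, but the eval() call is the defect: no test fixture should execute data it downloads.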
Comment 11 Jason Shepherd 2020-10-28 22:47:30 UTC
As of Red Hat Quay 3.4 the python runtime will be consumed from RHEL. Currently releases up to 3.3 won't get fixes for this moderate issue.

Comment 12 Jason Shepherd 2020-10-29 03:22:03 UTC
Statement:

As of Red Hat Quay 3.4 the python runtime will be consumed from RHEL. Currently releases up to 3.3 won't get fixes for this moderate issue.

