Bug 1889886 (CVE-2020-27619) - CVE-2020-27619 python: Unsafe use of eval() on data retrieved via HTTP in the test suite
Summary: CVE-2020-27619 python: Unsafe use of eval() on data retrieved via HTTP in the...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-27619
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1890221 1890222 1890223 1890224 1890225 1890226 1890227 1890237 1890238 1890239 1890240 1890243 1890244 1959155 1959156 1969506 1969511 1972202 1972203
Blocks: 1886373
TreeView+ depends on / blocked
 
Reported: 2020-10-20 19:57 UTC by Todd Cullum
Modified: 2021-11-09 17:25 UTC (History)
28 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
In Python3's Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.
Clone Of:
Environment:
Last Closed: 2021-05-18 20:36:45 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3252 0 None None None 2021-08-24 08:05:25 UTC
Red Hat Product Errata RHSA-2021:3254 0 None None None 2021-08-24 08:09:00 UTC
Red Hat Product Errata RHSA-2021:4151 0 None None None 2021-11-09 17:25:00 UTC

Description Todd Cullum 2020-10-20 19:57:29 UTC
In Python3's Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP. Affected versions include Python 3.10, Python 3.9, Python 3.8, Python 3.7, Python 3.6.

Comment 2 Tomas Orsava 2020-10-21 13:16:24 UTC
(In reply to Todd Cullum from comment #0)
> In Python3's Lib/test/multibytecodec_support.py CJK codec tests call eval()
> on content retrieved via HTTP. Affected versions include Python 3.10, Python
> 3.9, Python 3.8, Python 3.7, Python 3.6.

I can see 3 cases where the test suite is being run:

1. During build of each Python package - network connection is disabled, so this does not lead to a security vulnerability.
2. During testing by our QE - I'm not sure if network is enabled here (CC lzachar), could be a problem.
3. When a user manually runs the test suite from the python3*-test package.

In my opinion, case 3 is not serious enough to warrant active fixing (SCL/AppStream Pythons will get the fix eventually through a rebase).
Does that make sense Todd?

Comment 3 Todd Cullum 2020-10-21 17:42:17 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 1890227]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1890221]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1890222]


Created python36 tracking bugs for this issue:

Affects: fedora-all [bug 1890223]


Created python37 tracking bugs for this issue:

Affects: fedora-all [bug 1890224]


Created python38 tracking bugs for this issue:

Affects: fedora-all [bug 1890225]


Created python39 tracking bugs for this issue:

Affects: fedora-all [bug 1890226]

Comment 7 Miro Hrončok 2020-10-21 18:40:25 UTC
The content received via HTTP is fetched from http://www.pythontest.net/ -- HTTPS is not used and if the content is forged by an attacker (e.g. MITM) it is executed.

In Fedora, the test suite is executed on several occasions:

 - offline, in Koji, during package build - safe
 - offline, in mock, when rebuilding the package - safe
 - online, in mock --enable-network or with plain rpmbuild, but the test suite is not executed with the network resource enabled - safe
 - online, by executing pythonX.Y -m test -u network - not safe

I consider the group of users who would run the test suite locally from the installed package so small that I'm inclined to close the Python 3.6+ Fedora bugs as UPSTREAM.

Comment 8 Tomas Orsava 2020-10-22 14:28:19 UTC
(In reply to Miro Hrončok from comment #7)
> The content received via HTTP is fetched from http://www.pythontest.net/ --
> HTTPS is not used and if the content is forged by an attacker (e.g. MITM) it
> is executed.
> 
> In Fedora, the test suite is executed on several occasions:
> 
>  - offline, in Koji, during package build - safe
>  - offline, in mock, when rebuilding the package - safe
>  - online, in mock --enable-network or with plain rpmbuild, but the test
> suite is not executed with the network resource enabled - safe
>  - online, by executing pythonX.Y -m test -u network - not safe
> 
> I consider the group of users who would run the test suite locally from the
> installed package so small that I'm inclined to close the Python 3.6+ Fedora
> bugs as UPSTREAM.

Agreed.

Comment 9 Miro Hrončok 2020-10-22 16:20:26 UTC
For clarity (if we decided not to close this as wontfix on 3.5 and 3.4), the 3.6 commit applies to 3.5 and 3.4 without modifications, however, it uses one f-string.

Comment 10 Todd Cullum 2020-10-26 17:18:31 UTC
Mitigation:

In versions of Python shipped with Red Hat Enterprise Linux and Red Hat Software Collections, the flaw can be mitigated by not running the python tests with network resources enabled. By default, the tests are not run with network resources enabled. Ensure that `-u network` or `-uall` are not passed as options to `python -m test`. For more information on how these commands work, see [1].

1. https://docs.python.org/3/library/test.html

Comment 11 Jason Shepherd 2020-10-28 22:47:30 UTC
As of Red Hat Quay 3.4 the python runtime will be consumed from RHEL. Currently releases up to 3.3 won't get fixes for this moderate issue.

Comment 12 Jason Shepherd 2020-10-29 03:22:03 UTC
Statement:

As of Red Hat Quay 3.4 the python runtime will be consumed from RHEL. Currently releases up to 3.3 won't get fixes for this moderate issue.

Comment 17 errata-xmlrpc 2021-05-18 13:51:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1633 https://access.redhat.com/errata/RHSA-2021:1633

Comment 18 Product Security DevOps Team 2021-05-18 20:36:45 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-27619

Comment 25 errata-xmlrpc 2021-08-24 08:05:22 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3252 https://access.redhat.com/errata/RHSA-2021:3252

Comment 26 errata-xmlrpc 2021-08-24 08:08:57 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254

Comment 27 errata-xmlrpc 2021-11-09 17:24:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4151 https://access.redhat.com/errata/RHSA-2021:4151


Note You need to log in before you can comment on or make changes to this bug.