Bug 2293948 (CVE-2023-6507) - CVE-2023-6507 python: Improper privileges drop on subprocess module
Summary: CVE-2023-6507 python: Improper privileges drop on subprocess module
Keywords:
Status: NEW
Alias: CVE-2023-6507
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2293949
TreeView+ depends on / blocked
 
Reported: 2024-06-24 15:17 UTC by Marco Benatto
Modified: 2024-06-26 16:21 UTC (History)
27 users (show)

Fixed In Version: python 3.12.1
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Marco Benatto 2024-06-24 15:17:04 UTC 
An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases.

When using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list.

This issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`).

References:
https://mail.python.org/archives/list/security-announce@python.org/thread/AUL7QFHBLILGISS7U63B47AYSSGJJQZD/
https://github.com/python/cpython/issues/112334

Upstream patches:
https://github.com/python/cpython/commit/10e9bb13b8dcaa414645b9bd10718d8f7179e82b
https://github.com/python/cpython/commit/85bbfa8a4bbdbb61a3a84fbd7cb29a4096ab8a06
https://github.com/python/cpython/commit/9fe7655c6ce0b8e9adc229daf681b6d30e6b1610
Note You need to log in before you can comment on or make changes to this bug.