Bug 2321440 (CVE-2024-9287) - CVE-2024-9287 python: Virtual environment (venv) activation scripts don't quote paths
Summary: CVE-2024-9287 python: Virtual environment (venv) activation scripts don't quo...
Keywords:
Status: NEW
Alias: CVE-2024-9287
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2321661 2321653 2321654 2321655 2321656 2321657 2321658 2321659 2321660 2321662
Blocks:
Reported: 2024-10-24 10:14 UTC by OSIDB Bzimport
Modified: 2025-04-11 10:51 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:10790 0 None None None 2024-12-04 10:50:04 UTC
Red Hat Product Errata RHBA-2024:10792 0 None None None 2024-12-04 12:31:07 UTC
Red Hat Product Errata RHBA-2024:10809 0 None None None 2024-12-04 21:23:54 UTC
Red Hat Product Errata RHBA-2024:10811 0 None None None 2024-12-04 21:59:21 UTC
Red Hat Product Errata RHBA-2024:10837 0 None None None 2024-12-05 10:23:09 UTC
Red Hat Product Errata RHBA-2024:10875 0 None None None 2024-12-09 09:09:30 UTC
Red Hat Product Errata RHBA-2024:10876 0 None None None 2024-12-09 09:09:37 UTC
Red Hat Product Errata RHBA-2024:10877 0 None None None 2024-12-09 09:09:34 UTC
Red Hat Product Errata RHBA-2024:10878 0 None None None 2024-12-09 09:09:49 UTC
Red Hat Product Errata RHBA-2024:10884 0 None None None 2024-12-09 14:36:19 UTC
Red Hat Product Errata RHBA-2024:10885 0 None None None 2024-12-09 14:07:53 UTC
Red Hat Product Errata RHBA-2024:10922 0 None None None 2024-12-10 14:03:22 UTC
Red Hat Product Errata RHBA-2024:10981 0 None None None 2024-12-12 08:45:06 UTC
Red Hat Product Errata RHBA-2024:10995 0 None None None 2024-12-12 11:46:56 UTC
Red Hat Product Errata RHBA-2024:10997 0 None None None 2024-12-12 12:29:01 UTC
Red Hat Product Errata RHBA-2024:10998 0 None None None 2024-12-12 12:39:49 UTC
Red Hat Product Errata RHBA-2024:10999 0 None None None 2024-12-12 12:57:53 UTC
Red Hat Product Errata RHBA-2024:11000 0 None None None 2024-12-12 13:28:05 UTC
Red Hat Product Errata RHBA-2024:11006 0 None None None 2024-12-12 14:49:51 UTC
Red Hat Product Errata RHBA-2024:11020 0 None None None 2024-12-12 19:14:30 UTC
Red Hat Product Errata RHBA-2024:11036 0 None None None 2024-12-13 09:15:51 UTC
Red Hat Product Errata RHBA-2024:11061 0 None None None 2024-12-16 01:36:16 UTC
Red Hat Product Errata RHBA-2024:11147 0 None None None 2024-12-16 20:27:02 UTC
Red Hat Product Errata RHBA-2024:11408 0 None None None 2024-12-18 15:56:56 UTC
Red Hat Product Errata RHBA-2024:11410 0 None None None 2024-12-18 16:16:37 UTC
Red Hat Product Errata RHBA-2024:11542 0 None None None 2024-12-19 13:37:59 UTC
Red Hat Product Errata RHBA-2024:11556 0 None None None 2024-12-19 15:49:08 UTC
Red Hat Product Errata RHBA-2025:0380 0 None None None 2025-01-16 17:06:36 UTC
Red Hat Product Errata RHBA-2025:1237 0 None None None 2025-02-10 16:09:27 UTC
Red Hat Product Errata RHSA-2024:10779 0 None None None 2024-12-04 08:12:30 UTC
Red Hat Product Errata RHSA-2024:10978 0 None None None 2024-12-12 08:38:17 UTC
Red Hat Product Errata RHSA-2024:10979 0 None None None 2024-12-12 08:50:22 UTC
Red Hat Product Errata RHSA-2024:10980 0 None None None 2024-12-12 08:50:30 UTC
Red Hat Product Errata RHSA-2024:10983 0 None None None 2024-12-12 09:15:51 UTC
Red Hat Product Errata RHSA-2024:11024 0 None None None 2024-12-12 21:04:11 UTC
Red Hat Product Errata RHSA-2024:11035 0 None None None 2024-12-13 09:15:03 UTC
Red Hat Product Errata RHSA-2024:11111 0 None None None 2024-12-16 12:00:21 UTC
Red Hat Product Errata RHSA-2025:0280 0 None None None 2025-01-13 11:35:18 UTC

Description OSIDB Bzimport 2024-10-24 10:14:35 UTC
A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (i.e. "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (i.e. "./venv/bin/python") are not affected.
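The following is an added illustration of the failure mode the description states; it is not CPython's code and not part of this bug report. It models the POSIX `activate` script as a template into which the venv directory is substituted: the pre-fix shape wraps the path in double quotes (which do not stop `$(...)` command substitution in sh), the hardened shape passes the path through `shlex.quote`. The two template strings, the directory name `EVIL_DIR` and the `uses_prefix_template` heuristic are constructed for this example and are assumptions about the script's shape, not a version check. Running the rendered snippet through `sh -c` stands in for `source venv/bin/activate`.

```python
"""Added illustration of the CVE-2024-9287 failure mode (not CPython's own
code): a venv directory name is substituted into the POSIX `activate`
template, and unless it is shell-quoted, metacharacters in the name execute
on `source venv/bin/activate`.
"""
import shlex
import subprocess

# Constructed template shapes modelled on the activate script (assumption).
# Double quotes in sh still allow $(...) and backtick command substitution, so
# the pre-fix shape is exploitable by whoever chooses the directory name.
# The hardened shape leaves the template bare and has the generator quote the
# value with shlex.quote, which single-quotes anything unsafe; nothing is
# expanded inside single quotes.
TEMPLATE_DOUBLE_QUOTED = 'VIRTUAL_ENV="__VENV_DIR__"\nexport VIRTUAL_ENV\n'
TEMPLATE_BARE = 'VIRTUAL_ENV=__VENV_DIR__\nexport VIRTUAL_ENV\n'

# Constructed attacker-chosen directory name.  The command substitution only
# writes a marker to stderr here; in a real attack it would be arbitrary code.
EVIL_DIR = '/tmp/venv$(echo INJECTED >&2)'


def render_vulnerable(env_dir: str) -> str:
    """Pre-fix behaviour: the path goes into the template verbatim."""
    return TEMPLATE_DOUBLE_QUOTED.replace('__VENV_DIR__', env_dir)


def render_fixed(env_dir: str) -> str:
    """Hardened behaviour: shell-quote the path before substitution."""
    return TEMPLATE_BARE.replace('__VENV_DIR__', shlex.quote(env_dir))


def source_and_report(script: str) -> tuple[str, str]:
    """Run the rendered snippet in sh (standing in for `source activate`)
    and return (final VIRTUAL_ENV value, whatever the payload wrote to
    stderr)."""
    probe = script + 'printf %s "$VIRTUAL_ENV"\n'
    proc = subprocess.run(['sh', '-c', probe], capture_output=True, text=True)
    return proc.stdout, proc.stderr.strip()


def uses_prefix_template(activate_text: str) -> bool:
    """Heuristic check of an existing bin/activate: the pre-fix template shape
    double-quotes the VIRTUAL_ENV assignment, the hardened shape does not
    (an assumption about the template text, not an interpreter version test)."""
    for line in activate_text.splitlines():
        if line.startswith('VIRTUAL_ENV='):
            return line[len('VIRTUAL_ENV='):].startswith('"')
    return False


if __name__ == '__main__':
    for label, render in (('vulnerable', render_vulnerable),
                          ('fixed', render_fixed)):
        value, side_effect = source_and_report(render(EVIL_DIR))
        print(f'{label}: VIRTUAL_ENV={value!r}, payload output={side_effect!r}')
```

Two caveats for anyone applying this to their own environments: `shlex.quote` is POSIX sh quoting only, so the csh, fish, PowerShell and cmd activation scripts each need their own quoting rule; and because the activation script is written at creation time, a venv created with an unpatched interpreter keeps its old script until the venv is recreated, regardless of which interpreter is installed later.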

Comment 1 Lumír Balhar 2024-11-04 06:47:35 UTC
Upstream issue: https://github.com/python/cpython/issues/124651

The fix has already been merged into 3.11+, PRs for 3.10 and 3.9 are waiting and all versions should get a security release after that.

Comment 2 errata-xmlrpc 2024-12-04 08:12:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:10779 https://access.redhat.com/errata/RHSA-2024:10779

Comment 3 errata-xmlrpc 2024-12-12 08:38:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:10978 https://access.redhat.com/errata/RHSA-2024:10978

Comment 4 errata-xmlrpc 2024-12-12 08:50:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:10979 https://access.redhat.com/errata/RHSA-2024:10979

Comment 5 errata-xmlrpc 2024-12-12 08:50:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:10980 https://access.redhat.com/errata/RHSA-2024:10980

Comment 6 errata-xmlrpc 2024-12-12 09:15:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:10983 https://access.redhat.com/errata/RHSA-2024:10983

Comment 7 errata-xmlrpc 2024-12-12 21:04:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2024:11024 https://access.redhat.com/errata/RHSA-2024:11024

Comment 8 errata-xmlrpc 2024-12-13 09:15:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2024:11035 https://access.redhat.com/errata/RHSA-2024:11035

Comment 9 errata-xmlrpc 2024-12-16 12:00:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:11111 https://access.redhat.com/errata/RHSA-2024:11111

Comment 10 errata-xmlrpc 2025-01-13 11:35:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:0280 https://access.redhat.com/errata/RHSA-2025:0280

