Bug 1718212 (CVE-2019-12760) - CVE-2019-12760 parso: parsing leads to arbitrary code execution
Summary: CVE-2019-12760 parso: parsing leads to arbitrary code execution
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2019-12760
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1718213 1718214
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-06-07 09:24 UTC by Dhananjay Arunesh
Modified: 2019-09-29 15:14 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-14 11:07:11 UTC


Attachments (Terms of Use)

Description Dhananjay Arunesh 2019-06-07 09:24:16 UTC
A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing can be triggered, this flaw leads to Arbitrary Code Execution.

Upstream commit:
https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7

Comment 1 Dhananjay Arunesh 2019-06-07 09:25:10 UTC
Created python-parso tracking bugs for this issue:

Affects: fedora-all [bug 1718213]

Comment 2 Dhananjay Arunesh 2019-06-07 09:25:31 UTC
Created python-parso tracking bugs for this issue:

Affects: epel-7 [bug 1718214]

Comment 3 Product Security DevOps Team 2019-06-10 10:56:54 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Comment 4 Carl George 2019-06-13 13:43:19 UTC
This is not yet resolved upstream.  The upstream commit link in this bug is a gist of a proof of concept exploit.

https://github.com/davidhalter/parso/issues/75

Comment 5 Martin Prpič 2019-06-14 11:07:11 UTC
Carl, if you read comment 3 you'll see it notes that the progress on fixing this issue is tracked in the dependent bugs: bug 1718213 for Fedora, and bug 1718214 for EPEL 7. There is nothing else to do in this bug since it's just a container that holds security metadata (note that it's filed against the "Security Response / vulnerability" component, not against a specific product/component.) The actual work of fixing this issue needs to happen (and is tracked) in the aforementioned bugs, both of which are in NEW as of right now. The status and resolution of this bug merely reflects the completeness of information about this issue, it holds no meaning with regard to the fixes in any affected component.


Note You need to log in before you can comment on or make changes to this bug.