Bug 1772014 (CVE-2019-18874) - CVE-2019-18874 python-psutil: Double free because of refcount mishandling
Summary: CVE-2019-18874 python-psutil: Double free because of refcount mishandling
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-18874
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1772015 1772016 1772020 1773616 1774340 1774341 1774342 1774343 1774355 1774356 1777134 1807126 1847774 1885525 1885526 1886094 1886095 1886660 1887535 1976757
Blocks: 1772019
Reported: 2019-11-13 13:01 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-12-14 18:47 UTC (History)

Fixed In Version: python-psutil 5.6.6
Doc Type: If docs needed, set a value
Doc Text:
A double free issue has been discovered in python-psutil because of the mishandling of refcounts while converting system data into Python objects in functions like psutil_disk_partitions(), psutil_users(), psutil_net_if_addrs(), and others. In particular cases, a local attacker may be able to get code execution by manipulating system resources that python-psutil then tries to convert.
Clone Of:
Environment:
Last Closed: 2020-06-23 05:20:22 UTC
Embargoed:


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2020:2583  0        None      None    None     2020-06-22 23:48:38 UTC
Red Hat Product Errata  RHSA-2020:2593  0        None      None    None     2020-07-01 16:03:37 UTC
Red Hat Product Errata  RHSA-2020:2635  0        None      None    None     2020-06-23 19:35:22 UTC
Red Hat Product Errata  RHSA-2020:4254  0        None      None    None     2020-10-14 13:04:12 UTC
Red Hat Product Errata  RHSA-2020:4255  0        None      None    None     2020-10-14 13:08:48 UTC
Red Hat Product Errata  RHSA-2020:4299  0        None      None    None     2020-10-20 20:00:12 UTC
Red Hat Product Errata  RHSA-2021:4162  0        None      None    None     2021-11-09 17:28:04 UTC
Red Hat Product Errata  RHSA-2021:4324  0        None      None    None     2021-11-09 18:14:36 UTC

Description Guilherme de Almeida Suckevicz 2019-11-13 13:01:19 UTC
psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.

Reference:
https://github.com/giampaolo/psutil/pull/1616

Comment 1 Guilherme de Almeida Suckevicz 2019-11-13 13:01:42 UTC
Created python-psutil tracking bugs for this issue:

Affects: epel-all [bug 1772016]
Affects: fedora-all [bug 1772015]

Comment 2 Guilherme de Almeida Suckevicz 2019-11-13 13:06:03 UTC
Created python-psutil tracking bugs for this issue:

Affects: openstack-rdo [bug 1772020]

Comment 4 Riccardo Schirone 2019-11-18 14:20:56 UTC
Acknowledgments:

Name: Riccardo Schirone (Red Hat)

Comment 5 Riccardo Schirone 2019-11-18 14:30:14 UTC
Most of the functions in psutil/_psutil_*.c contain loops that convert system data into Python objects. During the process they create Python objects and, at the end of the loop, decrement their refcounts after they have been added to the result list. In case of errors during the conversion of one of those objects, the variables pointing to those Python objects have their refcounts decremented, to ensure that the objects do not leak memory on the error path.

However, after the first iteration the variables may still point to already-freed Python objects, and if an attacker is able to make the parsing of such objects fail, it is possible to decrement the refcount two times, thus causing a double-free issue. This could be used by a local attacker to get code execution with the privileges of the user running the python-psutil application.
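
The loop shape described in the CVE text above and in this comment, as an added illustration that is not psutil or CPython code: a tiny reference-count model with hypothetical names (model_DECREF, model_XDECREF, model_CLEAR, tuple_new, list_append, convert_records) reproduces the vulnerable form, where the locals keep pointing at objects whose references the loop has already dropped, next to a hardened form that nulls each local as it is released (the Py_CLEAR idiom from the CPython C API). When a record after the first one fails to convert, the error path of the vulnerable form drops a reference the function no longer owns, and the result list then drops the same object a second time.

```c
#include <stddef.h>
#include <stdio.h>

/* Self-contained model of CPython reference counting, constructed for this
 * example; it is not psutil or CPython code. Objects live in a fixed pool so
 * an already-freed object can still be inspected instead of corrupting the
 * heap the way the real double free does. */
#define POOL_SIZE 64
#define MAX_ITEMS 16

typedef struct Obj {
    long refcnt;
    int freed;               /* set once the refcount has reached zero */
    struct Obj *members[2];  /* owned references (tuple-like object) */
    int nmembers;
} Obj;

static Obj pool[POOL_SIZE];
static int pool_used;
static int bad_decrefs;      /* decrefs applied to an already-freed object */

static Obj *obj_new(void) {
    Obj *o = &pool[pool_used++];
    o->refcnt = 1;
    o->freed = 0;
    o->nmembers = 0;
    return o;
}

/* Models Py_DECREF: at zero the object is deallocated, which in turn drops
 * the references it owns (as tuple_dealloc does). */
static void model_DECREF(Obj *o) {
    if (o->freed) { bad_decrefs++; return; }  /* real CPython: heap corruption */
    if (--o->refcnt == 0) {
        o->freed = 1;
        for (int i = 0; i < o->nmembers; i++)
            model_DECREF(o->members[i]);
    }
}
#define model_XDECREF(o) do { if ((o) != NULL) model_DECREF(o); } while (0)
/* Models Py_CLEAR: drop the reference AND null the variable, so a later
 * XDECREF of the same variable is a no-op. */
#define model_CLEAR(o) do { Obj *t_ = (o); (o) = NULL; if (t_) model_DECREF(t_); } while (0)

/* Models Py_BuildValue("(OO)", a, b): the new tuple takes its own references. */
static Obj *tuple_new(Obj *a, Obj *b) {
    Obj *t = obj_new();
    t->members[0] = a; a->refcnt++;
    t->members[1] = b; b->refcnt++;
    t->nmembers = 2;
    return t;
}

/* Models the result list: PyList_Append takes a reference; tearing the list
 * down (Py_DECREF(py_retlist) reaching zero) releases every item. */
typedef struct { Obj *items[MAX_ITEMS]; int n; } List;
static void list_append(List *l, Obj *o) { l->items[l->n++] = o; o->refcnt++; }
static void list_teardown(List *l) { for (int i = 0; i < l->n; i++) model_DECREF(l->items[i]); }

/* Loop shape of the affected converters: two field objects and a tuple per
 * record, appended to the result list, then the locals released at the bottom
 * of the loop. Record `fail_at` (-1 for none) fails to convert its second
 * field, modelling the parse failure an attacker tries to provoke. `hardened`
 * selects the Py_CLEAR form. Returns the number of decrefs that hit an
 * already-freed object: 0 means no double free. */
static int convert_records(int nrecords, int fail_at, int hardened) {
    List result = {{NULL}, 0};
    Obj *py_dev = NULL, *py_mountp = NULL, *py_tuple = NULL;
    pool_used = 0;
    bad_decrefs = 0;
    for (int i = 0; i < nrecords; i++) {
        py_dev = obj_new();
        py_mountp = (i == fail_at) ? NULL : obj_new();
        if (py_mountp == NULL)
            goto error;
        py_tuple = tuple_new(py_dev, py_mountp);
        list_append(&result, py_tuple);
        if (hardened) {
            model_CLEAR(py_dev);
            model_CLEAR(py_mountp);
            model_CLEAR(py_tuple);
        } else {
            /* The objects stay alive (owned by the tuple and the list), but
             * the locals now hold references this function no longer owns. */
            model_DECREF(py_dev);
            model_DECREF(py_mountp);
            model_DECREF(py_tuple);
        }
    }
    list_teardown(&result);
    return bad_decrefs;
error:
    model_XDECREF(py_dev);     /* fresh from this record: correct */
    model_XDECREF(py_mountp);  /* NULL: skipped */
    model_XDECREF(py_tuple);   /* vulnerable form: the previous record's tuple,
                                  refcount 1 -> 0, freed while still in the list */
    list_teardown(&result);    /* the list releases that tuple a second time */
    return bad_decrefs;
}

int main(void) {
    printf("vulnerable, failure on record 1: %d bad decref(s)\n", convert_records(3, 1, 0));
    printf("vulnerable, failure on record 0: %d bad decref(s)\n", convert_records(3, 0, 0));
    printf("hardened,   failure on record 1: %d bad decref(s)\n", convert_records(3, 1, 1));
    return 0;
}
```

A failure on the very first record is harmless in both forms, because every local is either NULL or freshly owned; the over-decrement needs one completed iteration first, which is exactly why the attacker has to be able to make a later entry (a mount, a user, an interface) fail to convert.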

Comment 7 Riccardo Schirone 2019-11-18 14:44:35 UTC
No upstream release yet with the fix mentioned in comment 3.

Comment 8 Riccardo Schirone 2019-11-18 14:49:51 UTC
Affected functions in psutil/_psutil_linux.c and psutil/_psutil_posix.c are psutil_disk_partitions(), psutil_users(), psutil_net_if_addrs(). The last two can hardly be manipulated by an attacker as they list the users and the network interfaces on a system, while the first could be manipulated by a user who can mount filesystems (e.g. with FUSE).

Comment 10 Riccardo Schirone 2019-11-18 14:53:26 UTC
Attack Vector (AV) of CVSSv3 set to Local, as the affected functions for Linux are just psutil_disk_partitions(), psutil_users() and psutil_net_if_addrs(), and they would require a user to manipulate users, network interfaces and/or disk partitions to try to trigger the flaw.

Comment 16 Cedric Buissart 2020-02-26 13:34:32 UTC
Clarification regarding the case of the Satellite 6 product : the affected component runs on the clients using Satellite-Tools and being registered against a Satellite. The Satellite server itself does not ship python-psutil.

Comment 20 errata-xmlrpc 2020-06-22 23:48:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:2583 https://access.redhat.com/errata/RHSA-2020:2583

Comment 21 Product Security DevOps Team 2020-06-23 05:20:22 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-18874

Comment 22 errata-xmlrpc 2020-06-23 19:35:20 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:2635 https://access.redhat.com/errata/RHSA-2020:2635

Comment 23 errata-xmlrpc 2020-07-01 16:03:33 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2020:2593 https://access.redhat.com/errata/RHSA-2020:2593

Comment 32 errata-xmlrpc 2020-10-14 13:04:08 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Tower 3.7 for RHEL 7

Via RHSA-2020:4254 https://access.redhat.com/errata/RHSA-2020:4254

Comment 33 errata-xmlrpc 2020-10-14 13:08:41 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Tower 3.6 for RHEL 7

Via RHSA-2020:4255 https://access.redhat.com/errata/RHSA-2020:4255

Comment 36 errata-xmlrpc 2020-10-20 20:00:07 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4299 https://access.redhat.com/errata/RHSA-2020:4299

Comment 37 errata-xmlrpc 2021-04-21 13:10:13 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.8 for RHEL 7

Via RHSA-2021:1313 https://access.redhat.com/errata/RHSA-2021:1313

Comment 39 errata-xmlrpc 2021-11-09 17:28:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4162 https://access.redhat.com/errata/RHSA-2021:4162

Comment 40 errata-xmlrpc 2021-11-09 18:14:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4324 https://access.redhat.com/errata/RHSA-2021:4324
