Running `pydoc -p` allows other local users to extract arbitrary files
Related upstream PRs: https://github.com/python/cpython/pull/24337 https://github.com/python/cpython/pull/24285
Not sure why it's not mentioned upstream, but in Python 3.7.0 alpha 1+, pydoc has the -n command[1][2]. So using -n can additionally expose this to adjacent attackers rather than just local attackers.
1. https://bugs.python.org/issue31128
2. https://github.com/python/cpython/commit/6a396c9807b1674a24e240731f18e20de97117a5
Statement: Red Hat Quay from version 3.4 uses Python from Red Hat Enterprise Linux RPM repositories and therefore may receive an update for this issue in a future release. Earlier versions of Red Hat Quay will not receive a patch for this issue. Python 2.x.x as shipped in any Red Hat product is not affected. This flaw is out of support scope for python3 as shipped with Red Hat Enterprise Linux 7. For more information about Red Hat Enterprise Linux support scope, please see https://access.redhat.com/support/policy/updates/errata/.
There is not yet a fix in an upstream Python release at this time.
Created mingw-python3 tracking bugs for this issue:
Affects: fedora-32 [bug 1937475]
Affects: fedora-33 [bug 1937483]
Created python3 tracking bugs for this issue:
Affects: fedora-32 [bug 1937476]
Created python34 tracking bugs for this issue:
Affects: epel-7 [bug 1937474]
Affects: fedora-32 [bug 1937477]
Created python35 tracking bugs for this issue:
Affects: fedora-32 [bug 1937479]
Created python36 tracking bugs for this issue:
Affects: fedora-32 [bug 1937480]
Created python37 tracking bugs for this issue:
Affects: fedora-32 [bug 1937481]
Created python39 tracking bugs for this issue:
Affects: fedora-32 [bug 1937482]
Mitigation: Use the console (no argument needed) or HTML file (-w argument) output to generate docs rather than the HTTP server options. Put differently, do not use the -p or -n options of pydoc.
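Added example, not part of the bug report or of upstream Python: a POSIX shell check that flags running pydoc processes started with the -p or -n server options the mitigation says to avoid, so an administrator can verify the mitigation is actually in place. The process listing in the block is constructed; on a live host feed it the output of `ps -eo user,pid,args`.

```shell
#!/bin/sh
# Added example (not from the bug report): find processes running pydoc's
# HTTP server (-p PORT or -n HOSTNAME). Input is a ps-style listing:
# USER PID ARGS...
set -f   # no globbing while command lines are split into words

# Return 0 if a single command line starts a pydoc HTTP server.
# Accepts "pydoc ..." and "python -m pydoc ..." with paths/version suffixes.
is_pydoc_server() {
    set -- $1
    case "${1##*/}" in
        pydoc*) shift ;;
        python*)
            [ "$#" -ge 3 ] && [ "$2" = "-m" ] || return 1
            case "$3" in pydoc*) ;; *) return 1 ;; esac
            shift 3 ;;
        *) return 1 ;;
    esac
    for arg in "$@"; do
        case "$arg" in
            -p|-p[0-9]*|-n|-n?*) return 0 ;;   # server options, attached or separate
        esac
    done
    return 1   # console output and -w never open a listening socket
}

# Read a listing on stdin, print one line per flagged process,
# return 0 if any were found and 1 otherwise.
find_pydoc_servers() {
    found=1
    while read -r user pid args; do
        if is_pydoc_server "$args"; then
            echo "pydoc HTTP server: user=$user pid=$pid cmd=$args"
            found=0
        fi
    done
    return $found
}

# Constructed sample listing; live use: ps -eo user,pid,args | find_pydoc_servers
SAMPLE='USER PID COMMAND
alice 4021 python3 -m pydoc -p 8080
bob 4102 /usr/bin/pydoc3.9 -n 0.0.0.0 -p 7464
carol 4200 pydoc3 -w json
dave 4301 grep -n pydoc notes.txt'

printf '%s\n' "$SAMPLE" | find_pydoc_servers
```

The sample flags alice's and bob's processes only; carol's `-w` run writes a static HTML file and opens no socket, which is the form the mitigation recommends.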
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3426
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4160 https://access.redhat.com/errata/RHSA-2021:4160
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4162 https://access.redhat.com/errata/RHSA-2021:4162
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4399 https://access.redhat.com/errata/RHSA-2021:4399