Bug 2318646 (CVE-2024-9979, RUSTSEC-2024-0378) - CVE-2024-9979 pyo3: Risk of use-after-free in `borrowed` reads from Python weak references
Summary: CVE-2024-9979 pyo3: Risk of use-after-free in `borrowed` reads from Python we...
Keywords:
Status: NEW
Alias: CVE-2024-9979, RUSTSEC-2024-0378
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-10-14 21:01 UTC by OSIDB Bzimport
Modified: 2024-10-24 07:32 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in PyO3. This vulnerability causes a use-after-free issue, potentially leading to memory corruption or crashes via unsound borrowing from weak Python references.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2024-10-14 21:01:48 UTC
The family of functions to read "borrowed" values from Python weak references
were fundamentally unsound, because the weak reference itself does not have
ownership of the value. At any point the last strong reference could
be cleared and the borrowed value would become dangling.

In PyO3 0.22.4 these functions have all been deprecated and patched to leak a
strong reference as a mitigation. PyO3 0.23 will remove these functions entirely.
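The two behaviours described above, modelled in plain Rust with `std::rc::Weak` as an added illustration (not PyO3's code): a sound read upgrades the weak reference to a strong one for the duration of the access and gets `None` once the referent is gone, while the 0.22.4-style mitigation keeps a "borrowed" return type sound by leaking a strong reference. Function names and the string contents are constructed for this example.

```rust
use std::rc::{Rc, Weak};

/// Sound read: upgrade the weak reference to a strong one while the value is
/// used. If the last strong reference was already cleared, this yields None
/// instead of a dangling borrow.
fn read_via_upgrade(weak: &Weak<String>) -> Option<String> {
    weak.upgrade().map(|strong| strong.as_str().to_owned())
}

/// Models the mitigation: a "borrowed" accessor that upgrades and then leaks
/// the strong reference, so the referent can never be freed while the
/// returned borrow exists (the price is that it is never freed at all).
fn borrowed_leaking(weak: &Weak<String>) -> Option<&'static str> {
    let strong = weak.upgrade()?;
    // into_raw gives up the Rc without decrementing the strong count: leak.
    let raw: *const String = Rc::into_raw(strong);
    // SAFETY: the allocation behind `raw` was just leaked and is never freed,
    // so a 'static borrow into it stays valid.
    Some(unsafe { (*raw).as_str() })
}

/// Constructed scenario: the referent is dropped between two reads.
fn sound_read_scenario() -> (Option<String>, Option<String>) {
    let owner = Rc::new(String::from("constructed referent"));
    let weak = Rc::downgrade(&owner);
    let while_alive = read_via_upgrade(&weak);
    drop(owner); // last strong reference cleared, as when Python frees the object
    let after_drop = read_via_upgrade(&weak); // None, not a dangling value
    (while_alive, after_drop)
}

/// Constructed scenario: the leaking accessor keeps the referent alive even
/// after the original owner is dropped. Returns (strong count after the
/// leak, the borrowed text, whether the weak ref still upgrades).
fn leaking_mitigation_scenario() -> (usize, &'static str, bool) {
    let owner = Rc::new(String::from("constructed referent"));
    let weak = Rc::downgrade(&owner);
    let borrowed = borrowed_leaking(&weak).expect("referent is alive here");
    let count_after_leak = Rc::strong_count(&owner); // 2: owner + leaked ref
    drop(owner);
    (count_after_leak, borrowed, weak.upgrade().is_some())
}

fn main() {
    println!("sound read: {:?}", sound_read_scenario());
    println!("leaking mitigation: {:?}", leaking_mitigation_scenario());
}
```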

Comment 1 Lumír Balhar 2024-10-15 09:50:58 UTC
The patch in the latest version is huge: https://github.com/PyO3/pyo3/pull/4590/files

Comment 2 Charalampos Stratakis 2024-10-15 18:19:58 UTC
The weakref Python types were added in https://github.com/PyO3/pyo3/pull/3835, that is version 0.22.0.

We ship 0.15.2 in the bundled crates of cryptography.

The only file that we ship which has some change through the fix is here: https://github.com/PyO3/pyo3/commit/26abde5f858286b78c755da3b2627e4d13b4b234#diff-f7a0cd3c685f42419e34ce7c1be728ffc394d644b49715ae7112a2d6f45849f6

Also this fix is related to free-threaded Python. This requires more investigation but from my initial finding we should not be affected.

Comment 3 Lumír Balhar 2024-10-16 10:52:54 UTC
You are right. The python-cryptography in RHEL 8 and 9 and also the versions in the alternative stacks Python 3.11 and 3.12 are too old to include the vulnerable code. The only exception is RHEL 10, where we have version 43.0.0 and that bundles pyo3 version 0.22.0: https://github.com/pyca/cryptography/commit/47aced28c8f27b4dbb61f4fc79af444a18279463

The free-threading implementation for pyo3 hasn't been finished yet: https://github.com/pyca/cryptography/commit/47aced28c8f27b4dbb61f4fc79af444a18279463
