[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-16 Thread Steve Dower


Change by Steve Dower :


--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-16 Thread Łukasz Langa

Łukasz Langa  added the comment:


New changeset 2b97cfdce8df9d0d455f65a22b1e0d34a29dc200 by Miss Islington (bot) 
in branch '3.8':
bpo-46948: Fix launcher installer build failure due to first part of fix 
(GH-31920) (GH-31924)
https://github.com/python/cpython/commit/2b97cfdce8df9d0d455f65a22b1e0d34a29dc200





[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-15 Thread Ned Deily


Ned Deily  added the comment:


New changeset 4a1d65fe8528c3a6e0cf2f4f9d4b58249164589d by Miss Islington (bot) 
in branch '3.7':
bpo-46948: Fix launcher installer build failure due to first part of fix 
(GH-31920) (GH-31925)
https://github.com/python/cpython/commit/4a1d65fe8528c3a6e0cf2f4f9d4b58249164589d





[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-15 Thread miss-islington


miss-islington  added the comment:


New changeset 70eb9db39817a8f9abef801a2a4a7bb2c7411654 by Miss Islington (bot) 
in branch '3.9':
bpo-46948: Fix launcher installer build failure due to first part of fix 
(GH-31920)
https://github.com/python/cpython/commit/70eb9db39817a8f9abef801a2a4a7bb2c7411654





[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-15 Thread miss-islington


miss-islington  added the comment:


New changeset 58d30b992d67c8471f79a7307e4c1cda64311e3b by Miss Islington (bot) 
in branch '3.10':
bpo-46948: Fix launcher installer build failure due to first part of fix 
(GH-31920)
https://github.com/python/cpython/commit/58d30b992d67c8471f79a7307e4c1cda64311e3b





[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-15 Thread miss-islington


Change by miss-islington :


--
pull_requests: +30016
pull_request: https://github.com/python/cpython/pull/31925




[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-15 Thread miss-islington


Change by miss-islington :


--
pull_requests: +30015
pull_request: https://github.com/python/cpython/pull/31924




[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-15 Thread miss-islington


Change by miss-islington :


--
pull_requests: +30014
pull_request: https://github.com/python/cpython/pull/31923




[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-15 Thread miss-islington


Change by miss-islington :


--
nosy: +miss-islington
nosy_count: 8.0 -> 9.0
pull_requests: +30013
pull_request: https://github.com/python/cpython/pull/31922




[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-15 Thread Steve Dower


Steve Dower  added the comment:


New changeset 708812085355c92f32e547d1f1d1f29aefbbc27e by Steve Dower in branch 
'main':
bpo-46948: Fix launcher installer build failure due to first part of fix 
(GH-31920)
https://github.com/python/cpython/commit/708812085355c92f32e547d1f1d1f29aefbbc27e





[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-15 Thread Steve Dower


Change by Steve Dower :


--
pull_requests: +30011
stage: needs patch -> patch review
pull_request: https://github.com/python/cpython/pull/31920




[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-15 Thread Steve Dower


Steve Dower  added the comment:

The fix for this regressed the installer for the py.exe launcher, which breaks 
our release builds.

I'm patching it now. It's going under the same issue number because it will be 
needed for anyone applying this patch directly and then building the installer 
themselves.

--
resolution: fixed -> 
stage: resolved -> needs patch
status: closed -> open




[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-08 Thread Steve Dower


Steve Dower  added the comment:

> Is there anything on our end we can do to prevent this kind of issue in the 
> future?

Probably not, I think it's just a lesson learned about the capabilities of the 
MSI format and its integration with Windows (well, we could hurry up moving 
everyone to the Windows Store, which doesn't have this issue, but that seems 
unlikely ;) )

Similar issues have been reported to the Windows Installer team (e.g. 
CVE-2021-41379, CVE-2021-26415) that could have been fixed by disabling the 
unelevated repair function, but weren't. So I think it just has to become a 
known thing for people building MSIs that a "repair" can be run by non-elevated 
users, and install-time variables may not be preserved for the repair. (In our 
case, that means actually searching for the existing install rather than 
trusting the variable our bundle normally provides to the MSI.)

--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed




[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-08 Thread Łukasz Langa

Łukasz Langa  added the comment:


New changeset cff1b78c1dfb2a62b1e16fabc5f43bc3634d9de7 by Steve Dower in branch 
'3.8':
bpo-46948: Fix CVE-2022-26488 by ensuring the Windows Installer correctly uses 
the install path during repair (GH-31729)
https://github.com/python/cpython/commit/cff1b78c1dfb2a62b1e16fabc5f43bc3634d9de7





[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-07 Thread Gregory P. Smith


Gregory P. Smith  added the comment:

Is there anything on our end we can do to prevent this kind of issue in the 
future?

Am I wrong to see this as just fixing our package to avoid a design flaw in 
Windows OS level package management?

Certainly other packages in the world must run into similar problems.

--
nosy: +gregory.p.smith




[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-07 Thread Ned Deily


Ned Deily  added the comment:


New changeset 97476271275a4bd1340230677b7301d7b78b3317 by Steve Dower in branch 
'3.7':
bpo-46948: Fix CVE-2022-26488 by ensuring the Windows Installer correctly uses 
the install path during repair (GH-31730)
https://github.com/python/cpython/commit/97476271275a4bd1340230677b7301d7b78b3317





[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-07 Thread Steve Dower


Steve Dower  added the comment:


New changeset 101a1bee1953b82339115c5e648e1717359c78eb by Steve Dower in branch 
'3.9':
bpo-46948: Fix CVE-2022-26488 by ensuring the Windows Installer correctly uses 
the install path during repair (GH-31728)
https://github.com/python/cpython/commit/101a1bee1953b82339115c5e648e1717359c78eb





[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-07 Thread Steve Dower


Steve Dower  added the comment:


New changeset 77446d2aa56e9e3262d9d22473420ff5e907 by Steve Dower in branch 
'main':
bpo-46948: Fix CVE-2022-26488 by ensuring the Windows Installer correctly uses 
the install path during repair (GH-31726)
https://github.com/python/cpython/commit/77446d2aa56e9e3262d9d22473420ff5e907





[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-07 Thread Steve Dower


Steve Dower  added the comment:


New changeset 136842c91b5783e205e217c4855baa9dadd4ad41 by Steve Dower in branch 
'3.10':
bpo-46948: Fix CVE-2022-26488 by ensuring the Windows Installer correctly uses 
the install path during repair (GH-31727)
https://github.com/python/cpython/commit/136842c91b5783e205e217c4855baa9dadd4ad41





[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-07 Thread Steve Dower


Steve Dower  added the comment:

Yeah, this is fine to still be in alpha 6. Very unlikely that anyone is making 
it a system-wide default anyway, and certainly not in secure/production systems.




[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-07 Thread Pablo Galindo Salgado


Pablo Galindo Salgado  added the comment:

The 3.11.0a6 release is ongoing. I assume it is OK not to block this release on 
this issue, given that an alpha is inherently unsafe.




[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-07 Thread Steve Dower


Change by Steve Dower :


--
pull_requests: +29847
pull_request: https://github.com/python/cpython/pull/31730




[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-07 Thread Steve Dower


Change by Steve Dower :


--
pull_requests: +29846
pull_request: https://github.com/python/cpython/pull/31729




[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-07 Thread Steve Dower


Change by Steve Dower :


--
pull_requests: +29845
pull_request: https://github.com/python/cpython/pull/31728




[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-07 Thread Steve Dower


Change by Steve Dower :


--
pull_requests: +29844
pull_request: https://github.com/python/cpython/pull/31727




[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-07 Thread Steve Dower


Change by Steve Dower :


--
keywords: +patch
pull_requests: +29843
stage: needs patch -> patch review
pull_request: https://github.com/python/cpython/pull/31726




[issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

2022-03-07 Thread Steve Dower


New submission from Steve Dower :

CVE-2022-26488 is an escalation of privilege vulnerability in the Windows 
installer for the following releases of CPython:

* 3.11.0a6 and earlier
* 3.10.2 and earlier
* 3.9.10 and earlier
* 3.8.12 and earlier
* All end-of-life releases of 3.5, 3.6 and 3.7

The vulnerability exists when installed for all users, and when the "Add Python 
to PATH" option has been selected. A local user without administrative 
permissions can trigger a repair operation that adds incorrect additional paths 
to the system PATH variable, and then use search path hijacking to achieve 
escalation of privilege. Per-user installs (the default) are also affected, but 
cannot be used for escalation of privilege.

Besides updating, this vulnerability may be mitigated by modifying an existing 
install to disable the "Add Python to PATH" or "Add Python to environment 
variables" option. Manually adding the install directory to PATH is not 
affected.

Thanks to the Lockheed Martin Red Team for detecting and reporting the issue to 
the Python Security Response Team.

--
assignee: steve.dower
components: Windows
messages: 414673
nosy: lukasz.langa, ned.deily, pablogsal, paul.moore, steve.dower, tim.golden, 
zach.ware
priority: release blocker
severity: normal
stage: needs patch
status: open
title: [CVE-2022-26488] Escalation of privilege via Windows Installer
type: security
versions: Python 3.10, Python 3.11, Python 3.7, Python 3.8, Python 3.9
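
A defender-side audit for the condition this report describes (unexpected entries in the system PATH that allow search path hijacking), as an added example that is not part of the original thread or of CPython's installer code. The function names, the `PROTECTED_ROOTS` list and the sample PATH value are assumptions constructed for illustration.

```python
import ntpath
import sys

# Assumption: directories that standard users cannot write to on a default install.
PROTECTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")

def _norm(path):
    return ntpath.normcase(ntpath.normpath(path))

def _under(path, root):
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + "\\")

def audit_machine_path(path_value, exists=ntpath.isdir):
    """Return (entry, reason) pairs for system PATH entries that need review."""
    findings = []
    for raw in path_value.split(";"):
        entry = raw.strip().strip('"')
        if not entry:
            continue
        if not ntpath.isabs(entry):
            findings.append((entry, "relative path"))
        elif not exists(entry):
            findings.append((entry, "directory does not exist"))
        elif not any(_under(entry, root) for root in PROTECTED_ROOTS):
            findings.append((entry, "outside protected roots; review its ACL"))
    return findings

def read_machine_path():
    """Read the system-wide PATH from the registry and expand it (Windows only)."""
    import winreg
    key = r"SYSTEM\CurrentControlSet\Control\Session Manager\Environment"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        value, _ = winreg.QueryValueEx(k, "Path")
    return winreg.ExpandEnvironmentStrings(value)

def demo():
    """Audit a constructed PATH value against a constructed set of existing dirs."""
    sample = (r"C:\Windows\system32;C:\Windows;C:\Program Files\Python310\;"
              r"tools\bin;C:\Python39\Scripts\;C:\Tools")
    existing = {_norm(p) for p in (r"C:\Windows\system32", r"C:\Windows",
                                   r"C:\Program Files\Python310", r"C:\Tools")}
    return audit_machine_path(sample, exists=lambda p: _norm(p) in existing)

if __name__ == "__main__":
    results = audit_machine_path(read_machine_path()) if sys.platform == "win32" else demo()
    for entry, reason in results:
        print(f"{reason}: {entry}")
```

On Windows the script audits the real system PATH; elsewhere it runs the constructed sample. A flagged entry is a prompt to inspect that directory's permissions, not proof of compromise.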
