[issue29778] [CVE-2020-15523] _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath

2020-08-03 Thread Larry Hastings
Larry Hastings added the comment: New changeset f205f1000a2d7f8b044caf281041b3705f293480 by Steve Dower in branch '3.5': [3.5] bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (GH-21297) (#21377)

[issue29778] [CVE-2020-15523] _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath

2020-07-20 Thread Eryk Sun
Eryk Sun added the comment: > I still don't understand why this is considered a Python security problem. > If the user can put a malicious "python3.dll" at some arbitrary spot in > the filesystem (e.g. a USB flash drive), and fool Python.exe into loading > it, then surely they could put an

[issue29778] [CVE-2020-15523] _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath

2020-07-20 Thread Larry Hastings
Larry Hastings added the comment: I still don't understand why this is considered a Python security problem. If the user can put a malicious "python3.dll" at some arbitrary spot in the filesystem (e.g. a USB flash drive), and fool Python.exe into loading it, then surely they could put an

[issue29778] [CVE-2020-15523] _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath

2020-07-18 Thread Eryk Sun
Eryk Sun added the comment: > If you can put files in the root of the hard drive where Windows was > installed, surely you have other, easier attack vectors. A rooted path is resolved relative to the process working directory, and Python can be started with any current working directory.

[issue29778] [CVE-2020-15523] _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath

2020-07-16 Thread Larry Hastings
Larry Hastings added the comment: I must have taken my stupid pills today. Why is this considered a "security" "release blocker"? If you can put files in the root of the hard drive where Windows was installed, surely you have other, easier attack vectors. --

[issue29778] [CVE-2020-15523] _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath

2020-07-16 Thread Steve Dower
Steve Dower added the comment: FYI, issue41304 fixed a regression in this patch in 3.7 and later. The regression shipped in 3.8.4 and 3.9.0b4, but will be fixed in the subsequent releases. -- ___ Python tracker

[issue29778] [CVE-2020-15523] _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath

2020-07-13 Thread Steve Dower
Steve Dower added the comment: Correction: the original discovery credit goes to Eran Shimony and Ido Hoorvitch from CyberArk. -- ___ Python tracker ___

[issue29778] [CVE-2020-15523] _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath

2020-07-07 Thread STINNER Victor
STINNER Victor added the comment: New changeset 8f42748ded5e978fe8a924115179d45a74a6363b by Victor Stinner in branch 'master': bpo-29778: test_embed tests the path configuration (GH-21306) https://github.com/python/cpython/commit/8f42748ded5e978fe8a924115179d45a74a6363b --

[issue29778] [CVE-2020-15523] _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath

2020-07-07 Thread Steve Dower
Change by Steve Dower : -- pull_requests: +20520 pull_request: https://github.com/python/cpython/pull/21377 ___ Python tracker ___

[issue29778] [CVE-2020-15523] _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath

2020-07-07 Thread Steve Dower
Steve Dower added the comment: > Python 3.5 is also vulnerable, no? This branch still gets security fixes, do > you plan to backport the fix? You're right. I thought because the backport tag was gone on GitHub that it was EOL already. I can do the backport. -- nosy: +larry

[issue29778] [CVE-2020-15523] _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath

2020-07-07 Thread STINNER Victor
STINNER Victor added the comment: Steve: Python 3.5 is also vulnerable, no? This branch still gets security fixes, do you plan to backport the fix? I can do it if you are not available. -- ___ Python tracker

[issue29778] [CVE-2020-15523] _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath

2020-07-07 Thread STINNER Victor
STINNER Victor added the comment: FYI this vulnerability is now tracked by: https://python-security.readthedocs.io/vuln/pysetpath-python-dll-path.html -- ___ Python tracker

[issue29778] [CVE-2020-15523] _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath

2020-07-06 Thread Steve Dower
Steve Dower added the comment: Announcement post: https://mail.python.org/archives/list/security-annou...@python.org/thread/C5RIXC2ZIML3NOEIOGFPA6ISGU5L2QXL/ CVE-2020-15523 is an invalid search path in Python 3.6 and later on Windows. It occurs during Py_Initialize() when the runtime

[issue29778] [CVE-2020-15523] _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath

2020-07-06 Thread Steve Dower
Steve Dower added the comment: Fixes are in. Also adding the CVE number to the bug title. -- resolution: -> fixed stage: patch review -> resolved status: open -> closed title: _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath ->