classification
Title: [security] CVE-2019-10268: An arbitrary execution vulnerability exists in the built-in function getattr
Type: security Stage: resolved
Components: Interpreter Core Versions: Python 3.9, Python 3.8, Python 3.7, Python 3.6, Python 3.5, Python 2.7
process
Status: closed Resolution: not a bug
Dependencies: Superseder:
Assigned To: Nosy List: 18z, SilentGhost, bigbigliang, christian.heimes, josh.r, krnick, serhiy.storchaka, vstinner, xtreak
Priority: normal Keywords: security_issue

Created on 2019-04-02 14:48 by bigbigliang, last changed 2019-04-06 16:24 by serhiy.storchaka. This issue is now closed.

Messages (9)
msg339337 - (view) Author: bigbigliang (bigbigliang) Date: 2019-04-02 14:48
Dear Python Community, 

We’ve found a bug in cpython Lib and already received a cve number (CVE-2019-10268).But to be honest, I'm not sure if it's a loophole.
Please tell me what to do next.

bigbigliang
msg339342 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2019-04-02 15:01
Hi,

this is a public bug tracker. Please don't report new security bugs here but follow the guidelines at https://www.python.org/news/security/. Also please don't acquire CVE numbers for issues yourself. The Python Security Response Team will request CVE numbers.
msg339343 - (view) Author: Karthikeyan Singaravelan (xtreak) * (Python triager) Date: 2019-04-02 15:03
The security vulnerability disclosure process can be found at https://www.python.org/news/security/ . Please contact security@python.org.
msg339350 - (view) Author: Josh Rosenberg (josh.r) * (Python triager) Date: 2019-04-02 16:52
I'll note that, based on the title, I'm skeptical of the claim of a vulnerability. getattr is effectively *designed* to execute arbitrary code if called on an appropriate object (one where the class defines __getattribute__; defines __getattr__ without defining the name in question; defines the name in question as a property, not an instance attribute; or does something complicated with metaclasses that achieves a similar result looking up the attribute on the class).

In all of those cases, the "vulnerability" only exists if:

1. The object in question defines a vulnerable handler for the attribute (that is, provides a code path for arbitrary execution that Python's attribute lookup machinery wasn't responsible for except insofar as it passed control to the unsafe handler in question)
2. Untrusted user input is passed as the name to look up on the vulnerable object

If it's something more subtle than that (e.g. something where a "plain" instance with no special execution path supports arbitrary execution), that's an issue, but if it requires a Python developer to both create the vulnerability and open a path to trigger it explicitly, that doesn't really count.
msg339351 - (view) Author: SilentGhost (SilentGhost) * (Python triager) Date: 2019-04-02 16:58
As another note, this seem to be a third "security" issue created in less then a week to the same template (others are 36260 and 36462). I hope it's some assignment due soon.
msg339372 - (view) Author: bigbigliang (bigbigliang) Date: 2019-04-03 00:15
Yes, as you said. I think this problem can be closed. My initial idea was
that if a user carefully constructs a vulnerability point, it may cause
some danger, such as 'getattr(os,"system")("/bin/sh")'. So I have some
ideas about whether it is necessary to filter it.
Thank you for your reply.

from:bigbigliang

Josh Rosenberg <report@bugs.python.org> 于2019年4月3日周三 上午12:52写道:

>
> Josh Rosenberg <shadowranger+python@gmail.com> added the comment:
>
> I'll note that, based on the title, I'm skeptical of the claim of a
> vulnerability. getattr is effectively *designed* to execute arbitrary code
> if called on an appropriate object (one where the class defines
> __getattribute__; defines __getattr__ without defining the name in
> question; defines the name in question as a property, not an instance
> attribute; or does something complicated with metaclasses that achieves a
> similar result looking up the attribute on the class).
>
> In all of those cases, the "vulnerability" only exists if:
>
> 1. The object in question defines a vulnerable handler for the attribute
> (that is, provides a code path for arbitrary execution that Python's
> attribute lookup machinery wasn't responsible for except insofar as it
> passed control to the unsafe handler in question)
> 2. Untrusted user input is passed as the name to look up on the vulnerable
> object
>
> If it's something more subtle than that (e.g. something where a "plain"
> instance with no special execution path supports arbitrary execution),
> that's an issue, but if it requires a Python developer to both create the
> vulnerability and open a path to trigger it explicitly, that doesn't really
> count.
>
> ----------
> keywords: +security_issue
> nosy: +josh.r
>
> _______________________________________
> Python tracker <report@bugs.python.org>
> <https://bugs.python.org/issue36506>
> _______________________________________
>
msg339385 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2019-04-03 09:33
Could you please do us a favor and contact MITRE to get the CVE number revoked? Please CC security@python.org so we have a record of the emails.
msg339395 - (view) Author: bigbigliang (bigbigliang) Date: 2019-04-03 15:17
>
> Certainly.
>
>
msg339423 - (view) Author: bigbigliang (bigbigliang) Date: 2019-04-04 01:09
Thank you for your answer. I am a student and very interested in python. I
want to continue digging for Python bugs, but I am not good at this area. I
want to keep looking for loopholes.

from:bigbigliang

Christian Heimes <report@bugs.python.org> 于2019年4月3日周三 下午5:33写道:

>
> Christian Heimes <lists@cheimes.de> added the comment:
>
> Could you please do us a favor and contact MITRE to get the CVE number
> revoked? Please CC security@python.org so we have a record of the emails.
>
> ----------
>
> _______________________________________
> Python tracker <report@bugs.python.org>
> <https://bugs.python.org/issue36506>
> _______________________________________
>
History
Date User Action Args
2019-04-06 16:24:57serhiy.storchakasetstatus: open -> closed
resolution: not a bug
stage: resolved
2019-04-04 01:09:28bigbigliangsetmessages: + msg339423
2019-04-03 15:17:11bigbigliangsetmessages: + msg339395
2019-04-03 09:33:02christian.heimessetmessages: + msg339385
2019-04-03 00:15:04bigbigliangsetmessages: + msg339372
2019-04-02 16:58:40SilentGhostsetnosy: + SilentGhost
messages: + msg339351
2019-04-02 16:52:16josh.rsetkeywords: + security_issue
nosy: + josh.r
messages: + msg339350

2019-04-02 15:12:11vstinnersettitle: An arbitrary execution vulnerability exists in the built-in function getattr -> [security] CVE-2019-10268: An arbitrary execution vulnerability exists in the built-in function getattr
2019-04-02 15:08:04christian.heimessetcomponents: + Interpreter Core, - 2to3 (2.x to 3.x conversion tool)
2019-04-02 15:03:47xtreaksetmessages: + msg339343
2019-04-02 15:01:56christian.heimessetmessages: + msg339342
2019-04-02 14:48:46bigbigliangcreate