➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2019-04-02 14:48 by bigbigliang, last changed 2022-04-11 14:59 by admin. This issue is now closed.
| Messages (9) | |||
|---|---|---|---|
| msg339337 - (view) | Author: bigbigliang (bigbigliang) | Date: 2019-04-02 14:48 | |
Dear Python Community, We’ve found a bug in cpython Lib and already received a cve number (CVE-2019-10268).But to be honest, I'm not sure if it's a loophole. Please tell me what to do next. bigbigliang |
|||
| msg339342 - (view) | Author: Christian Heimes (christian.heimes) *  |
Date: 2019-04-02 15:01 | |
Hi, this is a public bug tracker. Please don't report new security bugs here but follow the guidelines at https://www.python.org/news/security/. Also please don't acquire CVE numbers for issues yourself. The Python Security Response Team will request CVE numbers. |
|||
| msg339343 - (view) | Author: Karthikeyan Singaravelan (xtreak) * |
Date: 2019-04-02 15:03 | |
The security vulnerability disclosure process can be found at https://www.python.org/news/security/ . Please contact security@python.org. |
|||
| msg339350 - (view) | Author: Josh Rosenberg (josh.r) *  |
Date: 2019-04-02 16:52 | |
I'll note that, based on the title, I'm skeptical of the claim of a vulnerability. getattr is effectively *designed* to execute arbitrary code if called on an appropriate object (one where the class defines __getattribute__; defines __getattr__ without defining the name in question; defines the name in question as a property, not an instance attribute; or does something complicated with metaclasses that achieves a similar result looking up the attribute on the class). In all of those cases, the "vulnerability" only exists if: 1. The object in question defines a vulnerable handler for the attribute (that is, provides a code path for arbitrary execution that Python's attribute lookup machinery wasn't responsible for except insofar as it passed control to the unsafe handler in question) 2. Untrusted user input is passed as the name to look up on the vulnerable object If it's something more subtle than that (e.g. something where a "plain" instance with no special execution path supports arbitrary execution), that's an issue, but if it requires a Python developer to both create the vulnerability and open a path to trigger it explicitly, that doesn't really count. |
|||
| msg339351 - (view) | Author: SilentGhost (SilentGhost) * |
Date: 2019-04-02 16:58 | |
As another note, this seem to be a third "security" issue created in less then a week to the same template (others are 36260 and 36462). I hope it's some assignment due soon. |
|||
| msg339372 - (view) | Author: bigbigliang (bigbigliang) | Date: 2019-04-03 00:15 | |
Yes, as you said. I think this problem can be closed. My initial idea was
that if a user carefully constructs a vulnerability point, it may cause
some danger, such as 'getattr(os,"system")("/bin/sh")'. So I have some
ideas about whether it is necessary to filter it.
Thank you for your reply.
from:bigbigliang
Josh Rosenberg <report@bugs.python.org> 于2019年4月3日周三 上午12:52写道:
>
> Josh Rosenberg <shadowranger+python@gmail.com> added the comment:
>
> I'll note that, based on the title, I'm skeptical of the claim of a
> vulnerability. getattr is effectively *designed* to execute arbitrary code
> if called on an appropriate object (one where the class defines
> __getattribute__; defines __getattr__ without defining the name in
> question; defines the name in question as a property, not an instance
> attribute; or does something complicated with metaclasses that achieves a
> similar result looking up the attribute on the class).
>
> In all of those cases, the "vulnerability" only exists if:
>
> 1. The object in question defines a vulnerable handler for the attribute
> (that is, provides a code path for arbitrary execution that Python's
> attribute lookup machinery wasn't responsible for except insofar as it
> passed control to the unsafe handler in question)
> 2. Untrusted user input is passed as the name to look up on the vulnerable
> object
>
> If it's something more subtle than that (e.g. something where a "plain"
> instance with no special execution path supports arbitrary execution),
> that's an issue, but if it requires a Python developer to both create the
> vulnerability and open a path to trigger it explicitly, that doesn't really
> count.
>
> ----------
> keywords: +security_issue
> nosy: +josh.r
>
> _______________________________________
> Python tracker <report@bugs.python.org>
> <https://bugs.python.org/issue36506>
> _______________________________________
>
|
|||
| msg339385 - (view) | Author: Christian Heimes (christian.heimes) * |
Date: 2019-04-03 09:33 | |
Could you please do us a favor and contact MITRE to get the CVE number revoked? Please CC security@python.org so we have a record of the emails. |
|||
| msg339395 - (view) | Author: bigbigliang (bigbigliang) | Date: 2019-04-03 15:17 | |
> > Certainly. > > |
|||
| msg339423 - (view) | Author: bigbigliang (bigbigliang) | Date: 2019-04-04 01:09 | |
Thank you for your answer. I am a student and very interested in python. I want to continue digging for Python bugs, but I am not good at this area. I want to keep looking for loopholes. from:bigbigliang Christian Heimes <report@bugs.python.org> 于2019年4月3日周三 下午5:33写道: > > Christian Heimes <lists@cheimes.de> added the comment: > > Could you please do us a favor and contact MITRE to get the CVE number > revoked? Please CC security@python.org so we have a record of the emails. > > ---------- > > _______________________________________ > Python tracker <report@bugs.python.org> > <https://bugs.python.org/issue36506> > _______________________________________ > |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:59:13 | admin | set | github: 80687 |
| 2019-04-06 16:24:57 | serhiy.storchaka | set | status: open -> closed resolution: not a bug stage: resolved |
| 2019-04-04 01:09:28 | bigbigliang | set | messages: + msg339423 |
| 2019-04-03 15:17:11 | bigbigliang | set | messages: + msg339395 |
| 2019-04-03 09:33:02 | christian.heimes | set | messages: + msg339385 |
| 2019-04-03 00:15:04 | bigbigliang | set | messages: + msg339372 |
| 2019-04-02 16:58:40 | SilentGhost | set | nosy:
+ SilentGhost messages: + msg339351 |
| 2019-04-02 16:52:16 | josh.r | set | keywords:
+ security_issue nosy: + josh.r messages: + msg339350 |
| 2019-04-02 15:12:11 | vstinner | set | title: An arbitrary execution vulnerability exists in the built-in function getattr -> [security] CVE-2019-10268: An arbitrary execution vulnerability exists in the built-in function getattr |
| 2019-04-02 15:08:04 | christian.heimes | set | components: + Interpreter Core, - 2to3 (2.x to 3.x conversion tool) |
| 2019-04-02 15:03:47 | xtreak | set | messages: + msg339343 |
| 2019-04-02 15:01:56 | christian.heimes | set | messages: + msg339342 |
| 2019-04-02 14:48:46 | bigbigliang | create | |