CVE-2022-26488 is an escalation of privilege vulnerability in the Windows installer for the following releases of CPython:

* 3.11.0a6 and earlier
* 3.10.2 and earlier
* 3.9.10 and earlier
* 3.8.12 and earlier
* All end-of-life releases of 3.5, 3.6 and 3.7

The vulnerability exists when installed for all users, and when the "Add Python to PATH" option has been selected. A local user without administrative permissions can trigger a repair operation that adds incorrect additional paths to the system PATH variable, and then use search path hijacking to achieve escalation of privilege. Per-user installs (the default) are also affected, but cannot be used for escalation of privilege.

Besides updating, this vulnerability may be mitigated by modifying an existing install to disable the "Add Python to PATH" or "Add Python to environment variables" option. Manually adding the install directory to PATH is not affected.

Thanks to the Lockheed Martin Red Team for detecting and reporting the issue to the Python Security Response Team.

The 3.11.0a6 release is ongoing. I assume is ok to not block this release on this issue, given that an alpha is inherently unsafe

Yeah, this is fine to still be in alpha 6. Very unlikely that anyone is making it a system-wide default anyway, and certainly not in secure/production systems.

New changeset 136842c91b5783e205e217c4855baa9dadd4ad41 by Steve Dower in branch '3.10':
bpo-46948: Fix CVE-2022-26488 by ensuring the Windows Installer correctly uses the install path during repair (GH-31727)
https://github.com/python/cpython/commit/136842c91b5783e205e217c4855baa9dadd4ad41

New changeset 77446d2aa56e9e3262d9d2247342bbbb0ff5e907 by Steve Dower in branch 'main':
bpo-46948: Fix CVE-2022-26488 by ensuring the Windows Installer correctly uses the install path during repair (GH-31726)
https://github.com/python/cpython/commit/77446d2aa56e9e3262d9d2247342bbbb0ff5e907

New changeset 101a1bee1953b82339115c5e648e1717359c78eb by Steve Dower in branch '3.9':
bpo-46948: Fix CVE-2022-26488 by ensuring the Windows Installer correctly uses the install path during repair (GH-31728)
https://github.com/python/cpython/commit/101a1bee1953b82339115c5e648e1717359c78eb

New changeset 97476271275a4bd1340230677b7301d7b78b3317 by Steve Dower in branch '3.7':
bpo-46948: Fix CVE-2022-26488 by ensuring the Windows Installer correctly uses the install path during repair (GH-31730)
https://github.com/python/cpython/commit/97476271275a4bd1340230677b7301d7b78b3317

Is there anything on our end we can do to prevent this kind of issue in the future?

Am I wrong to see this as just fixing our package to avoid a design flaw in Windows OS level package management?

Certainly other packages in the world must run into similar problems.

New changeset cff1b78c1dfb2a62b1e16fabc5f43bc3634d9de7 by Steve Dower in branch '3.8':
bpo-46948: Fix CVE-2022-26488 by ensuring the Windows Installer correctly uses the install path during repair (GH-31729)
https://github.com/python/cpython/commit/cff1b78c1dfb2a62b1e16fabc5f43bc3634d9de7

> Is there anything on our end we can do to prevent this kind of issue in the future?

Probably not, I think it's just a lesson learned about the capabilities of the MSI format and its integration with Windows (well, we could hurry up moving everyone to the Windows Store, which doesn't have this issue, but that seems unlikely ;) )

Similar issues have been reported to the Windows Installer team (e.g. CVE-2021-41379, CVE-2021-26415) that could have been fixed by disabling the unelevated repair function, but weren't. So I think it just has to become a known thing for people building MSIs that a "repair" can be run by non-elevated users, and install-time variables may not be preserved for the repair. (In our case, that means actually searching for the existing install rather than trusting the variable our bundle normally provides to the MSI.)

The fix for this regressed the installer for the py.exe launcher, which breaks our release builds.

I'm patching it now. It's going under the same issue number because it will be needed for anyone applying this patch directly and then building the installer themselves.

New changeset 708812085355c92f32e547d1f1d1f29aefbbc27e by Steve Dower in branch 'main':
bpo-46948: Fix launcher installer build failure due to first part of fix (GH-31920)
https://github.com/python/cpython/commit/708812085355c92f32e547d1f1d1f29aefbbc27e

New changeset 58d30b992d67c8471f79a7307e4c1cda64311e3b by Miss Islington (bot) in branch '3.10':
bpo-46948: Fix launcher installer build failure due to first part of fix (GH-31920)
https://github.com/python/cpython/commit/58d30b992d67c8471f79a7307e4c1cda64311e3b

New changeset 70eb9db39817a8f9abef801a2a4a7bb2c7411654 by Miss Islington (bot) in branch '3.9':
bpo-46948: Fix launcher installer build failure due to first part of fix (GH-31920)
https://github.com/python/cpython/commit/70eb9db39817a8f9abef801a2a4a7bb2c7411654

New changeset 4a1d65fe8528c3a6e0cf2f4f9d4b58249164589d by Miss Islington (bot) in branch '3.7':
bpo-46948: Fix launcher installer build failure due to first part of fix (GH-31920) (GH-31925)
https://github.com/python/cpython/commit/4a1d65fe8528c3a6e0cf2f4f9d4b58249164589d

New changeset 2b97cfdce8df9d0d455f65a22b1e0d34a29dc200 by Miss Islington (bot) in branch '3.8':
bpo-46948: Fix launcher installer build failure due to first part of fix (GH-31920) (GH-31924)
https://github.com/python/cpython/commit/2b97cfdce8df9d0d455f65a22b1e0d34a29dc200