This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author steve.dower
Recipients izbyshev, paul.moore, steve.dower, tim.golden, zach.ware
Date 2018-03-05.18:04:42
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1520273082.67.0.467229070634.issue33001@psf.upfronthosting.co.za>
In-reply-to
Content
On February 27th, 2018, the Python Security Response team was notified of a buffer overflow issue in the os.symlink() method on Windows. The issue affects all versions of Python between 3.2 and 3.6.4, including the 3.7 beta releases. It will be patched for the next releases of 3.4, 3.5, 3.6 and 3.7.

Scripts may be vulnerable if they use os.symlink() on Windows and an attacker is able to influence the location where links are created. As os.symlink requires administrative privileges on most versions of Windows, exploits using this vulnerability are likely to achieve escalation of privilege.

Besides applying the fix to CPython, scripts can also ensure that the length of each path argument is less than 260, and if the source is a relative path, that its combination with the destination is also shorter than 260 characters. That is:

    assert (len(src) < 260 and
            len(dest) < 260 and
            len(os.path.join(os.path.dirname(dest), src)) < 260)
    os.symlink(src, dest)

Scripts that explicitly pass the target_is_directory argument as True are not vulnerable. Also, scripts on Python 3.5 that use bytes for paths are not vulnerable, because of a combination of stack layout and added parameter validation.

I will be requesting a CVE for this once the patches are applied to maintenance branches, and then notifying the security-announce list. The patch has been reviewed by the PSRT and reporter, and while it prevents the buffer overflow, it does not raise any new errors or enable the use of long paths when creating symlinks.

Many thanks to Alexey Izbyshev for the report, and helping us work through developing the patch.
History
Date User Action Args
2018-03-05 18:04:42steve.dowersetrecipients: + steve.dower, paul.moore, tim.golden, zach.ware, izbyshev
2018-03-05 18:04:42steve.dowersetmessageid: <1520273082.67.0.467229070634.issue33001@psf.upfronthosting.co.za>
2018-03-05 18:04:42steve.dowerlinkissue33001 messages
2018-03-05 18:04:42steve.dowercreate