Message 373164 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	steve.dower
Recipients	Tibor Csonka, anthonywee, lukasz.langa, miss-islington, ned.deily, paul.moore, steve.dower, tim.golden, vstinner, zach.ware
Date	2020-07-06.19:46:05
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1594064766.16.0.29907869318.issue29778@roundup.psfhosted.org>
In-reply-to

Content
Announcement post: https://mail.python.org/archives/list/security-announce@python.org/thread/C5RIXC2ZIML3NOEIOGFPA6ISGU5L2QXL/ CVE-2020-15523 is an invalid search path in Python 3.6 and later on Windows. It occurs during Py_Initialize() when the runtime attempts to pre-load python3.dll. If Py_SetPath() has been called, the expected location is not set, and locations elsewhere on the user's system will be searched. This issue is not triggered when running python.exe. It only applies when CPython has been embedded in another application. Issue: https://bugs.python.org/issue29778 Patch: https://github.com/python/cpython/pull/21297 The next patched releases will be: 3.9.0b5, 3.8.4, 3.7.9 (source only), 3.6.12 (source only) Other than applying the patch, applications may mitigate the vulnerability by explicitly calling LoadLibrary() on their copy of python3.dll before calling Py_Initialize(). Even with the patch applied, applications should include a copy of python3.dll alongside their main Python DLL. Thanks to Eric Gantumur for detecting and reporting the issue to the Python Security Response Team.

Announcement post: https://mail.python.org/archives/list/security-announce@python.org/thread/C5RIXC2ZIML3NOEIOGFPA6ISGU5L2QXL/

CVE-2020-15523 is an invalid search path in Python 3.6 and later on 
Windows. It occurs during Py_Initialize() when the runtime attempts to 
pre-load python3.dll. If Py_SetPath() has been called, the expected 
location is not set, and locations elsewhere on the user's system will 
be searched.

This issue is not triggered when running python.exe. It only applies 
when CPython has been embedded in another application.

Issue: https://bugs.python.org/issue29778
Patch: https://github.com/python/cpython/pull/21297

The next patched releases will be: 3.9.0b5, 3.8.4, 3.7.9 (source only), 
3.6.12 (source only)

Other than applying the patch, applications may mitigate the 
vulnerability by explicitly calling LoadLibrary() on their copy of 
python3.dll before calling Py_Initialize(). Even with the patch applied, 
applications should include a copy of python3.dll alongside their main 
Python DLL.

Thanks to Eric Gantumur for detecting and reporting the issue to the 
Python Security Response Team.

History
Date	User	Action	Args
2020-07-06 19:46:06	steve.dower	set	recipients: + steve.dower, paul.moore, vstinner, tim.golden, ned.deily, lukasz.langa, zach.ware, Tibor Csonka, miss-islington, anthonywee
2020-07-06 19:46:06	steve.dower	set	messageid: <1594064766.16.0.29907869318.issue29778@roundup.psfhosted.org>
2020-07-06 19:46:06	steve.dower	link	issue29778 messages
2020-07-06 19:46:05	steve.dower	create