Message373164
Announcement post: https://mail.python.org/archives/list/security-announce@python.org/thread/C5RIXC2ZIML3NOEIOGFPA6ISGU5L2QXL/
CVE-2020-15523 is an invalid search path in Python 3.6 and later on
Windows. It occurs during Py_Initialize() when the runtime attempts to
pre-load python3.dll. If Py_SetPath() has been called, the expected
location is not set, and locations elsewhere on the user's system will
be searched.
This issue is not triggered when running python.exe. It only applies
when CPython has been embedded in another application.
Issue: https://bugs.python.org/issue29778
Patch: https://github.com/python/cpython/pull/21297
The next patched releases will be: 3.9.0b5, 3.8.4, 3.7.9 (source only),
3.6.12 (source only)
Other than applying the patch, applications may mitigate the
vulnerability by explicitly calling LoadLibrary() on their copy of
python3.dll before calling Py_Initialize(). Even with the patch applied,
applications should include a copy of python3.dll alongside their main
Python DLL.
Thanks to Eric Gantumur for detecting and reporting the issue to the
Python Security Response Team. |
|
Date |
User |
Action |
Args |
2020-07-06 19:46:06 | steve.dower | set | recipients:
+ steve.dower, paul.moore, vstinner, tim.golden, ned.deily, lukasz.langa, zach.ware, Tibor Csonka, miss-islington, anthonywee |
2020-07-06 19:46:06 | steve.dower | set | messageid: <1594064766.16.0.29907869318.issue29778@roundup.psfhosted.org> |
2020-07-06 19:46:06 | steve.dower | link | issue29778 messages |
2020-07-06 19:46:05 | steve.dower | create | |
|