Message 411338 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	vstinner
Recipients	serhiy.storchaka, vstinner
Date	2022-01-23.03:38:48
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1642909128.93.0.607023254036.issue46478@roundup.psfhosted.org>
In-reply-to

Content
I read the Rust CVE-2022-21658 vulnerability of std::fs::remove_dir_all: https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html It's a race condition if an attacker replaces a directory with a symlink while Rust is removing the parent directory, Rust follows the symlink rather than just removing the symlink. shutil._rmtree_safe_fd() uses os.scandir(). If entry.is_dir(follow_symlinks=False) is true, it calls entry.stat(follow_symlinks=False). It opens the directory as a file to remove the directory. It checks os.path.samestat(orig_st, os.fstat(dirfd)): if it's false, it raises an exception: try: # This can only happen if someone replaces # a directory with a symlink after the call to # os.scandir or stat.S_ISDIR above. raise OSError("Cannot call rmtree on a symbolic " "link") except OSError: onerror(os.path.islink, fullname, sys.exc_info()) I understand that this check is in place to detect the Rust CVE-2022-21658 vulnerability. I noticed that the first entry.is_dir(follow_symlinks=False) call does a stat() syscall, but it doesn't pass the directory file descriptor. It would be even safer to pass it, just in case if the parent directory has been modified in the meanwhile as well.

I read the Rust CVE-2022-21658 vulnerability of std::fs::remove_dir_all:
https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html

It's a race condition if an attacker replaces a directory with a symlink while Rust is removing the parent directory, Rust follows the symlink rather than just removing the symlink.

shutil._rmtree_safe_fd() uses os.scandir(). If entry.is_dir(follow_symlinks=False) is true, it calls entry.stat(follow_symlinks=False). It opens the directory as a file to remove the directory. It checks os.path.samestat(orig_st, os.fstat(dirfd)): if it's false, it raises an exception:

try:
    # This can only happen if someone replaces
    # a directory with a symlink after the call to
    # os.scandir or stat.S_ISDIR above.
    raise OSError("Cannot call rmtree on a symbolic "
                  "link")
except OSError:
    onerror(os.path.islink, fullname, sys.exc_info())

I understand that this check is in place to detect the Rust CVE-2022-21658 vulnerability.

I noticed that the first entry.is_dir(follow_symlinks=False) call does a stat() syscall, but it doesn't pass the directory file descriptor. It would be even safer to pass it, just in case if the parent directory has been modified in the meanwhile as well.

History
Date	User	Action	Args
2022-01-23 03:38:48	vstinner	set	recipients: + vstinner, serhiy.storchaka
2022-01-23 03:38:48	vstinner	set	messageid: <1642909128.93.0.607023254036.issue46478@roundup.psfhosted.org>
2022-01-23 03:38:48	vstinner	link	issue46478 messages
2022-01-23 03:38:48	vstinner	create