!203 fix CVE-2022-42919

From: @zhuofeng6 Reviewed-by: @lvying6 Signed-off-by: @lvying6
2022-11-09 11:52:50 +00:00 · 2022-11-09 11:52:50 +00:00 · c105e104bd
commit c105e104bd
parent 9f3ddadc66 c79f942d8d
2 changed files with 80 additions and 1 deletions
--- a/backport-CVE-2022-42919.patch
+++ b/backport-CVE-2022-42919.patch
@ -0,0 +1,71 @@
+From eae692eed18892309bcc25a2c0f8980038305ea2 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Thu, 20 Oct 2022 16:55:51 -0700
+Subject: [PATCH] [3.10] gh-97514: Don't use Linux abstract sockets for
+ multiprocessing (GH-98501) (GH-98503)
+
+Linux abstract sockets are insecure as they lack any form of filesystem
+permissions so their use allows anyone on the system to inject code into
+the process.
+
+This removes the default preference for abstract sockets in
+multiprocessing introduced in Python 3.9+ via
+https://github.com/python/cpython/pull/18866 while fixing
+https://github.com/python/cpython/issues/84031.
+
+Explicit use of an abstract socket by a user now generates a
+RuntimeWarning.  If we choose to keep this warning, it should be
+backported to the 3.7 and 3.8 branches.
+(cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17)
+
+
+Co-authored-by: Gregory P. Smith <greg@krypto.org>
+
+Automerge-Triggered-By: GH:gpshead
+---
+ Lib/multiprocessing/connection.py                 |  5 -----
+ .../2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst | 15 +++++++++++++++
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
+
+diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
+index 510e4b5aba..8e2facf92a 100644
+--- a/Lib/multiprocessing/connection.py
+++ b/Lib/multiprocessing/connection.py
+@@ -73,11 +73,6 @@ def arbitrary_address(family):
+     if family == 'AF_INET':
+         return ('localhost', 0)
+     elif family == 'AF_UNIX':
+-        # Prefer abstract sockets if possible to avoid problems with the address
+-        # size.  When coding portable applications, some implementations have
+-        # sun_path as short as 92 bytes in the sockaddr_un struct.
+-        if util.abstract_sockets_supported:
+-            return f"\0listener-{os.getpid()}-{next(_mmap_counter)}"
+         return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir())
+     elif family == 'AF_PIPE':
+         return tempfile.mktemp(prefix=r'\\.\pipe\pyc-%d-%d-' %
+diff --git a/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
+new file mode 100644
+index 0000000000..02d95b5705
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
+@@ -0,0 +1,15 @@
+On Linux the :mod:`multiprocessing` module returns to using filesystem backed
+unix domain sockets for communication with the *forkserver* process instead of
+the Linux abstract socket namespace.  Only code that chooses to use the
+:ref:`"forkserver" start method <multiprocessing-start-methods>` is affected.
+
+Abstract sockets have no permissions and could allow any user on the system in
+the same `network namespace
+<https://man7.org/linux/man-pages/man7/network_namespaces.7.html>`_ (often the
+whole system) to inject code into the multiprocessing *forkserver* process.
+This was a potential privilege escalation. Filesystem based socket permissions
+restrict this to the *forkserver* process user as was the default in Python 3.8
+and earlier.
+
+This prevents Linux `CVE-2022-42919
+<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_.
+-- 
+2.27.0
+
--- a/python3.spec
+++ b/python3.spec
@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
 URL: https://www.python.org/

 Version: 3.10.2
-Release: 9
+Release: 10
 License: Python-2.0

 %global branchversion 3.10
@ -93,6 +93,7 @@ Patch6002:  backport-CVE-2021-28861.patch
 Patch6003:  backport-0001-CVE-2020-10735.patch
 Patch6004:  backport-0002-CVE-2020-10735.patch
 Patch6005:  backport-0003-CVE-2020-10735.patch
+Patch6006:  backport-CVE-2022-42919.patch

 Patch9000:  add-the-sm3-method-for-obtaining-the-salt-value.patch

@ -194,6 +195,7 @@ rm configure pyconfig.h.in
 %patch6003 -p1
 %patch6004 -p1
 %patch6005 -p1
+%patch6006 -p1

 %patch9000 -p1

@ -811,6 +813,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
 %{_mandir}/*/*

 %changelog
+* Wed Nov 09 2022 zhuofeng <zhuofeng2@huawei.com> - 3.10.2-10
+- Type:CVE
+- CVE:CVE-2022-42919
+- SUG:NA
+- DESC:fix CVE-2022-42919
+
 * Thu Sep 08 2022 shixuantong <shixuantong@h-partners.com> - 3.10.2-9
 - Type:CVE
 - CVE:CVE-2020-10735