packages/python3
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!203 fix CVE-2022-42919

Browse Source 
From: @zhuofeng6 
Reviewed-by: @lvying6 
Signed-off-by: @lvying6
This commit is contained in:
openeuler-ci-bot 2022-11-09 11:52:50 +00:00 committed by Gitee
commit c105e104bd
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 80 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
backport-CVE-2022-42919.patch Normal file
View File

@ -0,0 +1,71 @@
From eae692eed18892309bcc25a2c0f8980038305ea2 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
<31488909+miss-islington@users.noreply.github.com>
Date: Thu, 20 Oct 2022 16:55:51 -0700
Subject: [PATCH] [3.10] gh-97514: Don't use Linux abstract sockets for
multiprocessing (GH-98501) (GH-98503)
Linux abstract sockets are insecure as they lack any form of filesystem
permissions so their use allows anyone on the system to inject code into
the process.
This removes the default preference for abstract sockets in
multiprocessing introduced in Python 3.9+ via
https://github.com/python/cpython/pull/18866 while fixing
https://github.com/python/cpython/issues/84031.
Explicit use of an abstract socket by a user now generates a
RuntimeWarning. If we choose to keep this warning, it should be
backported to the 3.7 and 3.8 branches.
(cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Automerge-Triggered-By: GH:gpshead
---
Lib/multiprocessing/connection.py | 5 -----
.../2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst | 15 +++++++++++++++
2 files changed, 15 insertions(+), 5 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
index 510e4b5aba..8e2facf92a 100644
--- a/Lib/multiprocessing/connection.py
+++ b/Lib/multiprocessing/connection.py
@@ -73,11 +73,6 @@ def arbitrary_address(family):
if family == 'AF_INET':
return ('localhost', 0)
elif family == 'AF_UNIX':
- # Prefer abstract sockets if possible to avoid problems with the address
- # size. When coding portable applications, some implementations have
- # sun_path as short as 92 bytes in the sockaddr_un struct.
- if util.abstract_sockets_supported:
- return f"\0listener-{os.getpid()}-{next(_mmap_counter)}"
return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir())
elif family == 'AF_PIPE':
return tempfile.mktemp(prefix=r'\\.\pipe\pyc-%d-%d-' %
diff --git a/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
new file mode 100644
index 0000000000..02d95b5705
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
@@ -0,0 +1,15 @@
+On Linux the :mod:`multiprocessing` module returns to using filesystem backed
+unix domain sockets for communication with the *forkserver* process instead of
+the Linux abstract socket namespace. Only code that chooses to use the
+:ref:`"forkserver" start method <multiprocessing-start-methods>` is affected.
+
+Abstract sockets have no permissions and could allow any user on the system in
+the same `network namespace
+<https://man7.org/linux/man-pages/man7/network_namespaces.7.html>`_ (often the
+whole system) to inject code into the multiprocessing *forkserver* process.
+This was a potential privilege escalation. Filesystem based socket permissions
+restrict this to the *forkserver* process user as was the default in Python 3.8
+and earlier.
+
+This prevents Linux `CVE-2022-42919
+<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_.
--
2.27.0

10
python3.spec
View File

@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
URL: https://www.python.org/ URL: https://www.python.org/
Version: 3.10.2 Version: 3.10.2
Release: 9 Release: 10
License: Python-2.0 License: Python-2.0
%global branchversion 3.10 %global branchversion 3.10
@ -93,6 +93,7 @@ Patch6002: backport-CVE-2021-28861.patch
Patch6003: backport-0001-CVE-2020-10735.patch Patch6003: backport-0001-CVE-2020-10735.patch
Patch6004: backport-0002-CVE-2020-10735.patch Patch6004: backport-0002-CVE-2020-10735.patch
Patch6005: backport-0003-CVE-2020-10735.patch Patch6005: backport-0003-CVE-2020-10735.patch
Patch6006: backport-CVE-2022-42919.patch
Patch9000: add-the-sm3-method-for-obtaining-the-salt-value.patch Patch9000: add-the-sm3-method-for-obtaining-the-salt-value.patch
@ -194,6 +195,7 @@ rm configure pyconfig.h.in
%patch6003 -p1 %patch6003 -p1
%patch6004 -p1 %patch6004 -p1
%patch6005 -p1 %patch6005 -p1
%patch6006 -p1
%patch9000 -p1 %patch9000 -p1
@ -811,6 +813,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
%{_mandir}/*/* %{_mandir}/*/*
%changelog %changelog
* Wed Nov 09 2022 zhuofeng <zhuofeng2@huawei.com> - 3.10.2-10
- Type:CVE
- CVE:CVE-2022-42919
- SUG:NA
- DESC:fix CVE-2022-42919
* Thu Sep 08 2022 shixuantong <shixuantong@h-partners.com> - 3.10.2-9 * Thu Sep 08 2022 shixuantong <shixuantong@h-partners.com> - 3.10.2-9
- Type:CVE - Type:CVE
- CVE:CVE-2020-10735 - CVE:CVE-2020-10735