.. _cjk-codec-download-eval: CJK codecs tests call eval() on content retrieved via HTTP ========================================================== .. warning:: This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**. The `canonical database for vulnerabilities affecting Python `_ is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the `Open Source Vulnerability Database `_. By default, the tests are not run with network resources enabled and so the Python test suite is safe. But if the Python test suite is run explicitly with the "network" resource enabled (``-u network`` or ``-u all`` command line option), the CJK codecs tests of the Python test suite run ``eval()`` on content received via HTTP from ``pythontest.net``. If an attacker can compromise the ``pythontest.net`` server, they gain arbitrary code execution on all buildbots. If an attacker has control over the network connection of a machine running the Python test suite, they gain arbitrary code execution there. ``make testall``, ``make testuniversal`` and ``make buildbottest`` commands are impacted (pass ``-u all`` option to the test suite). The CI of the Python project is impacted (buildbot, Travis CI, GitHub Action, Azure Pipelines). With the fix, content is still retrieved via HTTP, but the unsafe eval() function is no longer used. Dates: * Disclosure date: **2020-10-05** (Python issue bpo-41944 reported) * Reported at: 2020-10-05 (email sent to the PSRT list) * Reported by: Florian Bruhin Fixed In -------- * Python **3.6.13** (2021-02-16) fixed by `commit e912e94 (branch 3.6) `_ (2020-10-20) * Python **3.7.10** (2021-02-16) fixed by `commit 43e5231 (branch 3.7) `_ (2020-10-20) * Python **3.8.7** (2020-12-21) fixed by `commit 6c6c256 (branch 3.8) `_ (2020-10-06) * Python **3.9.1** (2020-12-07) fixed by `commit b664a1d (branch 3.9) `_ (2020-10-06) * Python **3.10.0** (2021-10-04) fixed by `commit 2ef5caa (branch 3.10) `_ (2020-10-06) Python issue ------------ [security][CVE-2020-27619] Python testsuite calls eval() on content received via HTTP. * Python issue: `bpo-41944 `_ * Creation date: 2020-10-05 * Reporter: Serhiy Storchaka CVE-2020-27619 -------------- In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP. * CVE ID: `CVE-2020-27619 `_ * Published: 2020-10-22 * `CVSS Score `_: 7.5 Timeline -------- Timeline using the disclosure date **2020-10-05** as reference: * 2020-10-05: Reported (email sent to the PSRT list) * 2020-10-05: `Python issue bpo-41944 `_ reported by Serhiy Storchaka * 2020-10-06 (**+1 days**): `commit 2ef5caa (branch 3.10) `_ * 2020-10-06 (**+1 days**): `commit 6c6c256 (branch 3.8) `_ * 2020-10-06 (**+1 days**): `commit b664a1d (branch 3.9) `_ * 2020-10-20 (**+15 days**): `commit 43e5231 (branch 3.7) `_ * 2020-10-20 (**+15 days**): `commit e912e94 (branch 3.6) `_ * 2020-10-22 (**+17 days**): CVE-2020-27619 published * 2020-12-07 (**+63 days**): Python 3.9.1 released * 2020-12-21 (**+77 days**): Python 3.8.7 released * 2021-02-16 (**+134 days**): Python 3.6.13 released * 2021-02-16 (**+134 days**): Python 3.7.10 released * 2021-10-04: Python 3.10.0 released Links ----- * https://access.redhat.com/security/cve/CVE-2020-27619