Buffer overflow vulnerability in os.symlink on Windows

On February 27th, 2018, the Python Security Response team was notified of a buffer overflow issue in the os.symlink() method on Windows. The issue affects all versions of Python between 3.2 and 3.6.4, including the 3.7 beta releases. It has been patched for the next releases of 3.4, 3.5, 3.6 and 3.7.

Scripts may be vulnerable if they use os.symlink() on Windows and an attacker is able to influence the location where links are created. As os.symlink requires additional privileges, exploits using this vulnerability are more likely to result in escalation of privilege.

Besides applying the fix to CPython, scripts can also ensure that the length of each path argument is less than 260, and if the source is a relative path, that its combination with the destination is also shorter than 260 characters. That is:

import os
def checked_symlink(src, dest):
    # Mitigation from this advisory: every path argument, and a relative src
    # combined with the directory of dest, must stay below 260 characters.
    assert (len(src) < 260 and
            len(dest) < 260 and
            len(os.path.join(os.path.dirname(dest), src)) < 260)
    os.symlink(src, dest)

Scripts that explicitly pass the target_is_directory argument as True are not vulnerable. Scripts on Python 3.5 that use bytes for paths are not vulnerable, because of a combination of stack layout and added parameter validation, but will still not behave correctly for long paths.
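The length check above, written as a reusable validator. This is an added example, not code from the advisory or from CPython: it uses ntpath so the Windows join/dirname semantics apply on any host, resolves a relative src against the directory of dest (the combination the advisory describes), and exposes the guard as a wrapper that passes target_is_directory explicitly. The sample paths are constructed.

```python
import ntpath
import os

# MAX_PATH on Windows; the advisory requires every argument to stay below it.
MAX_PATH = 260


def symlink_paths_are_safe(src, dest):
    """Return True when src/dest satisfy the advisory's length bound.

    ntpath is used deliberately so the check mirrors Windows path handling
    even when this validator is exercised on a non-Windows host.
    """
    if len(src) >= MAX_PATH or len(dest) >= MAX_PATH:
        return False
    # A relative link target is combined with the link's own directory, so
    # that combined length is what must also stay below MAX_PATH.
    if not ntpath.isabs(src):
        combined = ntpath.join(ntpath.dirname(dest), src)
        if len(combined) >= MAX_PATH:
            return False
    return True


def guarded_symlink(src, dest, target_is_directory=False):
    """Create the link only after the length bound has been verified.

    target_is_directory is always passed explicitly, matching the advisory's
    note that scripts which pass it as True are not affected.
    """
    if not symlink_paths_are_safe(src, dest):
        raise ValueError("path argument too long for os.symlink on Windows")
    os.symlink(src, dest, target_is_directory=target_is_directory)


def demo():
    """Constructed inputs (hypothetical paths) showing accept/reject cases."""
    short_dest = r"C:\links\link.txt"
    long_dir = "C:\\" + "d" * 200            # 203 characters, itself legal
    return {
        "short_relative": symlink_paths_are_safe("target.txt", short_dest),
        "long_absolute_src": symlink_paths_are_safe("C:\\" + "x" * 255, short_dest),
        "relative_overflows_when_joined": symlink_paths_are_safe("t" * 100, long_dir + "\\link"),
        "src_at_max_path": symlink_paths_are_safe("s" * 260, short_dest),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Only the relative target that overflows once joined with the link directory, and the 260-character target, are rejected; an absolute target is judged on its own length.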

This vulnerability has been registered as CVE-2018-1000117, and patched in the commits listed below. This patch prevents the buffer overflow, but does not raise any new errors or enable the use of long paths when creating symlinks.

Many thanks to Alexey Izbyshev for the report, and helping us work through developing the patch.

  • Disclosure date: 2018-03-05 (Python issue bpo-33001 reported)
  • Reported at: 2018-02-27 (email to the PSRT)
  • Reported by: Alexey Izbyshev

Fixed In

  • Python 3.4.9 (2018-08-02) fixed by commit 77c02cd (branch 3.4) (2018-05-14)
  • Python 3.5.6 (2018-08-02) fixed by commit f381cfe (branch 3.5) (2018-05-14)
  • Python 3.6.5 (2018-03-28) fixed by commit baa4507 (branch 3.6) (2018-03-05)
  • Python 3.7.0 (2018-06-28) fixed by commit 96fdbac (branch 3.7) (2018-03-05)

Python issue

Buffer overflow vulnerability in os.symlink on Windows (CVE-2018-1000117).

  • Python issue: bpo-33001
  • Creation date: 2018-03-05
  • Reporter: Steve Dower

CVE-2018-1000117

Python Software Foundation CPython version From 3.2 until 3.6.4 on Windows contains a Buffer Overflow vulnerability in os.symlink() function on Windows that can result in Arbitrary code execution, likely escalation of privilege. This attack appears to be exploitable via a python script that creates a symlink with an attacker controlled name or location. This vulnerability appears to have been fixed in 3.7.0 and 3.6.5.

  • CVE ID: CVE-2018-1000117
  • Published: 2018-03-07
  • CVSS Score: 7.2

Timeline

Timeline using the disclosure date 2018-03-05 as reference:

  • 2018-02-27 (-6 days): Reported (email to the PSRT)
  • 2018-03-05: Python issue bpo-33001 reported by Steve Dower
  • 2018-03-05 (+0 days): commit 96fdbac (branch 3.7)
  • 2018-03-05 (+0 days): commit baa4507 (branch 3.6)
  • 2018-03-07 (+2 days): CVE-2018-1000117 published
  • 2018-03-28 (+23 days): Python 3.6.5 released
  • 2018-05-14 (+70 days): commit 77c02cd (branch 3.4)
  • 2018-05-14 (+70 days): commit f381cfe (branch 3.5)
  • 2018-06-28: Python 3.7.0 released
  • 2018-08-02 (+150 days): Python 3.4.9 released
  • 2018-08-02 (+150 days): Python 3.5.6 released

Links

  • https://mail.python.org/mm3/archives/list/security-announce@python.org/thread/PVSURQ2YCNZODILA3QE7ZF3GCD25EVVT/
  • https://www.cvedetails.com/cve/CVE-2018-1000117/
© Copyright 2017, Victor Stinner Revision 12d2d9b4.