Python Security

CVE-2018-1000117: Buffer overflow vulnerability in os.symlink on Windows¶

On February 27th, 2018, the Python Security Response team was notified of a buffer overflow issue in the os.symlink() method on Windows. The issue affects all versions of Python between 3.2 and 3.6.4, including the 3.7 beta releases. It has been patched for the next releases of 3.4, 3.5, 3.6 and 3.7.

Scripts may be vulnerable if they call os.symlink() on Windows and an attacker can influence the path of the link being created or of its target. Because creating a symbolic link on Windows normally requires an elevated privilege, a vulnerable script is likely to be running with more rights than the attacker has, so a successful exploit is more likely to result in escalation of privilege.

Besides applying the fix to CPython, scripts can also check that each path argument is shorter than 260 characters (MAX_PATH on Windows) and, if the source is a relative path, that its combination with the destination's directory is also shorter than 260 characters. That is (keep in mind that assert statements are discarded when Python runs with the -O option, so a production guard should raise explicitly):

import os

# Each argument, and the link target resolved relative to the directory that
# will contain the link, must be shorter than MAX_PATH (260 characters).
assert (len(src) < 260 and
        len(dest) < 260 and
        len(os.path.join(os.path.dirname(dest), src)) < 260)
os.symlink(src, dest)

Scripts that explicitly pass the target_is_directory argument as True are not vulnerable. Scripts on Python 3.5 that use bytes for paths are not vulnerable, because of a combination of stack layout and added parameter validation, but will still not behave correctly for long paths.
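The following is an added example, not code from the advisory or from CPython: it turns the length check above into a reusable guard. The names symlink_paths_fit and guarded_symlink and the sample paths are made up for illustration. ntpath is used instead of os.path so that Windows path rules (backslash separators, drive letters, an absolute source replacing the link directory in join()) apply wherever the snippet runs, and the guard raises ValueError rather than relying on assert, which python -O removes.

```python
import ntpath
import os

# Windows MAX_PATH. The limit counts the terminating NUL, so a path has to be
# strictly shorter than this to fit in a MAX_PATH-sized buffer.
MAX_PATH = 260


def symlink_paths_fit(src, dst, limit=MAX_PATH):
    """Return True when src, dst and the link target resolved against the
    link's directory are all strictly shorter than `limit` characters.

    ntpath is used on purpose so Windows path semantics apply on any host.
    A relative src is interpreted relative to the directory holding the link,
    so that combined string is what Windows ends up handling; an absolute src
    is returned unchanged by ntpath.join(), which is the other case the
    advisory's third clause has to cover.
    """
    resolved = ntpath.join(ntpath.dirname(dst), src)
    return len(src) < limit and len(dst) < limit and len(resolved) < limit


def guarded_symlink(src, dst, target_is_directory=False):
    """Hypothetical os.symlink() wrapper (not a CPython API) that refuses
    oversized paths with ValueError instead of an assert that -O strips."""
    if not symlink_paths_fit(src, dst):
        raise ValueError("path or resolved link target is not shorter than "
                         "%d characters" % MAX_PATH)
    os.symlink(src, dst, target_is_directory=target_is_directory)


# Constructed sample paths (not taken from the advisory), one per clause.
SHORT_SRC = "config.ini"
SHORT_DST = r"C:\app\current\config.ini"
LONG_DST = "C:\\" + "a" * 258                   # 261 characters on its own
DEEP_DIR_LINK = "C:\\" + "c" * 100 + "\\link"   # 108 characters
RELATIVE_UP_SRC = "..\\" + "b" * 200            # 203 characters
ABS_SRC = "C:\\" + "d" * 100                    # 103 characters


def demo():
    """Evaluate the guard on the samples; returns a dict of case -> fits."""
    return {
        "short paths": symlink_paths_fit(SHORT_SRC, SHORT_DST),
        "long dst": symlink_paths_fit(SHORT_SRC, LONG_DST),
        # Each argument fits on its own (203 and 108 characters) but the
        # resolved target, 103 + 1 + 203 = 307 characters, does not: this is
        # the case the third clause of the advisory's check exists for.
        "relative src too long once resolved":
            symlink_paths_fit(RELATIVE_UP_SRC, DEEP_DIR_LINK),
        # ntpath.join() drops the link directory when src is absolute, so
        # only src's own length matters here.
        "absolute src": symlink_paths_fit(ABS_SRC, SHORT_DST),
    }


if __name__ == "__main__":
    for case, fits in demo().items():
        print("%-38s %s" % (case, "ok" if fits else "REJECTED"))
```

The guard is deliberately conservative: it rejects any call a patched CPython would also be unable to turn into a working long-path symlink, which matches the advisory's point that the fix stops the overflow but does not enable long paths.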

This vulnerability has been registered as CVE-2018-1000117, and patched in the commits listed below. This patch prevents the buffer overflow, but does not raise any new errors or enable the use of long paths when creating symlinks.

Many thanks to Alexey Izbyshev for the report, and helping us work through developing the patch.

  • Disclosure date: 2018-03-05 (Python issue bpo-33001 reported)
  • Reported at: 2018-02-27 (email to the PSRT)
  • Reported by: Alexey Izbyshev

Fixed In¶

  • Python 3.4.9 (2018-08-02) fixed by commit 77c02cd (branch 3.4) (2018-05-14)
  • Python 3.5.6 (2018-08-02) fixed by commit f381cfe (branch 3.5) (2018-05-14)
  • Python 3.6.5 (2018-03-28) fixed by commit baa4507 (branch 3.6) (2018-03-05)
  • Python 3.7.0 (2018-06-28) fixed by commit 96fdbac (branch 3.7) (2018-03-05)

Vulnerable Versions¶

  • Python 2.7 (listed because no fix was applied to that branch; the advisory scopes the bug to Python 3.2 through 3.6.4, and os.symlink() is not available on Windows in Python 2.7)

Python issue¶

Buffer overflow vulnerability in os.symlink on Windows (CVE-2018-1000117).

  • Python issue: bpo-33001
  • Creation date: 2018-03-05
  • Reporter: Steve Dower

CVE-2018-1000117¶

Python Software Foundation CPython version From 3.2 until 3.6.4 on Windows contains a Buffer Overflow vulnerability in os.symlink() function on Windows that can result in Arbitrary code execution, likely escalation of privilege. This attack appears to be exploitable via a python script that creates a symlink with an attacker controlled name or location. This vulnerability appears to have been fixed in 3.7.0 and 3.6.5.

  • CVE ID: CVE-2018-1000117
  • Published: 2018-03-07

Timeline¶

Timeline using the disclosure date 2018-03-05 as reference:

  • 2018-02-27 (-6 days): Reported (email to the PSRT)
  • 2018-03-05 (+0 days): Python issue bpo-33001 reported by Steve Dower
  • 2018-03-05 (+0 days): commit 6921e73 (branch 3.8)
  • 2018-03-05 (+0 days): commit 96fdbac (branch 3.7)
  • 2018-03-05 (+0 days): commit baa4507 (branch 3.6)
  • 2018-03-07 (+2 days): CVE-2018-1000117 published
  • 2018-03-28 (+23 days): Python 3.6.5 released
  • 2018-05-14 (+70 days): commit 77c02cd (branch 3.4)
  • 2018-05-14 (+70 days): commit f381cfe (branch 3.5)
  • 2018-06-28 (+115 days): Python 3.7.0 released
  • 2018-08-02 (+150 days): Python 3.4.9 released
  • 2018-08-02 (+150 days): Python 3.5.6 released

Links¶

  • https://mail.python.org/mm3/archives/list/security-announce@python.org/thread/PVSURQ2YCNZODILA3QE7ZF3GCD25EVVT/

© Copyright 2017, Victor Stinner Revision eb84f99b.