[CVE-2020-15523] _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath
CVE-2020-15523 is an invalid DLL search path in Python 3.6 and later on Windows. It occurs during Py_Initialize(), when the runtime attempts to pre-load python3.dll. If Py_SetPath() has been called, the expected location of python3.dll is never set, so the loader searches other locations on the user's system and may pick up a Trojan horse python3.dll instead of the application's own copy.
This issue is not triggered when running python.exe. It only applies when CPython has been embedded in another application.
The next patched releases will be: 3.9.0b5, 3.8.4, 3.7.9 (source only), 3.6.12 (source only).
Other than applying the patch, applications may mitigate the vulnerability by explicitly calling LoadLibrary() on their own copy of python3.dll before calling Py_Initialize(). Even with the patch applied, applications should ship a copy of python3.dll alongside their main Python DLL (python3X.dll).
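The following is an added example of that mitigation in an embedding host; it is illustrative code, not from CPython or the advisory. It resolves the host module's own directory, builds the absolute path of python3.dll next to it, loads that path (never a bare file name, which would go through the default DLL search order), and only then calls Py_SetPath() and Py_Initialize(). Because a DLL that is already mapped into the process is returned by LoadLibrary by name without any search, the runtime's later attempt to load python3.dll cannot wander off elsewhere. The path helper is portable; the Windows-specific part is under `#ifdef _WIN32`. The layout (python3.dll beside the host .exe, an assumed stdlib directory for Py_SetPath) and the Python.h include path are assumptions of the example.

```c
/*
 * Added example (not CPython's or the advisory's code): pre-load python3.dll
 * from the host application's own directory before Py_Initialize().
 *
 * Portable part: build "<dir of our module>\python3.dll".
 * Windows part (#ifdef _WIN32): resolve the host module path, LoadLibrary the
 * DLL by absolute path, then Py_SetPath() / Py_Initialize().
 */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <Python.h>   /* assumes the CPython include directory is configured */
#endif

/* Length of the directory prefix of a path, including the trailing
 * separator. Returns 0 when the path has no separator: a bare file name
 * would be resolved through the default DLL search order, which is exactly
 * what this mitigation has to avoid, so callers treat 0 as failure. */
static size_t dir_prefix_len(const char *path)
{
    size_t n = strlen(path);
    while (n > 0) {
        char c = path[n - 1];
        if (c == '\\' || c == '/')
            return n;
        n--;
    }
    return 0;
}

/* Build "<directory of module_path>python3.dll" into out.
 * Returns 1 on success, 0 if module_path has no directory component or the
 * result would not fit. Only this fully qualified path is ever handed to
 * LoadLibrary, so the loader cannot fall back to the current directory,
 * PATH, or any other search location. */
int python3_dll_path(const char *module_path, char *out, size_t outlen)
{
    static const char name[] = "python3.dll";
    size_t dlen = dir_prefix_len(module_path);
    if (dlen == 0)
        return 0;
    if (dlen + sizeof name > outlen)   /* sizeof name includes the NUL */
        return 0;
    memcpy(out, module_path, dlen);
    memcpy(out + dlen, name, sizeof name);
    return 1;
}

#ifdef _WIN32
/* Pin python3.dll before the runtime gets a chance to look for it. */
static HMODULE preload_python3_dll(void)
{
    char module[MAX_PATH];
    char dll[MAX_PATH + 16];
    /* NULL = the module of the current process (the host .exe). If python3X.dll
     * ships in a subdirectory instead, pass that module's handle here. */
    DWORD n = GetModuleFileNameA(NULL, module, sizeof module);
    if (n == 0 || n >= sizeof module)
        return NULL;
    if (!python3_dll_path(module, dll, sizeof dll))
        return NULL;
    /* Absolute path: used verbatim. LOAD_WITH_ALTERED_SEARCH_PATH also makes
     * python3.dll's own dependency (python3X.dll) resolve from that directory. */
    return LoadLibraryExA(dll, NULL, LOAD_WITH_ALTERED_SEARCH_PATH);
}

int main(void)
{
    if (preload_python3_dll() == NULL) {
        fprintf(stderr, "python3.dll not found beside the host executable\n");
        return 1;
    }
    /* Assumed layout for this example: embedded stdlib in C:\App\lib. */
    Py_SetPath(L"C:\\App\\lib");
    Py_Initialize();
    PyRun_SimpleString("import sys; print(sys.version)");
    Py_Finalize();
    return 0;
}
#endif
```

A quick check that the mitigation took effect is to run the host under a DLL-load tracer and confirm that the only python3.dll mapped into the process is the one in the application directory; a load from any other path means the pre-load ran too late or resolved the wrong module.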
Thanks to Eric Gantumur for detecting and reporting the issue to the Python Security Response Team.
Python issue https://bugs.python.org/issue41304 fixed a regression introduced by the fix for this vulnerability.
The original discovery credit goes to Eran Shimony and Ido Hoorvitch from CyberArk.
- Disclosure date: 2017-03-10 (Python issue bpo-29778 reported)
- Reported at: 2020-06-24 (email to PSRT)
- Reported by: Erdenebat (Eric) Gantumur
- Python 3.6 (need release)
- Python 3.7 (need release)
[CVE-2020-15523] _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath.
- Python issue: bpo-29778
- Creation date: 2017-03-10
- Reporter: Tibor Csonka
In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for python3.dll loading (after Py_SetPath has been used). NOTE: this issue CANNOT occur when using python.exe from a standard (non-embedded) Python installation on Windows.
Timeline using the disclosure date 2017-03-10 as reference:
- 2017-03-10: Python issue bpo-29778 reported by Tibor Csonka
- 2020-06-24 (+1202 days): Reported (email to PSRT)
- 2020-07-04 (+1212 days): CVE-2020-15523 published
- 2020-07-06 (+1214 days): commit 110dd15 (branch 3.7)
- 2020-07-06 (+1214 days): commit 46cbf61 (branch 3.6)
- 2020-07-06 (+1214 days): commit 4981fe3 (branch 3.9)
- 2020-07-06 (+1214 days): commit aa7f775 (branch 3.8)
- 2020-07-06 (+1214 days): commit dcbaa1b (branch 3.1)
- 2020-07-13 (+1221 days): Python 3.8.4 released
- 2020-08-04 (+1243 days): commit f205f10 (branch 3.5)
- 2020-09-05 (+1275 days): Python 3.5.10 released