CVE-2020-8315: Unsafe DLL loading in getpathp.c on Windows 7

At Python startup, api-ms-win-core-path-l1-1-0.dll is loaded with LoadLibraryW() without LOAD_LIBRARY_SEARCH_xxx flags.

Python 3.5 and older are not affected.

Dates:

• Disclosure date: 2020-01-21 (Python issue bpo-39401 reported)

Fixed In

• Python 3.6.11 (2020-06-27) fixed by commit 51332c4 (branch 3.6) (2020-01-31)
• Python 3.7.7 (2020-03-10) fixed by commit 561c597 (branch 3.7) (2020-01-30)
• Python 3.8.2 (2020-02-24) fixed by commit ad4a20b (branch 3.8) (2020-01-30)
• Python 3.9.0 (2020-10-05) fixed by commit 6a65eba (branch 3.9) (2020-01-29)

Python issue

[CVE-2020-8315] Unsafe dll loading in getpathp.c on Win7.

• Python issue: bpo-39401
• Creation date: 2020-01-21
• Reporter: Anthony Wee

CVE-2020-8315

In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker’s copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system’s copy. Windows 8 and later are unaffected.

• CVE ID: CVE-2020-8315
• Published: 2020-01-28
• CVSS Score: 4.3

Timeline

Timeline using the disclosure date 2020-01-21 as reference:

• 2020-01-21: Python issue bpo-39401 reported by Anthony Wee
• 2020-01-28 (+7 days): CVE-2020-8315 published
• 2020-01-29 (+8 days): commit 6a65eba (branch 3.9)
• 2020-01-30 (+9 days): commit 561c597 (branch 3.7)
• 2020-01-30 (+9 days): commit ad4a20b (branch 3.8)
• 2020-01-31 (+10 days): commit 51332c4 (branch 3.6)
• 2020-02-24 (+34 days): Python 3.8.2 released
• 2020-03-10 (+49 days): Python 3.7.7 released
• 2020-06-27 (+158 days): Python 3.6.11 released
• 2020-10-05: Python 3.9.0 released