CVE-2020-8315: Unsafe DLL loading in getpathp.c on Windows 7
At Python startup, PC/getpathp.c loads api-ms-win-core-path-l1-1-0.dll with LoadLibraryW() and no LOAD_LIBRARY_SEARCH_xxx flags, so the loader walks the default DLL search order (application directory, system directories, current directory, then PATH). On Windows 8 and later the name is an API set that the loader resolves internally, but on Windows 7 no such DLL exists, so a copy planted by an attacker in any searched directory (for example next to python.exe or in the current directory) is loaded and its DllMain runs inside the interpreter process. The fix loads the DLL with LoadLibraryExW() and LOAD_LIBRARY_SEARCH_SYSTEM32, which restricts the search to %SystemRoot%\System32 and fails closed when the DLL is absent.
Python 3.5 and older are not affected.
- Disclosure date: 2020-01-21 (Python issue bpo-39401 reported)
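The two load patterns side by side, plus the version check a practitioner would run on a Windows 7 host. This is an added example and not code from CPython or from this advisory; the affected ranges are the ones listed on this page, the LOAD_LIBRARY_SEARCH_SYSTEM32 value (0x800) is the documented LoadLibraryEx flag, and the DLL name is the one named above. The getpathp.c code is C; the example reproduces the pre-fix and post-fix calls through ctypes so they can be tried from Python.

```python
import sys

# First fixed micro release per branch, taken from the "Fixed In" list:
# 3.6.11, 3.7.7, 3.8.2. 3.5 and older never loaded the DLL, and the 3.9
# branch was fixed before 3.9.0 shipped, so only these three ranges count.
FIXED_IN_MICRO = {(3, 6): 11, (3, 7): 7, (3, 8): 2}

# Documented LoadLibraryEx flag: search only %SystemRoot%\System32.
LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x00000800

# The DLL named in the advisory.
PATH_API_DLL = "api-ms-win-core-path-l1-1-0.dll"


def is_affected_version(version):
    """True if a CPython (major, minor, micro) tuple is in an affected range."""
    major, minor, micro = version[:3]
    fixed_micro = FIXED_IN_MICRO.get((major, minor))
    if fixed_micro is None:
        return False
    return micro < fixed_micro


def is_windows7(winver):
    """Windows 7 and Server 2008 R2 report NT version 6.1; 8 and later are unaffected."""
    return tuple(winver[:2]) == (6, 1)


def is_affected(version, winver):
    """Vulnerable only when both the interpreter version and the OS match."""
    return is_affected_version(version) and is_windows7(winver)


def running_interpreter_affected():
    """Evaluate the check for the interpreter running this script."""
    if sys.platform != "win32":
        return False
    wv = sys.getwindowsversion()
    return is_affected(tuple(sys.version_info[:3]), (wv.major, wv.minor))


def load_path_api_dll(hardened=True):
    """Windows only: load the DLL the pre-fix way or the post-fix way.

    Returns (handle, last_error). handle is None on failure. On Windows 7 the
    hardened call is expected to fail (ERROR_MOD_NOT_FOUND, 126): the DLL is
    not in System32 there, and failing closed is the point of the fix.
    """
    import ctypes
    from ctypes import wintypes

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    if hardened:
        # Post-fix pattern: LoadLibraryExW + LOAD_LIBRARY_SEARCH_SYSTEM32.
        fn = k32.LoadLibraryExW
        fn.argtypes = [wintypes.LPCWSTR, wintypes.HANDLE, wintypes.DWORD]
        fn.restype = wintypes.HMODULE
        handle = fn(PATH_API_DLL, None, LOAD_LIBRARY_SEARCH_SYSTEM32)
    else:
        # Pre-fix pattern: plain LoadLibraryW with the default search order
        # (app dir, system dirs, current dir, PATH): a planted DLL wins on Win7.
        fn = k32.LoadLibraryW
        fn.argtypes = [wintypes.LPCWSTR]
        fn.restype = wintypes.HMODULE
        handle = fn(PATH_API_DLL)
    if not handle:
        return None, ctypes.get_last_error()
    return handle, 0


if __name__ == "__main__":
    print("running interpreter affected:", running_interpreter_affected())
```

Two caveats when trying the hardened call on Windows 7: the LOAD_LIBRARY_SEARCH_* flags need the KB2533623 loader update installed, otherwise LoadLibraryExW rejects them with ERROR_INVALID_PARAMETER (87); and a NULL handle with error 126 is the correct, safe result there, not a bug. The unhardened branch performs the same load the vulnerable releases did, so only run it on a host where you control every directory on the search path.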
Fixed In
- Python 3.6.11 (2020-06-27) fixed by commit 51332c4 (branch 3.6) (2020-01-31)
- Python 3.7.7 (2020-03-10) fixed by commit 561c597 (branch 3.7) (2020-01-30)
- Python 3.8.2 (2020-02-24) fixed by commit ad4a20b (branch 3.8) (2020-01-30)
- Python 3.9.0 (2020-10-05) fixed by commit 6a65eba (branch 3.9) (2020-01-29)
Python issue
[CVE-2020-8315] Unsafe dll loading in getpathp.c on Win7.
- Python issue: bpo-39401
- Creation date: 2020-01-21
- Reporter: Anthony Wee
CVE-2020-8315
In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker’s copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system’s copy. Windows 8 and later are unaffected.
- CVE ID: CVE-2020-8315
- Published: 2020-01-28
- CVSS Score: 5.0
Timeline
Timeline using the disclosure date 2020-01-21 as reference:
- 2020-01-21: Python issue bpo-39401 reported by Anthony Wee
- 2020-01-28 (+7 days): CVE-2020-8315 published
- 2020-01-29 (+8 days): commit 6a65eba (branch 3.9)
- 2020-01-30 (+9 days): commit 561c597 (branch 3.7)
- 2020-01-30 (+9 days): commit ad4a20b (branch 3.8)
- 2020-01-31 (+10 days): commit 51332c4 (branch 3.6)
- 2020-02-24 (+34 days): Python 3.8.2 released
- 2020-03-10 (+49 days): Python 3.7.7 released
- 2020-06-27 (+158 days): Python 3.6.11 released
- 2020-10-05 (+258 days): Python 3.9.0 released