diff mbox series

[dunfell,v2] python3: fix CVE-2022-42919 local privilege escalation via the multiprocessing forkserver start method

Message ID 20221124122522.38829-1-vkumbhar@mvista.com
State New
Headers show
Series [dunfell,v2] python3: fix CVE-2022-42919 local privilege escalation via the multiprocessing forkserver start method | expand

Commit Message

Vivek Kumbhar Nov. 24, 2022, 12:25 p.m. UTC
From: Vivek Kumbhar <vkumbhar@mvista.com>

Upstream-Status: Backport from https://github.com/python/cpython/commit/eae692eed18892309bcc25a2c0f8980038305ea2

Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
---
 .../python/python3/CVE-2022-42919.patch       | 70 +++++++++++++++++++
 .../recipes-devtools/python/python3_3.10.7.bb |  1 +
 2 files changed, 71 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2022-42919.patch

Comments

Steve Sakoman Nov. 25, 2022, 4:56 p.m. UTC | #1
On Thu, Nov 24, 2022 at 2:25 AM vkumbhar <vkumbhar@mvista.com> wrote:
>
> From: Vivek Kumbhar <vkumbhar@mvista.com>
>
> Upstream-Status: Backport from https://github.com/python/cpython/commit/eae692eed18892309bcc25a2c0f8980038305ea2
>
> Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> ---
>  .../python/python3/CVE-2022-42919.patch       | 70 +++++++++++++++++++
>  .../recipes-devtools/python/python3_3.10.7.bb |  1 +

Dunfell python version is 3.8.14, so this patch will not apply. This
seems to be the same as the patch you sent for kirkstone.  Was this
sent in error?

Steve

>  2 files changed, 71 insertions(+)
>  create mode 100644 meta/recipes-devtools/python/python3/CVE-2022-42919.patch
>
> diff --git a/meta/recipes-devtools/python/python3/CVE-2022-42919.patch b/meta/recipes-devtools/python/python3/CVE-2022-42919.patch
> new file mode 100644
> index 0000000000..6040724dae
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python3/CVE-2022-42919.patch
> @@ -0,0 +1,70 @@
> +From 87ef80926ea0ec960a220af89d8ff4db99417b03 Mon Sep 17 00:00:00 2001
> +From: Vivek Kumbhar <vkumbhar@mvista.com>
> +Date: Thu, 24 Nov 2022 17:44:18 +0530
> +Subject: [PATCH] CVE-2022-42919
> +
> +Upstream-Status: Backport [https://github.com/python/cpython/commit/eae692eed18892309bcc25a2c0f8980038305ea2]
> +CVE: CVE-2022-42919
> +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> +
> +[3.10] gh-97514: Don't use Linux abstract sockets for multiprocessing (GH-98501) (GH-98503)
> +
> +Linux abstract sockets are insecure as they lack any form of filesystem
> +permissions so their use allows anyone on the system to inject code into
> +the process.
> +
> +This removes the default preference for abstract sockets in
> +multiprocessing introduced in Python 3.9+ via
> +https://github.com/python/cpython/pull/18866 while fixing
> +https://github.com/python/cpython/issues/84031.
> +
> +Explicit use of an abstract socket by a user now generates a
> +RuntimeWarning.  If we choose to keep this warning, it should be
> +backported to the 3.7 and 3.8 branches.
> +(cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17)
> +---
> + Lib/multiprocessing/connection.py                 |  5 -----
> + .../2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst | 15 +++++++++++++++
> + 2 files changed, 15 insertions(+), 5 deletions(-)
> + create mode 100644 Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
> +
> +diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
> +index 510e4b5..8e2facf 100644
> +--- a/Lib/multiprocessing/connection.py
> ++++ b/Lib/multiprocessing/connection.py
> +@@ -73,11 +73,6 @@ def arbitrary_address(family):
> +     if family == 'AF_INET':
> +         return ('localhost', 0)
> +     elif family == 'AF_UNIX':
> +-        # Prefer abstract sockets if possible to avoid problems with the address
> +-        # size.  When coding portable applications, some implementations have
> +-        # sun_path as short as 92 bytes in the sockaddr_un struct.
> +-        if util.abstract_sockets_supported:
> +-            return f"\0listener-{os.getpid()}-{next(_mmap_counter)}"
> +         return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir())
> +     elif family == 'AF_PIPE':
> +         return tempfile.mktemp(prefix=r'\\.\pipe\pyc-%d-%d-' %
> +diff --git a/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
> +new file mode 100644
> +index 0000000..02d95b5
> +--- /dev/null
> ++++ b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
> +@@ -0,0 +1,15 @@
> ++On Linux the :mod:`multiprocessing` module returns to using filesystem backed
> ++unix domain sockets for communication with the *forkserver* process instead of
> ++the Linux abstract socket namespace.  Only code that chooses to use the
> ++:ref:`"forkserver" start method <multiprocessing-start-methods>` is affected.
> ++
> ++Abstract sockets have no permissions and could allow any user on the system in
> ++the same `network namespace
> ++<https://man7.org/linux/man-pages/man7/network_namespaces.7.html>`_ (often the
> ++whole system) to inject code into the multiprocessing *forkserver* process.
> ++This was a potential privilege escalation. Filesystem based socket permissions
> ++restrict this to the *forkserver* process user as was the default in Python 3.8
> ++and earlier.
> ++
> ++This prevents Linux `CVE-2022-42919
> ++<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_.
> +--
> +2.25.1
> +
> diff --git a/meta/recipes-devtools/python/python3_3.10.7.bb b/meta/recipes-devtools/python/python3_3.10.7.bb
> index 404a582135..2d230793ef 100644
> --- a/meta/recipes-devtools/python/python3_3.10.7.bb
> +++ b/meta/recipes-devtools/python/python3_3.10.7.bb
> @@ -35,6 +35,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
>             file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \
>             file://deterministic_imports.patch \
>             file://0001-Avoid-shebang-overflow-on-python-config.py.patch \
> +           file://CVE-2022-42919.patch \
>             "
>
>  SRC_URI:append:class-native = " \
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#173744): https://lists.openembedded.org/g/openembedded-core/message/173744
> Mute This Topic: https://lists.openembedded.org/mt/95236618/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Vivek Kumbhar Nov. 25, 2022, 5:38 p.m. UTC | #2
Hi Steve,

This patch was sent in error to dunfell, Please consider the patch sent for
Kirkstone.

Kind regards,
Vivek

On Fri, 25 Nov 2022 at 10:26 PM, Steve Sakoman <steve@sakoman.com> wrote:

> On Thu, Nov 24, 2022 at 2:25 AM vkumbhar <vkumbhar@mvista.com> wrote:
> >
> > From: Vivek Kumbhar <vkumbhar@mvista.com>
> >
> > Upstream-Status: Backport from
> https://github.com/python/cpython/commit/eae692eed18892309bcc25a2c0f8980038305ea2
> >
> > Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> > ---
> >  .../python/python3/CVE-2022-42919.patch       | 70 +++++++++++++++++++
> >  .../recipes-devtools/python/python3_3.10.7.bb |  1 +
>
> Dunfell python version is 3.8.14, so this patch will not apply. This
> seems to be the same as the patch you sent for kirkstone.  Was this
> sent in error?
>
> Steve
>
> >  2 files changed, 71 insertions(+)
> >  create mode 100644
> meta/recipes-devtools/python/python3/CVE-2022-42919.patch
> >
> > diff --git a/meta/recipes-devtools/python/python3/CVE-2022-42919.patch
> b/meta/recipes-devtools/python/python3/CVE-2022-42919.patch
> > new file mode 100644
> > index 0000000000..6040724dae
> > --- /dev/null
> > +++ b/meta/recipes-devtools/python/python3/CVE-2022-42919.patch
> > @@ -0,0 +1,70 @@
> > +From 87ef80926ea0ec960a220af89d8ff4db99417b03 Mon Sep 17 00:00:00 2001
> > +From: Vivek Kumbhar <vkumbhar@mvista.com>
> > +Date: Thu, 24 Nov 2022 17:44:18 +0530
> > +Subject: [PATCH] CVE-2022-42919
> > +
> > +Upstream-Status: Backport [
> https://github.com/python/cpython/commit/eae692eed18892309bcc25a2c0f8980038305ea2
> ]
> > +CVE: CVE-2022-42919
> > +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> > +
> > +[3.10] gh-97514: Don't use Linux abstract sockets for multiprocessing
> (GH-98501) (GH-98503)
> > +
> > +Linux abstract sockets are insecure as they lack any form of filesystem
> > +permissions so their use allows anyone on the system to inject code into
> > +the process.
> > +
> > +This removes the default preference for abstract sockets in
> > +multiprocessing introduced in Python 3.9+ via
> > +https://github.com/python/cpython/pull/18866 while fixing
> > +https://github.com/python/cpython/issues/84031.
> > +
> > +Explicit use of an abstract socket by a user now generates a
> > +RuntimeWarning.  If we choose to keep this warning, it should be
> > +backported to the 3.7 and 3.8 branches.
> > +(cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17)
> > +---
> > + Lib/multiprocessing/connection.py                 |  5 -----
> > + .../2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst | 15 +++++++++++++++
> > + 2 files changed, 15 insertions(+), 5 deletions(-)
> > + create mode 100644
> Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
> > +
> > +diff --git a/Lib/multiprocessing/connection.py
> b/Lib/multiprocessing/connection.py
> > +index 510e4b5..8e2facf 100644
> > +--- a/Lib/multiprocessing/connection.py
> > ++++ b/Lib/multiprocessing/connection.py
> > +@@ -73,11 +73,6 @@ def arbitrary_address(family):
> > +     if family == 'AF_INET':
> > +         return ('localhost', 0)
> > +     elif family == 'AF_UNIX':
> > +-        # Prefer abstract sockets if possible to avoid problems with
> the address
> > +-        # size.  When coding portable applications, some
> implementations have
> > +-        # sun_path as short as 92 bytes in the sockaddr_un struct.
> > +-        if util.abstract_sockets_supported:
> > +-            return f"\0listener-{os.getpid()}-{next(_mmap_counter)}"
> > +         return tempfile.mktemp(prefix='listener-',
> dir=util.get_temp_dir())
> > +     elif family == 'AF_PIPE':
> > +         return tempfile.mktemp(prefix=r'\\.\pipe\pyc-%d-%d-' %
> > +diff --git
> a/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
> b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
> > +new file mode 100644
> > +index 0000000..02d95b5
> > +--- /dev/null
> > ++++
> b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
> > +@@ -0,0 +1,15 @@
> > ++On Linux the :mod:`multiprocessing` module returns to using filesystem
> backed
> > ++unix domain sockets for communication with the *forkserver* process
> instead of
> > ++the Linux abstract socket namespace.  Only code that chooses to use the
> > ++:ref:`"forkserver" start method <multiprocessing-start-methods>` is
> affected.
> > ++
> > ++Abstract sockets have no permissions and could allow any user on the
> system in
> > ++the same `network namespace
> > ++<https://man7.org/linux/man-pages/man7/network_namespaces.7.html>`_
> (often the
> > ++whole system) to inject code into the multiprocessing *forkserver*
> process.
> > ++This was a potential privilege escalation. Filesystem based socket
> permissions
> > ++restrict this to the *forkserver* process user as was the default in
> Python 3.8
> > ++and earlier.
> > ++
> > ++This prevents Linux `CVE-2022-42919
> > ++<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_.
> > +--
> > +2.25.1
> > +
> > diff --git a/meta/recipes-devtools/python/python3_3.10.7.bb
> b/meta/recipes-devtools/python/python3_3.10.7.bb
> > index 404a582135..2d230793ef 100644
> > --- a/meta/recipes-devtools/python/python3_3.10.7.bb
> > +++ b/meta/recipes-devtools/python/python3_3.10.7.bb
> > @@ -35,6 +35,7 @@ SRC_URI = "
> http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
> >
>  file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \
> >             file://deterministic_imports.patch \
> >             file://0001-Avoid-shebang-overflow-on-python-config.py.patch
> \
> > +           file://CVE-2022-42919.patch \
> >             "
> >
> >  SRC_URI:append:class-native = " \
> > --
> > 2.25.1
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#173744):
> https://lists.openembedded.org/g/openembedded-core/message/173744
> > Mute This Topic: https://lists.openembedded.org/mt/95236618/3620601
> > Group Owner: openembedded-core+owner@lists.openembedded.org
> > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> steve@sakoman.com]
> > -=-=-=-=-=-=-=-=-=-=-=-
> >
>
diff mbox series

Patch

diff --git a/meta/recipes-devtools/python/python3/CVE-2022-42919.patch b/meta/recipes-devtools/python/python3/CVE-2022-42919.patch
new file mode 100644
index 0000000000..6040724dae
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2022-42919.patch
@@ -0,0 +1,70 @@ 
+From 87ef80926ea0ec960a220af89d8ff4db99417b03 Mon Sep 17 00:00:00 2001
+From: Vivek Kumbhar <vkumbhar@mvista.com>
+Date: Thu, 24 Nov 2022 17:44:18 +0530
+Subject: [PATCH] CVE-2022-42919
+
+Upstream-Status: Backport [https://github.com/python/cpython/commit/eae692eed18892309bcc25a2c0f8980038305ea2]
+CVE: CVE-2022-42919
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+
+[3.10] gh-97514: Don't use Linux abstract sockets for multiprocessing (GH-98501) (GH-98503)
+
+Linux abstract sockets are insecure as they lack any form of filesystem
+permissions so their use allows anyone on the system to inject code into
+the process.
+
+This removes the default preference for abstract sockets in
+multiprocessing introduced in Python 3.9+ via
+https://github.com/python/cpython/pull/18866 while fixing
+https://github.com/python/cpython/issues/84031.
+
+Explicit use of an abstract socket by a user now generates a
+RuntimeWarning.  If we choose to keep this warning, it should be
+backported to the 3.7 and 3.8 branches.
+(cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17)
+---
+ Lib/multiprocessing/connection.py                 |  5 -----
+ .../2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst | 15 +++++++++++++++
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
+
+diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
+index 510e4b5..8e2facf 100644
+--- a/Lib/multiprocessing/connection.py
++++ b/Lib/multiprocessing/connection.py
+@@ -73,11 +73,6 @@ def arbitrary_address(family):
+     if family == 'AF_INET':
+         return ('localhost', 0)
+     elif family == 'AF_UNIX':
+-        # Prefer abstract sockets if possible to avoid problems with the address
+-        # size.  When coding portable applications, some implementations have
+-        # sun_path as short as 92 bytes in the sockaddr_un struct.
+-        if util.abstract_sockets_supported:
+-            return f"\0listener-{os.getpid()}-{next(_mmap_counter)}"
+         return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir())
+     elif family == 'AF_PIPE':
+         return tempfile.mktemp(prefix=r'\\.\pipe\pyc-%d-%d-' %
+diff --git a/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
+new file mode 100644
+index 0000000..02d95b5
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
+@@ -0,0 +1,15 @@
++On Linux the :mod:`multiprocessing` module returns to using filesystem backed
++unix domain sockets for communication with the *forkserver* process instead of
++the Linux abstract socket namespace.  Only code that chooses to use the
++:ref:`"forkserver" start method <multiprocessing-start-methods>` is affected.
++
++Abstract sockets have no permissions and could allow any user on the system in
++the same `network namespace
++<https://man7.org/linux/man-pages/man7/network_namespaces.7.html>`_ (often the
++whole system) to inject code into the multiprocessing *forkserver* process.
++This was a potential privilege escalation. Filesystem based socket permissions
++restrict this to the *forkserver* process user as was the default in Python 3.8
++and earlier.
++
++This prevents Linux `CVE-2022-42919
++<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_.
+-- 
+2.25.1
+
diff --git a/meta/recipes-devtools/python/python3_3.10.7.bb b/meta/recipes-devtools/python/python3_3.10.7.bb
index 404a582135..2d230793ef 100644
--- a/meta/recipes-devtools/python/python3_3.10.7.bb
+++ b/meta/recipes-devtools/python/python3_3.10.7.bb
@@ -35,6 +35,7 @@  SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \
            file://deterministic_imports.patch \
            file://0001-Avoid-shebang-overflow-on-python-config.py.patch \
+           file://CVE-2022-42919.patch \
            "
 
 SRC_URI:append:class-native = " \