Bug 28729 - python3: information disclosure via pydoc (CVE-2021-3426)
Summary: python3: information disclosure via pydoc (CVE-2021-3426)
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://bugs.python.org/issue42988
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-04-05 19:53 CEST by Jani Välimaa
Modified: 2021-04-15 17:44 CEST (History)
4 users (show)

See Also:
Source RPM: python3-3.8.8-1.mga8.src.rpm
CVE: CVE-2021-3426
Status comment:


Attachments

Description Jani Välimaa 2021-04-05 19:53:36 CEST
Running `pydoc -p` allows other local users to extract arbitrary files.

https://bugs.python.org/issue42988
Comment 1 Lewis Smith 2021-04-05 22:07:37 CEST
Thanks for the alert & URL, Jani.
That has at the end a whole series of what look like "Remove the pydoc getfile feature" commits [?] within a short time.

Assigning to the Python group.

Assignee: bugsquad => python

Comment 2 Nicolas Lécureuil 2021-04-05 23:36:32 CEST
thank you Jani for the update:


src:
    - python3-3.8.9-1.mga8

CC: (none) => mageia
Assignee: python => qa-bugs

David Walser 2021-04-06 01:09:21 CEST

Summary: CVE-2021-3426 python: information disclosure via pydoc => python3: information disclosure via pydoc (CVE-2021-3426)

Comment 3 David Walser 2021-04-06 19:42:26 CEST
Advisory:
========================

Updated python3 packages fixes security vulnerability:

There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers
or is able to convince another local or adjacent user to start a pydoc server
could access the server and use it to disclose sensitive information belonging
to the other user that they would not normally be able to access. The highest
risk of this flaw is to data confidentiality (CVE-2021-3426).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3426
https://bugs.python.org/issue42988
https://bugzilla.redhat.com/show_bug.cgi?id=1935913
========================

Updated packages in core/updates_testing:
========================
python3-3.8.9-1.mga8
tkinter3-apps-3.8.9-1.mga8
libpython3.8-testsuite-3.8.9-1.mga8
python3-docs-3.8.9-1.mga8
libpython3.8-stdlib-3.8.9-1.mga8
tkinter3-3.8.9-1.mga8
libpython3-devel-3.8.9-1.mga8
libpython3.8-3.8.9-1.mga8

from python3-3.8.9-1.mga8.src.rpm
Comment 4 Jani Välimaa 2021-04-08 20:30:48 CEST
Pushed fixed python3 also to mga7 core/updates_testing.

RPMS:
python3-3.7.10-1.1.mga7
lib64python3.7-3.7.10-1.1.mga7
lib64python3.7-stdlib-3.7.10-1.1.mga7
lib64python3.7-testsuite-3.7.10-1.1.mga7
lib64python3-devel-3.7.10-1.1.mga7
python3-docs-3.7.10-1.1.mga7
tkinter3-3.7.10-1.1.mga7
tkinter3-apps-3.7.10-1.1.mga7

SRPMS:
python3-3.7.10-1.1.mga7.src.rpm
David Walser 2021-04-10 01:17:21 CEST

Whiteboard: (none) => MGA7TOO

Comment 5 Len Lawrence 2021-04-15 12:01:10 CEST
Trying this in mga8, x86_64

Before update:
$ pydoc -p 0
Server ready at http://localhost:39031/
Server commands: [b]rowser, [q]uit
server> 

Connected to the server in Firefox at http://localhost:39031/ which provided collections.html, the index page for the python documentation.  That worked very well.

The CVE-2021-3426 exploit at https://bugs.python.org/issue42988 proved to be unworkable.
After logging in to a newly created user in another terminal:
$ pydoc -p 39031
[Errno 98] Address already in use

But maybe the port can be accessed from firefox.  What I hoped was to be able to enter a URI like http://localhost:39031/getfile?key=/home/lcl/.ssh/id_rsa but that failed.
$ firefox &
[1] 3702412
$ Error: Access was denied while trying to open files in your profile directory.

Looks like there is something about new users that I have missed.
~/.mozilla/firefox is empty.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2021-04-15 15:53:26 CEST
Figured out that it had to be a login shell.  After that the test worked perfectly and displayed the other user's private key in the browser window.

Stopped the server.
Updated the eight packages.

$ pydoc -p 39031
Server ready at http://localhost:39031/
Server commands: [b]rowser, [q]uit
server> 

Reloaded the python docs page in firefox.

Moved to the new user's terminal and launched firefox.  Attempted to gain access to the other user's private key and raised an error: "bad pydoc url".
Case closed.

Explored the collections and used the module index.  The latter finds local folders containing references to python such as ~/qa/python.  Very comprehensive listings.

This looks fine for release.

Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK

Comment 7 Len Lawrence 2021-04-15 17:13:31 CEST
mga7, x64

Before update:
$ pydoc -p 0
pydoc server ready at http://localhost:33927/

Index page came up in the browser at the given address.
Created another user.
$ su -l lucy
Password: 
$ firefox &
Browser address = http://localhost:33927/home/lcl/.ssh/authorized_keys
The response was "no Python documentation found for 'home/lcl/.ssh/authorized_keys'" which looks OK.

Slightly different behaviour for the server - no server> prompt and ^C needed to close down.

After updating:
Restarted the http server and confirmed that the python docs were available on port 33927.
Ran the other user test which produced the same error message as before.  This indicates that the application was safe to use before and after the update.

https://techpiezo.com/python/use-python-documentation-generator-pydoc/
$ pydoc3 -w math
wrote math.html
$ firefox file:///home/lcl/math.html 
Displays a list of all functions in the math module in the browser.

 pydoc3 -k math
cmath 
math 
OpenGL_accelerate.buffers_formathandler 
OpenGL_accelerate.formathandler 
OpenGL_accelerate.nones_formathandler 
OpenGL_accelerate.numpy_formathandler 
PIL.ImageMath 
PIL._imagingmath 
matplotlib._mathtext_data - font data tables for truetype and afm computer modern fonts
matplotlib.mathtext - :mod:`~matplotlib.mathtext` is a module for parsing a subset of the
matplotlib.sphinxext.mathmpl 
matplotlib.tests.test_mathtext 
numpy.core._multiarray_umath 
numpy.core._umath_tests 
numpy.core.tests.test_scalarmath 
numpy.core.tests.test_umath 
numpy.core.tests.test_umath_complex 
numpy.core.umath - Create the numpy.core.umath namespace for backward compatibility. In v1.16
numpy.core.umath_tests - Shim for _umath_tests to allow a deprecation period for the new name.
numpy.lib.scimath - Wrapper functions to more user-friendly calling of certain math functions
numpy.linalg._umath_linalg 
OpenGL.arrays.formathandler - Base class for the various Python data-format storage type APIs

$ pydoc3 math
Help on module math:

NAME
    math

MODULE REFERENCE
    https://docs.python.org/3.7/library/math
    
    The following documentation is automatically generated from the Python
    source files.  It may be incomplete, incorrect or include features that
    are considered implementation detail and may vary between Python
    implementations.  When in doubt, consult the module reference at the
    location listed above.

DESCRIPTION
    This module provides access to the mathematical functions
    defined by the C standard.

FUNCTIONS
    acos(x, /)
        Return the arc cosine (measured in radians) of x.
    
    acosh(x, /)
        Return the inverse hyperbolic cosine of x.
.......

This is OK for mga7.  Validating.

Keywords: (none) => validated_update
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
CC: (none) => sysadmin-bugs

Comment 8 Aurelien Oudelet 2021-04-15 17:44:01 CEST
Thanks Len !

CC: (none) => ouaurelien
CVE: (none) => CVE-2021-3426
Keywords: (none) => advisory


Note You need to log in before you can comment on or make changes to this bug.