Running `pydoc -p` allows other local users to extract arbitrary files. https://bugs.python.org/issue42988
Thanks for the alert & URL, Jani. That has at the end a whole series of what look like "Remove the pydoc getfile feature" commits [?] within a short time. Assigning to the Python group.
Assignee: bugsquad => python
Thank you Jani for the update:

src:
- python3-3.8.9-1.mga8

Assignee: python => qa-bugs
CC: (none) => mageia
Summary: CVE-2021-3426 python: information disclosure via pydoc => python3: information disclosure via pydoc (CVE-2021-3426)
Advisory:
========================

Updated python3 packages fix security vulnerability:

There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality (CVE-2021-3426).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3426
https://bugs.python.org/issue42988
https://bugzilla.redhat.com/show_bug.cgi?id=1935913
========================

Updated packages in core/updates_testing:
========================
python3-3.8.9-1.mga8
tkinter3-apps-3.8.9-1.mga8
libpython3.8-testsuite-3.8.9-1.mga8
python3-docs-3.8.9-1.mga8
libpython3.8-stdlib-3.8.9-1.mga8
tkinter3-3.8.9-1.mga8
libpython3-devel-3.8.9-1.mga8
libpython3.8-3.8.9-1.mga8

from python3-3.8.9-1.mga8.src.rpm

Pushed fixed python3 also to mga7 core/updates_testing.

RPMS:
python3-3.7.10-1.1.mga7
lib64python3.7-3.7.10-1.1.mga7
lib64python3.7-stdlib-3.7.10-1.1.mga7
lib64python3.7-testsuite-3.7.10-1.1.mga7
lib64python3-devel-3.7.10-1.1.mga7
python3-docs-3.7.10-1.1.mga7
tkinter3-3.7.10-1.1.mga7
tkinter3-apps-3.7.10-1.1.mga7

SRPMS:
python3-3.7.10-1.1.mga7.src.rpm
Whiteboard: (none) => MGA7TOO
Trying this in mga8, x86_64

Before update:
$ pydoc -p 0
Server ready at http://localhost:39031/
Server commands: [b]rowser, [q]uit
server>

Connected to the server in Firefox at http://localhost:39031/ which provided collections.html, the index page for the python documentation. That worked very well.

The CVE-2021-3426 exploit at https://bugs.python.org/issue42988 proved to be unworkable.
After logging in to a newly created user in another terminal:
$ pydoc -p 39031
[Errno 98] Address already in use

But maybe the port can be accessed from firefox. What I hoped was to be able to enter a URI like
http://localhost:39031/getfile?key=/home/lcl/.ssh/id_rsa
but that failed.
$ firefox &
[1] 3702412
$ Error: Access was denied while trying to open files in your profile directory.

Looks like there is something about new users that I have missed. ~/.mozilla/firefox is empty.
CC: (none) => tarazed25
Figured out that it had to be a login shell. After that the test worked perfectly and displayed the other user's private key in the browser window.

Stopped the server. Updated the eight packages.
$ pydoc -p 39031
Server ready at http://localhost:39031/
Server commands: [b]rowser, [q]uit
server>

Reloaded the python docs page in firefox.
Moved to the new user's terminal and launched firefox. Attempted to gain access to the other user's private key and raised an error: "bad pydoc url". Case closed.

Explored the collections and used the module index. The latter finds local folders containing references to python such as ~/qa/python. Very comprehensive listings.

This looks fine for release.
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK
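Added example, not part of the bug thread: the before/after check from the comment above can be run in-process against the interpreter's own pydoc, with no second user account or browser. It calls `pydoc._url_handler`, the private function the pydoc HTTP server uses to answer each request; `getfile_exposed` and `rejects_getfile` are hypothetical names, and the file read is a throwaway canary the script creates itself.

```python
import os
import pydoc
import secrets
import tempfile


def getfile_exposed():
    """Return True if this interpreter's pydoc still serves getfile?key=<path>."""
    # Constructed canary: a throwaway file whose content is a random marker.
    marker = "canary-" + secrets.token_hex(16)
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(marker + "\n")
        # Same URL form as in the report, without the host part.
        page = pydoc._url_handler("getfile?key=" + path, "text/html")
    finally:
        os.unlink(path)
    # The marker is only in the file body, never in the path, so finding it
    # in the page means the handler read the file and returned its contents.
    return marker in page


def rejects_getfile():
    """Return True if the handler answers with the 'bad pydoc url' error page."""
    page = pydoc._url_handler("getfile?key=/nonexistent/canary", "text/html")
    return "bad pydoc url" in page


if __name__ == "__main__":
    if getfile_exposed():
        print("VULNERABLE: pydoc returns file contents via getfile")
    elif rejects_getfile():
        print("patched: getfile requests get 'bad pydoc url'")
    else:
        print("getfile not served, but the error text differs")
```
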
mga7, x64

Before update:
$ pydoc -p 0
pydoc server ready at http://localhost:33927/

Index page came up in the browser at the given address.
Created another user.
$ su -l lucy
Password:
$ firefox &
Browser address = http://localhost:33927/home/lcl/.ssh/authorized_keys
The response was "no Python documentation found for 'home/lcl/.ssh/authorized_keys'" which looks OK.
Slightly different behaviour for the server - no server> prompt and ^C needed to close down.

After updating:
Restarted the http server and confirmed that the python docs were available on port 33927.
Ran the other user test which produced the same error message as before.
This indicates that the application was safe to use before and after the update.

https://techpiezo.com/python/use-python-documentation-generator-pydoc/
$ pydoc3 -w math
wrote math.html
$ firefox file:///home/lcl/math.html
Displays a list of all functions in the math module in the browser.

$ pydoc3 -k math
cmath
math
OpenGL_accelerate.buffers_formathandler
OpenGL_accelerate.formathandler
OpenGL_accelerate.nones_formathandler
OpenGL_accelerate.numpy_formathandler
PIL.ImageMath
PIL._imagingmath
matplotlib._mathtext_data - font data tables for truetype and afm computer modern fonts
matplotlib.mathtext - :mod:`~matplotlib.mathtext` is a module for parsing a subset of the
matplotlib.sphinxext.mathmpl
matplotlib.tests.test_mathtext
numpy.core._multiarray_umath
numpy.core._umath_tests
numpy.core.tests.test_scalarmath
numpy.core.tests.test_umath
numpy.core.tests.test_umath_complex
numpy.core.umath - Create the numpy.core.umath namespace for backward compatibility. In v1.16
numpy.core.umath_tests - Shim for _umath_tests to allow a deprecation period for the new name.
numpy.lib.scimath - Wrapper functions to more user-friendly calling of certain math functions
numpy.linalg._umath_linalg
OpenGL.arrays.formathandler - Base class for the various Python data-format storage type APIs

$ pydoc3 math
Help on module math:

NAME
    math

MODULE REFERENCE
    https://docs.python.org/3.7/library/math

    The following documentation is automatically generated from the Python
    source files. It may be incomplete, incorrect or include features that
    are considered implementation detail and may vary between Python
    implementations. When in doubt, consult the module reference at the
    location listed above.

DESCRIPTION
    This module provides access to the mathematical functions
    defined by the C standard.

FUNCTIONS
    acos(x, /)
        Return the arc cosine (measured in radians) of x.

    acosh(x, /)
        Return the inverse hyperbolic cosine of x.
.......

This is OK for mga7. Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Thanks Len !
CVE: (none) => CVE-2021-3426
Keywords: (none) => advisory
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0193.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Fedora has issued an advisory for this on April 10: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/25HVHLBGO2KNPXJ3G426QEYSSCECJDU5/
This update also fixed CVE-2021-4189: https://www.debian.org/lts/security/2022/dla-2919 https://bugs.python.org/issue43285