
Added recently disclosed vulnerabilities to the cve directory

Open CharlieZhao95 opened this issue 3 years ago • 11 comments

I've been following Python Security Vulnerability for a long time, it's a very good channel to summarize Python vulnerabilities and solutions. I can find the vulnerability and affected version information in a very convenient way.

I would like to add some recently disclosed vulnerabilities to the cve directory:

  • CVE-2015-20107: Shell injection in mailcap module
  • CVE-2021-28861: Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may lead to information disclosure.
  • CVE-2016-3189: Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.
  • CVE-2018-25032: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

...

I'm not sure if Python-security will continue to be maintained, or if there are other ways to aggregate and notify Python vulnerabilities (I noticed Security-announce, but it doesn't seem to log all vulnerabilities).

I'm glad to do some work for the maintenance of the vulnerability information if needed. @vstinner

CharlieZhao95, Aug 27 '22 03:08

I'm glad to do some work for the maintenance of the vulnerability information if needed. @vstinner

I'm maintaining https://python-security.readthedocs.io/ manually. Do you want to propose a PR to document these 4 vulnerabilities?

vstinner, Aug 31 '22 12:08

Oh, python-security didn't support GitHub issues. I just added support for that in commit 061bf84761170fa7ab722b7c043b5fc1b7808d29.

vstinner, Aug 31 '22 14:08

I'm maintaining https://python-security.readthedocs.io/ manually. Do you want to propose a PR to document these 4 vulnerabilities?

Sure, I would like to learn the workflow of this project first and then try to propose a PR. It won't take long.

CharlieZhao95, Aug 31 '22 15:08

Sure, I would like to learn the workflow of this project first and then try to propose a PR. It won't take long.

Usually, I copy the template at the top of vulnerabilities.yaml and paste it at the end of vulnerabilities.yaml. You must fill in the name, slug, bpo or gh issue number, and the description. If it's already fixed, you can add the commit sha1 in the "fixed-at" field. There are other optional fields like cve and links.

The make update command requires a config.ini configuration file which looks like:

[config]
bpo_username = xxx
bpo_password = xxx
python_srcdir = /home/vstinner/python/main

Python migrated all issues to GitHub, so bpo_username and bpo_password are no longer needed: I will remove them later. Previously, they were required to access the XML-RPC API of Roundup to retrieve information about issues (title, author, date, etc.). Using the GitHub REST API, hopefully anonymous access is enough to retrieve this information!

See also the README.rst file. Maybe I should explain in detail how to add a new vulnerability.

vstinner, Sep 01 '22 08:09
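As an added illustration of the fields listed above (example code, not part of the python-security project), the following Python checks a proposed entry before it is pasted into vulnerabilities.yaml and renders it as a YAML list item. The field names and the YAML layout are assumptions modelled on the thread, not the project's real template; the issue number and commit sha1 in the sample entry are placeholders.

```python
import re

# Field names follow the fields named in the thread (name, slug, bpo/gh issue number,
# description, fixed-at, cve, links). The layout is an assumption for this example;
# copy the real template from the top of vulnerabilities.yaml when contributing.
REQUIRED = ("name", "slug", "description")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
SLUG_RE = re.compile(r"^[a-z0-9][a-z0-9-]*$")

# Constructed sample: the first CVE from the issue, with PLACEHOLDER issue number and
# fix commit (look up the real gh number and sha1 before sending a PR).
MAILCAP = {
    "name": "Shell injection in mailcap module",
    "slug": "mailcap-shell-injection",
    "gh": 99999,  # PLACEHOLDER, not the real GitHub issue number
    "cve": "CVE-2015-20107",
    "description": "Shell injection in mailcap module.\n"
                   "See the CVE entry for the affected versions.",
    "fixed-at": ["0" * 40],  # PLACEHOLDER sha1
    "links": ["https://nvd.nist.gov/vuln/detail/CVE-2015-20107"],
}


def validate_entry(entry):
    """Return a list of problems with a proposed entry (empty list means it looks ok)."""
    problems = []
    for field in REQUIRED:
        if not entry.get(field):
            problems.append(f"missing required field: {field}")
    if not (entry.get("gh") or entry.get("bpo")):
        problems.append("need a gh or bpo issue number")
    if entry.get("slug") and not SLUG_RE.match(entry["slug"]):
        problems.append(f"slug must be lowercase letters, digits and dashes: {entry['slug']!r}")
    if "cve" in entry and not CVE_RE.match(entry["cve"]):
        problems.append(f"malformed CVE id: {entry['cve']!r}")
    for sha in entry.get("fixed-at", []):
        if not SHA1_RE.match(sha):
            problems.append(f"fixed-at must be a full 40-hex commit sha1: {sha!r}")
    for link in entry.get("links", []):
        if not link.startswith("https://"):
            problems.append(f"link is not https: {link!r}")
    return problems


def _scalar(value):
    """Quote a YAML scalar when plain style would be mis-parsed (colons, '#', quotes...)."""
    text = str(value)
    if re.search(r"[:#\[\]{}\"']|^\s|\s$", text):
        return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return text


def render_entry(entry):
    """Render one entry as a YAML list item with a small hand-written emitter (no PyYAML)."""
    lines = [f"- name: {_scalar(entry['name'])}", f"  slug: {_scalar(entry['slug'])}"]
    for key in ("gh", "bpo", "cve"):
        if key in entry:
            lines.append(f"  {key}: {_scalar(entry[key])}")
    lines.append("  description: |")  # block scalar: colons inside are safe here
    lines.extend(f"    {text}" for text in entry["description"].splitlines())
    if entry.get("fixed-at"):
        lines.append("  fixed-at:")
        lines.extend(f"    - {sha}" for sha in entry["fixed-at"])
    if entry.get("links"):
        lines.append("  links:")
        lines.extend(f"    - {link}" for link in entry["links"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    problems = validate_entry(MAILCAP)
    print("\n".join(problems) if problems else render_entry(MAILCAP))
```

Run it with a real entry filled in; an empty problem list means the entry has every field the maintainer asked for and its identifiers have the expected shape, which catches the usual copy-paste slips (abbreviated sha1, CVE id missing a digit group) before review.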

I have a general understanding of the workflow of this project. Maybe I need to update python_releases.txt first, it was last updated 10 months ago, otherwise it will cause an incorrect warning when executing make update.

WARNING: Ignore tag 3.x.x : not released yet

CharlieZhao95, Sep 05 '22 12:09

Maybe I need to update python_releases.txt first

So far, I was too late to automate updating this file. I updated it manually.

vstinner, Sep 08 '22 09:09

So far, I was too late to automate updating this file. I updated it manually.

I also considered if there was a script to automatically update this file when I was learning the project workflow :) It seems that updating the file via the tag information of the CPython repository is a way to go. Maybe I can submit a PR later, it shouldn't be hard.

And I want to sort out some similar questions encountered in the process of work. This will provide convenience for others who want to contribute to this repo.

CharlieZhao95, Sep 08 '22 10:09
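An added example (not code from the repository) of the approach described above: deriving python_releases.txt from the tags of a CPython checkout while leaving alpha, beta and rc tags out, since a final tag that is not in the file is what triggers the "not released yet" warning from make update. The tag listing is a constructed sample of what git prints, and the "X.Y.Z: YYYY-MM-DD" line format of python_releases.txt is an assumption for this example.

```python
import re
import subprocess

FINAL_TAG = re.compile(r"^v(\d+)\.(\d+)\.(\d+)$")
PRERELEASE_TAG = re.compile(r"^v\d+\.\d+\.\d+(?:a|b|rc)\d+$")

# Constructed sample of what "git tag -l --format='%(refname:short) %(taggerdate:short)'"
# prints in a CPython checkout. Dates are illustrative; a lightweight tag has no tagger date.
SAMPLE_TAG_OUTPUT = """\
v3.10.6 2022-08-02
v3.11.0a1 2021-10-05
v3.11.0rc1 2022-08-08
v3.9.13 2022-05-17
v2.7.18 2020-04-20
v3.12.0a1
"""


def list_tags(python_srcdir):
    """Real mode: ask git in the checkout named by python_srcdir in config.ini."""
    cmd = ["git", "-C", python_srcdir, "tag", "-l",
           "--format=%(refname:short) %(taggerdate:short)"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_tags(tag_output):
    """Split a tag listing into final releases and everything else.

    Returns (releases, prereleases): releases is a list of (version, date) sorted
    numerically, so 3.9.x sorts before 3.10.x (a plain string sort gets this wrong);
    prereleases is the list of alpha/beta/rc tags, plus any final tag with no date.
    """
    releases, prereleases = [], []
    for line in tag_output.splitlines():
        parts = line.split()
        if not parts:
            continue
        tag = parts[0]
        tag_date = parts[1] if len(parts) > 1 else None
        match = FINAL_TAG.match(tag)
        if match and tag_date:
            key = tuple(int(n) for n in match.groups())
            releases.append((key, tag[1:], tag_date))
        elif match or PRERELEASE_TAG.match(tag):
            prereleases.append(tag)
    releases.sort()
    return [(version, tag_date) for _, version, tag_date in releases], prereleases


def merge_releases(existing_text, releases):
    """Append final releases missing from python_releases.txt content.

    Existing lines are kept verbatim so a hand-maintained file is never rewritten
    wholesale; returns (new_text, list_of_added_versions).
    """
    lines = [line for line in existing_text.splitlines() if line.strip()]
    known = {line.split(":", 1)[0].strip() for line in lines}
    added = []
    for version, tag_date in releases:
        if version not in known:
            lines.append(f"{version}: {tag_date}")
            added.append(version)
    return "\n".join(lines) + "\n", added


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in list_tags(srcdir) for a real checkout.
    final, pre = parse_tags(SAMPLE_TAG_OUTPUT)
    text, added = merge_releases("2.7.18: 2020-04-20\n3.9.13: 2022-05-17\n", final)
    print(text, "added:", added, "skipped pre-releases:", pre)
```

The numeric sort and the date requirement are the two details worth keeping if this is turned into a real script: tags are dated only when annotated, and an undated or pre-release tag should never land in the file, otherwise the "not released yet" check loses its meaning.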

And I want to sort out some similar questions encountered in the process of work. This will provide convenience for others who want to contribute to this repo.

Please write your questions/notes here ;-)

vstinner, Sep 08 '22 10:09

Does CVE-2023-33595 belong to cpython?

zhuofeng6, Jun 08 '23 06:06

Does CVE-2023-33595 belong to cpython?

This CVE id points to a vulnerability that is awaiting analysis and I don't think it should be documented yet. BTW, the description of the CVE says it affects an alpha version.

CharlieZhao95, Jun 08 '23 08:06

CVE-2023-36632: this CVE seems to concern cpython according to its description, but the community does not seem to mention it.

zhuofeng6, Jun 30 '23 02:06