The Python Software Foundation (PSF) has rushed out Python 3.9.2 and 3.8.8 to address two notable security flaws, including one that is remotely exploitable but in practical terms can only be used to knock a machine offline.
PSF is urging its legion of Python users to upgrade systems to Python 3.8.8 or 3.9.2, in particular to address the remote code execution (RCE) vulnerability that’s tracked as CVE-2021-3177.
The project expedited the release after receiving unexpected pressure from some users who were concerned over the security flaw.
“Since the announcement of the release candidates for 3.9.2 on 3.8.8, we received a number of inquiries from end users urging us to expedite the final releases due to the security content, especially CVE-2021-3177,” said the Python release team.
“This took us somewhat by surprise since we believed security content is cherry-picked by downstream distributors from source either way, and the RC releases provide installers for everybody else interested in upgrading in the meantime,” PSF said.
“It turns out that release candidates are mostly invisible to the community and in many cases cannot be used due to upgrade processes which users have in place.”
Python 3.x through to 3.9.1 has a buffer overflow in PyCArg_repr in ctypes/callproc.c, which may lead to remote code execution.
It affects Python applications that “accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param.”
The bug occurs because “sprintf” is used unsafely. The impact is broad because Python is pre-installed with multiple Linux distributions and Windows 10.
Various Linux distributions, such as Debian, have been backporting the security patches to ensure the built-in versions of Python are shielded.
The vulnerability is a common memory flaw. Per RedHat, a stack-based buffer overflow in Python’s ctypes module improperly validated the input passed to it, “which would allow an attacker to overflow a buffer on the stack and crash the application.”
While a remote code execution vulnerability is bad news, RedHat notes that the “highest threat from this vulnerability is to system availability.” In other words, an attacker would likely only be able to pull off a denial of service attack.
“Our understanding is that while the CVE is listed as “remote code execution”, practical exploits of this vulnerability as such are very unlikely due the following conditions needing to be met for successful RCE,” said the PSF.
“To be sure, denial of service through malicious input is also a serious issue. Thus, to help the community members for whom the release candidate was insufficient, we are releasing the final versions of 3.9.2 and 3.8.8 today,” the organization added.
The other flaw is tracked as CVE-2021-23336 and concerns a web cache poisoning vulnerability by “defaulting the query args separator to &, and allowing the user to choose a custom separator.”