[CVE-2024-9287] venv activation scripts do not quote strings properly #124651

Closed
y5c4l3 opened this issue Sep 27, 2024 · 5 comments
Labels
3.9 only security fixes 3.10 only security fixes 3.11 only security fixes 3.12 bugs and security fixes 3.13 bugs and security fixes 3.14 new features, bugs and security fixes topic-venv Related to the venv module type-bug An unexpected behavior, bug, or error type-security A security issue

Comments

y5c4l3 (Contributor) commented Sep 27, 2024

Bug report

Bug description:

Crafted paths break the script templates:

envname='";uname -a;"'
mkdir "$envname"
cd "$envname"
python3 -m venv .
. ./bin/activate
Linux archlinux 6.10.6-arch1-1 #1 SMP PREEMPT_DYNAMIC Mon, 19 Aug 2024 17:02:39 +0000 x86_64 GNU/Linux

Like pypa/virtualenv#2768 the execution path itself is low-risk, but it enables many potential downstream attack vectors. Downstream projects that automatically initialize and activate venv at a controllable path (e.g. read from repo configuration file) could execute unexpected commands.

CPython versions tested on:

3.8, 3.9, 3.10, 3.11, 3.12, 3.13, CPython main branch

Operating systems tested on:

Linux
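The bug report above pastes the environment path straight into a double-quoted shell assignment, so a `"` in the path closes the string and a `;` starts a new command. As an added example (not code from CPython or from the reporter), the following Python mirrors the pre-fix and post-fix rendering of one activate line and checks, the way a reviewer of generated activate scripts might, whether the result is still a single plain assignment. The one-line template strings, the `render_*`, `shell_words`, `is_safe_assignment` and `source_in_sh` helpers and the sample paths are all constructed for this illustration; the real `Lib/venv/scripts/common/activate` has many more lines, and the csh, fish, PowerShell and cmd activation scripts venv also generates have their own quoting rules that this example does not model.

```python
"""Added example (not CPython's or the reporter's code): why an unquoted path
breaks venv's POSIX activate script, and what quoting with shlex.quote() does."""
import os
import shlex
import subprocess
import tempfile

# Assumption: one-line stand-ins for the activate template.  The pre-fix shape
# wraps the placeholder in double quotes; the hardened shape leaves the quoting
# to the generator, which substitutes an already shell-quoted value.
UNQUOTED_TEMPLATE = 'VIRTUAL_ENV="__VENV_DIR__"'
QUOTED_TEMPLATE = 'VIRTUAL_ENV=__VENV_DIR__'


def render_unquoted(env_dir: str) -> str:
    """Vulnerable rendering: the raw path is pasted between double quotes, so
    a '"' in the path closes the string and ';' starts a new command."""
    return UNQUOTED_TEMPLATE.replace('__VENV_DIR__', env_dir)


def render_quoted(env_dir: str) -> str:
    """Hardened rendering: shlex.quote() wraps the path in single quotes (and
    splices in any embedded single quote), so sh treats it as one literal."""
    return QUOTED_TEMPLATE.replace('__VENV_DIR__', shlex.quote(env_dir))


def shell_words(line: str) -> list:
    """Tokenize a line roughly as a POSIX shell does: quotes group, whitespace
    splits, and ';', '|', '&', '(', ')' come out as their own tokens."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def expands_outside_single_quotes(line: str) -> bool:
    """True if a '$' or backtick sits where sh would expand it (anywhere except
    inside '...'); tokenizing alone cannot see that, because "$(id)" is one word."""
    state = None          # None, "'" or '"' for the quoting context we are in
    i = 0
    while i < len(line):
        ch = line[i]
        if state != "'" and ch == '\\':   # backslash escapes the next character
            i += 2
            continue
        if state is None and ch in ("'", '"'):
            state = ch
        elif state == ch:
            state = None
        elif state != "'" and ch in ('$', '`'):
            return True
        i += 1
    return False


def is_safe_assignment(line: str, var: str = 'VIRTUAL_ENV') -> bool:
    """A rendered line is acceptable only if it is exactly one word, that word
    assigns `var`, and nothing in it is subject to expansion."""
    words = shell_words(line)
    return (len(words) == 1
            and words[0].startswith(var + '=')
            and not expands_outside_single_quotes(line))


def source_in_sh(line: str) -> str:
    """Source the rendered line in a real POSIX sh and return its stdout: whatever
    an injected command printed, followed by the final VIRTUAL_ENV value.
    Demo only: needs a `sh` on PATH and is not used by the checks above."""
    with tempfile.NamedTemporaryFile('w', suffix='.sh', delete=False) as f:
        f.write(line + '\n')
    try:
        proc = subprocess.run(
            ['sh', '-c', '. "$1"; printf "%s" "$VIRTUAL_ENV"', 'sh', f.name],
            capture_output=True, text=True, check=False)
        return proc.stdout
    finally:
        os.unlink(f.name)


# Constructed sample paths: the reporter's quote-and-semicolon breakout (with a
# harmless echo instead of uname), a command substitution that the old double
# quotes do not stop, an embedded single quote, and a benign path with a space.
SAMPLES = ['";echo INJECTED;"', '$(id)', "it's a venv", '/home/dev/my venv']

if __name__ == '__main__':
    for path in SAMPLES:
        for label, render in (('unquoted', render_unquoted), ('quoted  ', render_quoted)):
            line = render(path)
            verdict = 'ok' if is_safe_assignment(line) else 'UNSAFE'
            print(f'{label} {verdict:6} {line}')
        print('   sh sees VIRTUAL_ENV =', repr(source_in_sh(render_quoted(path))))
```

The tokenizer check catches the reporter's breakout (the rendered line splits into `VIRTUAL_ENV=`, `;`, `echo`, ...), but a path such as `$(id)` survives the old double quotes as a single word and is only caught by the expansion check, which is why both are needed before calling a line safe. The `source_in_sh` helper is there to confirm against a real shell what the static checks predict; the single-quoted output assigns the path byte for byte, including the embedded `"` and `;`.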

@y5c4l3 y5c4l3 added the type-bug An unexpected behavior, bug, or error label Sep 27, 2024
@sethmlarson sethmlarson added the type-security A security issue label Sep 27, 2024
sethmlarson (Contributor) commented:
Hey @y5c4l3, thanks for reporting this. We're going to treat this as a low-risk security issue. You or anyone else can submit a fix normally. If you have questions about this, send an email to [email protected].

y5c4l3 (Contributor, Author) commented Sep 27, 2024

@sethmlarson Thanks for the reply! Could you please help me with a code review for this PR as well as #124155? The code owner for venv seems to be unavailable recently.

vsajip pushed a commit that referenced this issue Oct 21, 2024
…4712)

This patch properly quotes template strings in `venv` activation
scripts. This mitigates potential command injection.
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Oct 21, 2024
…ythonGH-124712)

This patch properly quotes template strings in `venv` activation
scripts. This mitigates potential command injection.
(cherry picked from commit d48cc82)

Co-authored-by: Y5 <[email protected]>
vsajip pushed a commit that referenced this issue Oct 22, 2024
@vsajip vsajip closed this as completed Oct 22, 2024
gpshead (Member) commented Oct 22, 2024

Can we keep this open until all of the security branch backports are done?

@gpshead gpshead reopened this Oct 22, 2024
ajayk pushed a commit to ajayk/cpython that referenced this issue Oct 24, 2024
…ythonGH-124712)

This patch properly quotes template strings in `venv` activation
scripts. This mitigates potential command injection.

(cherry picked from commit d48cc82)
vstinner pushed a commit to vstinner/cpython that referenced this issue Oct 30, 2024
…ythonGH-124712)

This patch properly quotes template strings in `venv` activation
scripts. This mitigates potential command injection.

(cherry picked from commit d48cc82)
@picnixz picnixz added the topic-venv Related to the venv module label Oct 30, 2024
picnixz (Contributor) commented Oct 30, 2024

We're going to treat this as a low-risk security issue

Do you want to backport it up to 3.9 as well? If so, don't forget to add the backport labels on the PR (for now, we only have 3.12+)

ajayk added a commit to wolfi-dev/os that referenced this issue Nov 1, 2024
ajayk added a commit to wolfi-dev/os that referenced this issue Nov 1, 2024
frenzymadness pushed a commit to frenzymadness/cpython that referenced this issue Nov 4, 2024
vstinner (Member) commented Nov 4, 2024

I close the issue. The fix was applied to all branches.

@vstinner vstinner closed this as completed Nov 4, 2024
ajayk pushed a commit to wolfi-dev/os that referenced this issue Nov 4, 2024
Cherry pick fixes for https://nvd.nist.gov/vuln/detail/CVE-2024-9287
from commits listed here python/cpython#124651

Advisory for the package is here
wolfi-dev/advisories#8825

Signed-off-by: Aditvil-Dev <[email protected]>
frenzymadness pushed a commit to fedora-python/cpython that referenced this issue Nov 5, 2024
mcepl added a commit to openSUSE-Python/cpython that referenced this issue Nov 5, 2024
This patch properly quotes template strings in venv activation
scripts. This mitigates potential command injection.

Fixes: bsc#1232241 (CVE-2024-9287)
Fixes: gh#python#124651
Co-authored-by: y5c4l3 <[email protected]>
Co-authored-by: Victor Stinner <[email protected]>
From-PR: gh#python/cpython!124712
Patch: CVE-2024-9287-venv_path_unquoted.patch
@vstinner vstinner changed the title venv activation scripts do not quote strings properly [CVE-2024-9287] venv activation scripts do not quote strings properly Nov 13, 2024
6 participants