Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package python39 for openSUSE:Factory 
checked in at 2022-11-05 14:46:31
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python39 (Old)
 and      /work/SRC/openSUSE:Factory/.python39.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python39"

Sat Nov  5 14:46:31 2022 rev:36 rq:1033552 version:3.9.15

Changes:
--------
--- /work/SRC/openSUSE:Factory/python39/python39.changes        2022-10-28 
19:28:38.274362808 +0200
+++ /work/SRC/openSUSE:Factory/.python39.new.2275/python39.changes      
2022-11-05 14:46:34.310524814 +0100
@@ -1,0 +2,8 @@
+Thu Nov  3 21:35:28 UTC 2022 - Matej Cepl <mc...@suse.com>
+
+- Add CVE-2022-42919-loc-priv-mulitproc-forksrv.patch to avoid
+  CVE-2022-42919 (bsc#1204886) avoiding Linux specific local
+  privilege escalation via the multiprocessing forkserver start
+  method.
+
+-------------------------------------------------------------------
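Review bot: the new patch file name spells "multiproc" as "mulitproc" (CVE-2022-42919-loc-priv-mulitproc-forksrv.patch); the spec and the checked-in file use the same spelling so the build is unaffected, but renaming it now, while only this package references it, avoids carrying the typo forward. The entry text "to avoid CVE-2022-42919 (bsc#1204886) avoiding Linux specific local privilege escalation" also doubles the verb; "to avoid CVE-2022-42919 (bsc#1204886), a Linux-specific local privilege escalation via the multiprocessing forkserver start method" reads cleaner.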

New:
----
  CVE-2022-42919-loc-priv-mulitproc-forksrv.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python39.spec ++++++
--- /var/tmp/diff_new_pack.9oGhPr/_old  2022-11-05 14:46:35.170529830 +0100
+++ /var/tmp/diff_new_pack.9oGhPr/_new  2022-11-05 14:46:35.174529853 +0100
@@ -164,6 +164,9 @@
 # PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch 
gh#python/cpython#98366 mc...@suse.com
 # this patch makes things totally awesome
 Patch37:        98437-sphinx.locale._-as-gettext-in-pyspecific.patch
+# PATCH-FIX-UPSTREAM CVE-2022-42919-loc-priv-mulitproc-forksrv.patch 
bsc#1204886 mc...@suse.com
+# Avoid Linux specific local privilege escalation via the multiprocessing 
forkserver start method
+Patch38:        CVE-2022-42919-loc-priv-mulitproc-forksrv.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
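Review bot: the PATCH-FIX-UPSTREAM tag for Patch38 cites only bsc#1204886, whereas the Patch37 line directly above it also carries the upstream reference (gh#python/cpython#98366). The patch header below identifies the upstream issue as gh-97514 (GH-98501), so add `gh#python/cpython#97514` to the tag so that a later maintainer can check whether the fix is already in a newer 3.9.x tarball and drop the patch.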
@@ -424,6 +427,7 @@
 %patch35 -p1
 %patch36 -p1
 %patch37 -p1
+%patch38 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac

++++++ CVE-2022-42919-loc-priv-mulitproc-forksrv.patch ++++++
>From 85178d5849a4d9b5b46e7b91b1ebad7425139b44 Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith" <g...@krypto.org>
Date: Thu, 20 Oct 2022 15:30:09 -0700
Subject: [PATCH] gh-97514: Don't use Linux abstract sockets for
 multiprocessing (GH-98501)

Linux abstract sockets are insecure as they lack any form of filesystem
permissions so their use allows anyone on the system to inject code into
the process.

This removes the default preference for abstract sockets in
multiprocessing introduced in Python 3.9+ via
https://github.com/python/cpython/pull/18866 while fixing
https://github.com/python/cpython/issues/84031.

Explicit use of an abstract socket by a user now generates a
RuntimeWarning.  If we choose to keep this warning, it should be
backported to the 3.7 and 3.8 branches.
(cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17)

Co-authored-by: Gregory P. Smith <g...@krypto.org>
---
 Lib/multiprocessing/connection.py                                       |    5 
---
 Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst |   15 
++++++++++
 2 files changed, 15 insertions(+), 5 deletions(-)
 create mode 100644 
Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst

--- a/Lib/multiprocessing/connection.py
+++ b/Lib/multiprocessing/connection.py
@@ -73,11 +73,6 @@ def arbitrary_address(family):
     if family == 'AF_INET':
         return ('localhost', 0)
     elif family == 'AF_UNIX':
-        # Prefer abstract sockets if possible to avoid problems with the 
address
-        # size.  When coding portable applications, some implementations have
-        # sun_path as short as 92 bytes in the sockaddr_un struct.
-        if util.abstract_sockets_supported:
-            return f"\0listener-{os.getpid()}-{next(_mmap_counter)}"
         return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir())
     elif family == 'AF_PIPE':
         return tempfile.mktemp(prefix=r'\\.\pipe\pyc-%d-%d-' %
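Review bot: the commit message says explicit use of an abstract socket now generates a RuntimeWarning, but this hunk only deletes the abstract-socket preference in arbitrary_address(), and the diffstat lists connection.py with 5 deletions and no insertions, so the warning is not part of this backport; either trim the message to what was actually cherry-picked or add the missing hunk. Removing this branch also drops the only visible use of util.abstract_sockets_supported and _mmap_counter in this function; check whether _mmap_counter and the os import are still used elsewhere in the module, otherwise they become dead code. Finally, the remaining fallback `return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir())` is only as safe as the directory util.get_temp_dir() returns: the security argument (filesystem permissions restrict the socket to the process user) depends on that directory being created private to the user, which is worth confirming in review rather than assuming.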
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
@@ -0,0 +1,15 @@
+On Linux the :mod:`multiprocessing` module returns to using filesystem backed
+unix domain sockets for communication with the *forkserver* process instead of
+the Linux abstract socket namespace.  Only code that chooses to use the
+:ref:`"forkserver" start method <multiprocessing-start-methods>` is affected.
+
+Abstract sockets have no permissions and could allow any user on the system in
+the same `network namespace
+<https://man7.org/linux/man-pages/man7/network_namespaces.7.html>`_ (often the
+whole system) to inject code into the multiprocessing *forkserver* process.
+This was a potential privilege escalation. Filesystem based socket permissions
+restrict this to the *forkserver* process user as was the default in Python 3.8
+and earlier.
+
+This prevents Linux `CVE-2022-42919
+<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_.
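Review bot: the NEWS entry states that only code using the "forkserver" start method is affected, but the code change is in the generic arbitrary_address(family) helper in connection.py, which handles AF_INET and AF_PIPE branches as well and is not forkserver-specific; if other callers on Linux also obtained abstract-namespace addresses from it, the note understates the scope, so either say that any listener relying on that helper returns to filesystem sockets or explain why only forkserver reached the abstract-socket path. It would also help to state what happens to code that explicitly passes a "\0"-prefixed address, since the commit message mentions a RuntimeWarning that the diff here does not contain.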
