Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:sentry-python
User: [email protected]
Usertags: pu
[ Reason ]
sentry-python is affected by CVE-2024-40647 (Bug#1083189).
The subprocess integration incorrectly treats an explicitly empty environment
(env={}) as if no environment had been provided. As a result, when Sentry
injects tracing environment variables into a subprocess call, it can copy the
parent process environment into the child process instead of preserving
the explicitly empty environment.
This issue is marked no-dsa in the security tracker so this update is intended
for the next bookworm point release rather than security.debian.org.
[ Impact ]
Applications using sentry-python's subprocess integration may expose the parent
process's environment variables to child processes when calling
subprocess.Popen() (or related helpers) with env={}. Depending on the
application, that environment may contain sensitive values such as tokens or
credentials.
If this update is not approved, bookworm will remain affected by CVE-2024-40647.
[ Tests ]
The upstream regression test for this issue is included in the patch. It checks
that a subprocess started with env={} does not include any variables from the
parent process environment.
The package was rebuilt successfully in a clean bookworm environment. The
cherry-picked patch from upstream also includes a minimal test-suite for
the new behaviour.
[ Risks ]
The added patch is both small and targeted. It changes the fallback condition
from truthiness checking to an explicit None check:
dict(x or os.environ)
becomes:
dict(x if x is not None else os.environ)
This preserves the previous behaviour when no env argument is provided while
correctly allowing explicitly empty environments.
The regression risk is low. The changed code only affects subprocess
environment handling in the Sentry stdlib integration.
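As an added illustration of the fallback change described above (example code, not part of the debdiff or of sentry-python itself), the following Python mirrors the integration's env handling with both the old `x or os.environ` fallback and the fixed `is not None` check, injects a SUBPROCESS_ trace variable, and spawns a real child to show which variant leaks a parent-only marker variable. The trace header value and the marker name are constructed for the example.

```python
import os
import subprocess
import sys

# Trace header Sentry would propagate into the child; value constructed here.
TRACE_HEADERS = {"sentry-trace": "0123456789abcdef0123456789abcdef-0123456789abcdef-1"}
MARKER = "EXAMPLE_PARENT_SECRET"  # constructed parent-only variable used to detect a leak


def resolve_env_vulnerable(env):
    """Pre-fix fallback, dict(x or os.environ): an empty dict is falsy,
    so env={} is silently replaced by a copy of the parent environment."""
    return dict(env or os.environ)


def resolve_env_fixed(env):
    """Fixed fallback: only env=None falls back to os.environ."""
    return dict(env if env is not None else os.environ)


def inject_trace_env(env, resolve):
    """Builds the child environment the way the stdlib integration does:
    resolve the caller's env, then add SUBPROCESS_<HEADER> entries."""
    child_env = resolve(env)
    for k, v in TRACE_HEADERS.items():
        child_env["SUBPROCESS_" + k.upper().replace("-", "_")] = v
    return child_env


def leaked_parent_keys(env, resolve):
    """Parent-environment keys that reach the child for the given env
    argument; an empty set means nothing leaked."""
    os.environ[MARKER] = "s3cr3t"  # constructed secret, removed in finally
    try:
        return set(inject_trace_env(env, resolve)) & set(os.environ)
    finally:
        del os.environ[MARKER]


def child_sees_marker(env, resolve):
    """Spawns a real Python child with the computed env and reports whether
    the parent-only marker is visible to it (sys.executable is absolute,
    so the child starts even with an otherwise empty environment)."""
    os.environ[MARKER] = "s3cr3t"
    try:
        child_env = inject_trace_env(env, resolve)
    finally:
        del os.environ[MARKER]
    out = subprocess.check_output(
        [sys.executable, "-c", "import os; print(%r in os.environ)" % MARKER],
        env=child_env, universal_newlines=True)
    return out.strip() == "True"
```

With env={} the vulnerable variant reports True (the marker leaked) while the fixed variant reports False; with env=None both copy os.environ, which is Popen's documented default.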
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* Backport upstream patch for CVE-2024-40647:
https://github.com/getsentry/sentry-python/commit/763e40aa4cb57ecced467f48f78f335c87e9bdff
- Preserve explicitly empty subprocess environments.
- Only fall back to os.environ when the env argument is None.
- Include the upstream regression test.
[ Other info ]
CVE-2024-40647 is marked no-dsa in the Debian security tracker.
diff -Nru sentry-python-1.9.10/debian/changelog
sentry-python-1.9.10/debian/changelog
--- sentry-python-1.9.10/debian/changelog 2022-12-02 17:19:30.000000000
+0000
+++ sentry-python-1.9.10/debian/changelog 2026-05-25 05:33:13.000000000
+0100
@@ -1,3 +1,10 @@
+sentry-python (1.9.10-2+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * d/patches: backport upstream fix for CVE-2024-40647 (Closes: #1083189)
+
+ -- Christopher Obbard <[email protected]> Mon, 25 May 2026 05:33:13 +0100
+
sentry-python (1.9.10-2) unstable; urgency=medium
* Team upload.
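Review bot: the `* d/patches: backport upstream fix for CVE-2024-40647` entry names the CVE and bug number but not what changed for users; Debian changelog entries usually carry a one-line summary so that apt-listchanges readers see the effect, for example `backport upstream fix for CVE-2024-40647: keep an explicitly empty env={} in the subprocess integration instead of copying os.environ into the child (Closes: #1083189)`.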
diff -Nru
sentry-python-1.9.10/debian/patches/CVE-2024-40647-dont-send-full-env-to-subprocess.patch
sentry-python-1.9.10/debian/patches/CVE-2024-40647-dont-send-full-env-to-subprocess.patch
---
sentry-python-1.9.10/debian/patches/CVE-2024-40647-dont-send-full-env-to-subprocess.patch
1970-01-01 01:00:00.000000000 +0100
+++
sentry-python-1.9.10/debian/patches/CVE-2024-40647-dont-send-full-env-to-subprocess.patch
2026-05-25 05:33:13.000000000 +0100
@@ -0,0 +1,68 @@
+From: Ivana Kellyer <[email protected]>
+Date: Mon, 8 Jul 2024 09:38:14 +0200
+Subject: fix(integrations): don't send full env to subprocess (#3251)
+
+During the arguments modification to `subprocess.Popen.__init__`,
+an explicitly empty environment of `{}` is incorrectly confused with a `None`
+environment. This causes sentry to pass the entire environment of the
+parent process instead of sending just the injected environment variables.
+
+Fix it by only replacing the environment with `os.environ` if the variable
+is None, and not just falsy.
+
+This fixes CVE-2024-40647.
+
+Co-authored-by: Kevin Michel <[email protected]>
+
+Origin: upstream,
https://github.com/getsentry/sentry-python/commit/763e40aa4cb57ecced467f48f78f335c87e9bdff
+Applied-Upstream: 2.8.0,
https://github.com/getsentry/sentry-python/commit/763e40aa4cb57ecced467f48f78f335c87e9bdff
+Bug-Debian: https://bugs.debian.org/1083189
+Reviewed-by: Christopher Obbard <[email protected]>
+Last-Update: 2026-05-25
+Signed-off-by: Christopher Obbard <[email protected]>
+---
+ sentry_sdk/integrations/stdlib.py | 6 +++++-
+ tests/integrations/stdlib/test_subprocess.py | 13 +++++++++++++
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/sentry_sdk/integrations/stdlib.py
b/sentry_sdk/integrations/stdlib.py
+index 9495d40..6a539b8 100644
+--- a/sentry_sdk/integrations/stdlib.py
++++ b/sentry_sdk/integrations/stdlib.py
+@@ -188,7 +188,11 @@ def _install_subprocess():
+ for k, v in hub.iter_trace_propagation_headers(span):
+ if env is None:
+ env = _init_argument(
+- a, kw, "env", 10, lambda x: dict(x or os.environ)
++ a,
++ kw,
++ "env",
++ 10,
++ lambda x: dict(x if x is not None else os.environ),
+ )
+ env["SUBPROCESS_" + k.upper().replace("-", "_")] = v
+
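Review bot: the `lambda x: dict(x if x is not None else os.environ)` line is the right fix, since only a missing or `None` env now falls back to the parent environment while an explicitly empty mapping stays empty apart from the injected `SUBPROCESS_*` keys. Worth confirming for the backport is that the unchanged positional index `10` passed to `_init_argument` still selects `env` in `subprocess.Popen.__init__` on the Python 3.11 that bookworm ships (it does: `env` is the eleventh positional parameter), because a wrong index would leave the fallback untouched and the test below would still pass for the wrong reason if no env were injected at all.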
+diff --git a/tests/integrations/stdlib/test_subprocess.py
b/tests/integrations/stdlib/test_subprocess.py
+index 31da043..702f8b5 100644
+--- a/tests/integrations/stdlib/test_subprocess.py
++++ b/tests/integrations/stdlib/test_subprocess.py
+@@ -179,6 +179,19 @@ def test_subprocess_basic(
+ assert sys.executable + " -c" in subprocess_init_span["description"]
+
+
++def test_subprocess_empty_env(sentry_init, monkeypatch):
++ monkeypatch.setenv("TEST_MARKER", "should_not_be_seen")
++ sentry_init(integrations=[StdlibIntegration()], traces_sample_rate=1.0)
++ with start_transaction(name="foo"):
++ args = [
++ sys.executable,
++ "-c",
++ "import os; print(os.environ.get('TEST_MARKER', None))",
++ ]
++ output = subprocess.check_output(args, env={},
universal_newlines=True)
++ assert "should_not_be_seen" not in output
++
++
+ def test_subprocess_invalid_args(sentry_init):
+ sentry_init(integrations=[StdlibIntegration()])
+
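Review bot: `test_subprocess_empty_env` asserts only that `should_not_be_seen` is absent from the child's output, so it would also pass if the integration stopped injecting anything into the child environment; a stronger check would have the child print `sorted(os.environ)` and assert that every key present starts with `SUBPROCESS_`, which covers both the CVE fix and the trace propagation in one test. The `monkeypatch.setenv` line is the right way to plant the marker, as it is undone after the test regardless of outcome.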
diff -Nru sentry-python-1.9.10/debian/patches/series
sentry-python-1.9.10/debian/patches/series
--- sentry-python-1.9.10/debian/patches/series 2022-12-02 17:19:30.000000000
+0000
+++ sentry-python-1.9.10/debian/patches/series 2026-05-25 05:33:13.000000000
+0100
@@ -1 +1,2 @@
debian-hacks/docs-Use-local-inventory-for-Python3.patch
+CVE-2024-40647-dont-send-full-env-to-subprocess.patch