[issue39401] [CVE-2020-8315] Unsafe dll loading in getpathp.c on Win7

2020-01-30 Thread Ned Deily


Change by Ned Deily :


--
priority: deferred blocker -> 
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue39401] [CVE-2020-8315] Unsafe dll loading in getpathp.c on Win7

2020-01-30 Thread Ned Deily


Ned Deily  added the comment:


New changeset 51332c467ed2e07a191f903d554d0c54248e4d88 by Steve Dower in branch 
'3.6':
[3.6] bpo-39401: Avoid unsafe DLL load on Windows 7 and earlier (GH-18231) 
(GH-18233)
https://github.com/python/cpython/commit/51332c467ed2e07a191f903d554d0c54248e4d88


--




[issue39401] [CVE-2020-8315] Unsafe dll loading in getpathp.c on Win7

2020-01-30 Thread Anthony Wee


Anthony Wee  added the comment:

> Thanks Anthony for the report! I included your name as the reporter, though I 
> don't see it on any of the pages.

No problem! Thanks Steve, Eryk, and Victor for jumping on this!

--




[issue39401] [CVE-2020-8315] Unsafe dll loading in getpathp.c on Win7

2020-01-30 Thread STINNER Victor


STINNER Victor  added the comment:

>> I added 
>> https://python-security.readthedocs.io/vuln/unsafe-dll-load-windows-7.html 
>> to track fixes in all branches.

> Thanks, Victor! Python 2.7 and 3.5 are not vulnerable. The issue was added in 
> 3.6 when I added support for installing Python into a long path name on 
> up-to-date OS, which required dynamically loading an OS function. That 
> dynamic load was the problem.

Oh ok, I updated the page to reflect that. I also added 3.7 & 3.8 commits.

--




[issue39401] [CVE-2020-8315] Unsafe dll loading in getpathp.c on Win7

2020-01-29 Thread miss-islington


miss-islington  added the comment:


New changeset ad4a20b87d79a619ffbdea3f26848780899494e5 by Steve Dower in branch 
'3.8':
[3.8] bpo-39401: Avoid unsafe DLL load on Windows 7 and earlier (GH-18231) 
(GH-18234)
https://github.com/python/cpython/commit/ad4a20b87d79a619ffbdea3f26848780899494e5


--




[issue39401] [CVE-2020-8315] Unsafe dll loading in getpathp.c on Win7

2020-01-29 Thread miss-islington


miss-islington  added the comment:


New changeset 561c59777c8426fde0ef48b57cf02eddaeb2a5b8 by Steve Dower in branch 
'3.7':
[3.7] bpo-39401: Avoid unsafe DLL load on Windows 7 and earlier (GH-18231) 
(GH-18232)
https://github.com/python/cpython/commit/561c59777c8426fde0ef48b57cf02eddaeb2a5b8


--
nosy: +miss-islington




[issue39401] [CVE-2020-8315] Unsafe dll loading in getpathp.c on Win7

2020-01-29 Thread Steve Dower


Steve Dower  added the comment:

> I added 
> https://python-security.readthedocs.io/vuln/unsafe-dll-load-windows-7.html to 
> track fixes in all branches.

Thanks, Victor!

Python 2.7 and 3.5 are not vulnerable. The issue was added in 3.6 when I added 
support for installing Python into a long path name on up-to-date OS, which 
required dynamically loading an OS function. That dynamic load was the problem.

--
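
An added example, not part of the thread and not CPython's code: a small Python audit for the bug class named in the issue title, a dynamic load by bare DLL name, which leaves the choice of directory to the default Windows search order. The C snippet is a constructed sample and `audit_dll_loads` is a hypothetical helper; `LOAD_LIBRARY_SEARCH_SYSTEM32` is the Win32 flag that restricts the lookup to System32.

```python
import re

# Constructed sample (not CPython's getpathp.c): one bare-name load and two
# loads that never consult the default DLL search order.
SAMPLE_C = r'''
static HMODULE load_unsafe(void) {
    return LoadLibraryW(L"api-ms-win-core-path-l1-1-0.dll");
}
static HMODULE load_system32_only(void) {
    return LoadLibraryExW(L"api-ms-win-core-path-l1-1-0.dll", NULL,
                          LOAD_LIBRARY_SEARCH_SYSTEM32);
}
static HMODULE load_absolute(void) {
    return LoadLibraryW(L"C:\\Windows\\System32\\kernelbase.dll");
}
'''

# Matches LoadLibrary[Ex][A|W]("literal" <remaining arguments>);
CALL = re.compile(
    r'\b(LoadLibrary(?:Ex)?[AW]?)\s*\(\s*L?"((?:[^"\\]|\\.)*)"([^;]*)\)\s*;',
    re.S)
ABSOLUTE = re.compile(r'[A-Za-z]:\\\\')            # drive-letter path as written in C
SEARCH_FLAG = re.compile(r'\bLOAD_LIBRARY_SEARCH_\w+')


def audit_dll_loads(source):
    """Return (line, function, dll_name, verdict) for each literal DLL load."""
    findings = []
    for m in CALL.finditer(source):
        func, name, rest = m.groups()
        line = source.count("\n", 0, m.start()) + 1
        if ABSOLUTE.match(name):
            verdict = "ok: absolute path"
        elif SEARCH_FLAG.search(rest):
            verdict = "ok: search restricted by flag"
        else:
            # A bare name is resolved through the default search order, which
            # can include the current directory and PATH entries.
            verdict = "unsafe: bare name, default search order"
        findings.append((line, func, name, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_dll_loads(SAMPLE_C):
        print(*finding, sep=" | ")
```

The check only sees string-literal arguments; loads whose name is built at run time need manual review.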




[issue39401] [CVE-2020-8315] Unsafe dll loading in getpathp.c on Win7

2020-01-29 Thread Steve Dower


Steve Dower  added the comment:

Both of those buildbots should be retired (or repurposed for versions of Python 
that still support Windows 7) :)

--




[issue39401] [CVE-2020-8315] Unsafe dll loading in getpathp.c on Win7

2020-01-29 Thread Eryk Sun


Eryk Sun  added the comment:

> this PR has caused failures of 2 buildbots

The master branch should no longer get built on Windows 7 machines. The initial 
build succeeds, but running "_freeze_importlib[_d].exe" fails with 
STATUS_DLL_NOT_FOUND (0xC0000135, i.e. -1073741515) since 
"api-ms-win-core-path-l1-1-0.dll" (linked from pathcch.lib) is not a Windows 7 
API set.

--




[issue39401] [CVE-2020-8315] Unsafe dll loading in getpathp.c on Win7

2020-01-29 Thread Jeremy Kloth


Jeremy Kloth  added the comment:

As noted on the PR landing page, this PR has caused failures of 2 buildbots:

https://buildbot.python.org/all/#builders/81/builds/272

https://buildbot.python.org/all/#builders/150/builds/227

(both are Windows 7)

--
nosy: +jkloth




[issue39401] [CVE-2020-8315] Unsafe dll loading in getpathp.c on Win7

2020-01-29 Thread STINNER Victor


STINNER Victor  added the comment:

I added 
https://python-security.readthedocs.io/vuln/unsafe-dll-load-windows-7.html to 
track fixes in all branches.

--




[issue39401] [CVE-2020-8315] Unsafe dll loading in getpathp.c on Win7

2020-01-28 Thread Steve Dower


Steve Dower  added the comment:


New changeset 6a65eba44bfd82ccc8bed4b5c6dd6637549955d5 by Steve Dower in branch 
'master':
bpo-39401: Avoid unsafe DLL load on Windows 7 and earlier (GH-18231)
https://github.com/python/cpython/commit/6a65eba44bfd82ccc8bed4b5c6dd6637549955d5


--




[issue39401] [CVE-2020-8315] Unsafe dll loading in getpathp.c on Win7

2020-01-28 Thread Steve Dower


Steve Dower  added the comment:

This is now assigned CVE-2020-8315 
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8315 
https://nvd.nist.gov/vuln/detail/CVE-2020-8315)

Thanks Anthony for the report! I included your name as the reporter, though I 
don't see it on any of the pages.

--
title: Unsafe dll loading in getpathp.c on Win7 -> [CVE-2020-8315] Unsafe dll 
loading in getpathp.c on Win7
