Source: restrictedpython X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security
Hi, The following vulnerability was published for restrictedpython. CVE-2023-37271[0]: | RestrictedPython is a tool that helps to define a subset of the | Python language which allows users to provide a program input into a | trusted environment. RestrictedPython does not check access to stack | frames and their attributes. Stack frames are accessible within at | least generators and generator expressions, which are allowed inside | RestrictedPython. Prior to versions 6.1 and 5.3, an attacker with | access to a RestrictedPython environment can write code that gets | the current stack frame in a generator and then walk the stack all | the way beyond the RestrictedPython invocation boundary, thus | breaking out of the restricted sandbox and potentially allowing | arbitrary code execution in the Python interpreter. All | RestrictedPython deployments that allow untrusted users to write | Python code in the RestrictedPython environment are at risk. In | terms of Zope and Plone, this would mean deployments where the | administrator allows untrusted users to create and/or edit objects | of type `Script (Python)`, `DTML Method`, `DTML Document` or `Zope | Page Template`. This is a non-default configuration and likely to be | extremely rare. The problem has been fixed in versions 6.1 and 5.3. https://github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-wqc8-x2pr-7jqh https://github.com/zopefoundation/RestrictedPython/commit/c8eca66ae49081f0016d2e1f094c3d72095ef531 (master) https://github.com/zopefoundation/RestrictedPython/commit/d8c5aa72c5d0ec8eceab635d93d6bc8321116002 (5.3) If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-37271 https://www.cve.org/CVERecord?id=CVE-2023-37271 Please adjust the affected versions in the BTS as needed.
