Hi,

Python 3.6.12 includes a fix for this issue:
https://python-security.readthedocs.io/vuln/pysetpath-python-dll-path.html

The commit in the 3.6 branch:
https://github.com/python/cpython/commit/46cbf6148a46883110883488d3e9febbe46ba861

Victor

On Thu, Jun 17, 2021 at 10:51 AM Prashanth Reddy
<reddy.prashanth...@gmail.com> wrote:
>
> Hi Victor,
>
> https://mail.python.org/archives/list/security-annou...@python.org/thread/C5RIXC2ZIML3NOEIOGFPA6ISGU5L2QXL/
>
>
> Short description:
>
> Python Invalid Search Path Vulnerability
>
>
> CVE-2020-15523 is an invalid search path in Python 3.6 and later on
> Windows. It occurs during Py_Initialize() when the runtime attempts to
> pre-load python3.dll. If Py_SetPath() has been called, the expected
> location is not set, and locations elsewhere on the user's system will
> be searched.
>
> This issue is not triggered when running python.exe. It only applies
> when CPython has been embedded in another application.
>
> Issue: https://bugs.python.org/issue29778
> Patch: https://github.com/python/cpython/pull/21297
>
> The next patched releases will be: 3.9.0b5, 3.8.4, 3.7.9 (source
> only), 3.6.12 (source only)
>
> Other than applying the patch, applications may mitigate the
> vulnerability by explicitly calling LoadLibrary() on their copy of
> python3.dll before calling Py_Initialize(). Even with the patch
> applied, applications should include a copy of python3.dll alongside
> their main Python DLL.
>
> Thanks to Eric Gantumur for detecting and reporting the issue to the
> Python Security Response Team.
>
> Questions to security-sig@python.org or secur...@python.org.
>
> Cheers,
> Steve Dower
> Python Security Response Team
>
> On Thu, Jun 17, 2021 at 3:29 AM Victor Stinner <vstin...@python.org> wrote:
> >
> > Hi,
> >
> > https://bugs.python.org/issue374252 is not a valid bug number. Which
> > one do you mean?
> >
> > Victor
> >
> > On Wed, Jun 16, 2021 at 6:10 PM Prashanth Reddy
> > <reddy.prashanth...@gmail.com> wrote:
> > >
> > > Hi Team,
> > >
> > > > Can you help with how to resolve the issue?
> > >
> > > We are using python 3.6.5 version.
> > >
> > > Regards,
> > > Prashanth
> > > _______________________________________________
> > > Security-SIG mailing list -- security-sig@python.org
> > > To unsubscribe send an email to security-sig-le...@python.org
> > > https://mail.python.org/mailman3/lists/security-sig.python.org/
> > > Member address: vstin...@python.org
> >
> >
> >
> > --
> > Night gathers, and now my watch begins. It shall not end until my death.



-- 
Night gathers, and now my watch begins. It shall not end until my death.
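
The mitigation described in the quoted advisory (explicitly loading the application's own copy of python3.dll before Py_Initialize()), as an added example that is not part of the original thread or of CPython's code. The function names `sibling_python3_path` and `preload_python3` are hypothetical, and the example assumes python3.dll ships in the same directory as the host executable.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Hypothetical helper: write "<directory of exe_path>python3.dll" to out.
   Returns 0 on success, -1 if exe_path has no directory part (a bare name
   would be resolved through the DLL search order) or out is too small. */
int sibling_python3_path(const char *exe_path, char *out, size_t out_len)
{
    static const char dll[] = "python3.dll";
    const char *sep = strrchr(exe_path, '\\');
    const char *fwd = strrchr(exe_path, '/');
    if (fwd && (!sep || fwd > sep))
        sep = fwd;
    if (!sep)
        return -1;
    size_t dir_len = (size_t)(sep - exe_path) + 1;  /* keep the separator */
    if (dir_len + sizeof dll > out_len)             /* sizeof counts the NUL */
        return -1;
    memcpy(out, exe_path, dir_len);
    memcpy(out + dir_len, dll, sizeof dll);
    return 0;
}

#ifdef _WIN32
/* Load python3.dll by absolute path so no other directory is searched.
   ANSI APIs are used for brevity; the wide variants handle non-ASCII paths. */
int preload_python3(void)
{
    char exe[MAX_PATH], dll[MAX_PATH];
    DWORD n = GetModuleFileNameA(NULL, exe, sizeof exe);
    if (n == 0 || n >= sizeof exe)                  /* failure or truncation */
        return -1;
    if (sibling_python3_path(exe, dll, sizeof dll) != 0)
        return -1;
    return LoadLibraryA(dll) ? 0 : -1;
}
#endif

int main(void)
{
#ifdef _WIN32
    if (preload_python3() != 0) {
        fputs("python3.dll not found beside the application\n", stderr);
        return 1;
    }
    /* The embedding code's Py_SetPath() and Py_Initialize() calls follow. */
#endif
    return 0;
}
```

Failing closed when the DLL is missing beside the executable keeps the runtime from falling back to a search of other locations.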