[CVE-2024-9287] venv activation scripts do not quote strings properly #124651
Comments
Hey @y5c4l3, thanks for reporting this. We're going to treat this as a low-risk security issue. You or anyone else can submit a fix normally. If you have questions about this, send an email to [email protected].
@sethmlarson Thanks for the reply! Could you please help me with a code review for this PR as well as #124155? The code owner for
…4712) This patch properly quotes template strings in `venv` activation scripts. This mitigates potential command injection.
…ythonGH-124712) This patch properly quotes template strings in `venv` activation scripts. This mitigates potential command injection. (cherry picked from commit d48cc82) Co-authored-by: Y5 <[email protected]>
…GH-124712) (GH-125813) (cherry picked from commit d48cc82)
Can we keep this open until all of the security branch backports are done?
…ythonGH-124712) This patch properly quotes template strings in `venv` activation scripts. This mitigates potential command injection. (cherry picked from commit d48cc82)
Do you want to backport it up to 3.9 as well? If so, don't forget to add the backport labels on the PR (for now, we only have 3.12+)
…GH-124712) (GH-126185) (cherry picked from commit d48cc82)
Cherry pick fixes for https://nvd.nist.gov/vuln/detail/CVE-2024-9287 from commits listed here python/cpython#124651
…cripts (cherry picked from 3.9)
…GH-124712) (GH-126185) (GH-126269) (GH-126300) (cherry picked from commit ae961ae)
I'm closing the issue. The fix was applied to all branches.
Cherry pick fixes for https://nvd.nist.gov/vuln/detail/CVE-2024-9287 from commits listed here python/cpython#124651 Advisory for the package is here wolfi-dev/advisories#8825 Signed-off-by: Aditvil-Dev <[email protected]>
…cripts (cherry picked from 3.9)
This patch properly quotes template strings in venv activation scripts. This mitigates potential command injection. Fixes: bsc#1232241 (CVE-2024-9287) Fixes: gh#python#124651 Co-authored-by: y5c4l3 <[email protected]> Co-authored-by: Victor Stinner <[email protected]> From-PR: gh#python/cpython!124712 Patch: CVE-2024-9287-venv_path_unquoted.patch
[ commit 7bb292a2c2f9ed7e2db81d9823526957bf3a9475 ] - https://docs.python.org/release/3.12.8/whatsnew/changelog.html#python-3-12-8 - python/cpython#124651
Hello! I am part of a team that uses GitHub's cache to store virtual environments for our CI. Our routine was working fine but for the last 2 days, I have noticed that sometimes actions that use Python

My problem is, the workflow that creates the cached virtual environment and other workflows that use that cache sometimes operate with different Python versions e.g.

One of the solutions that I can think of is to enforce both workflows (the one that creates and the one that uses the venv) to use the exact same Python patch (for example 3.12.8), but I wanted to ask you if I am missing something? I would expect any venv created by the same minor Python version to be compatible with each other or I have never faced this issue before (I usually don't look at which Python patch I am using).

Thanks for any help!
Sadly, the Python version used to create the venv should match the Python version used to run the venv. Both versions should be in sync.
@vstinner Thanks for the quick response! Was this always the case? For example, venv with 3.12.7 and 3.12.6, aren't they compatible? Because previously creating the venv with any 3.12 (whatever patch was chosen by Github runner) and activating it with any 3.12 was working.
It's a new issue caused by the security fix. |
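The exchange above boils down to one rule: the patch release that created a cached venv must be the one that activates it. A CI job can enforce that before it touches the cache by reading the `version` key that `venv` writes into `pyvenv.cfg` and comparing it with the running interpreter. The following is an added example written for this thread, not code from CPython or from any commenter; the `pyvenv.cfg` content is constructed, and the exact-match policy (major, minor and micro) is an assumption taken from the advice in the thread.

```python
import sys
from pathlib import Path

# Constructed pyvenv.cfg in the "key = value" format venv writes; the
# `version` key is the one this check relies on (assumed sample values).
SAMPLE_PYVENV_CFG = """\
home = /usr/bin
include-system-site-packages = false
version = 3.12.7
executable = /usr/bin/python3.12
"""


def parse_pyvenv_cfg(text: str) -> dict:
    """Parse the flat "key = value" lines of a pyvenv.cfg into a dict."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition('=')
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def venv_version(text: str):
    """(major, minor, micro) recorded at creation time, or None if absent
    or not a plain dotted release number."""
    raw = parse_pyvenv_cfg(text).get('version')
    if raw is None:
        return None
    try:
        return tuple(int(p) for p in raw.split('.')[:3])
    except ValueError:
        return None


def venv_matches_interpreter(text: str, running=None) -> bool:
    """Exact patch-release match, which is what the thread asks for.
    `running` defaults to the interpreter executing this check."""
    created = venv_version(text)
    running = tuple(running) if running is not None else tuple(sys.version_info[:3])
    return created is not None and created == running


def check_cached_venv(env_dir) -> str:
    """Fail-fast message for a CI step that has just restored a cached venv."""
    cfg_path = Path(env_dir) / 'pyvenv.cfg'
    if not cfg_path.is_file():
        return f'{cfg_path}: no pyvenv.cfg found, not a venv'
    created = venv_version(cfg_path.read_text(encoding='utf-8'))
    running = tuple(sys.version_info[:3])
    if created == running:
        return 'ok'
    return (f'venv was created with {created} but this job runs {running}; '
            'recreate the cache with the same Python patch release')


if __name__ == '__main__':
    # Typical CI usage: python check_venv.py .venv  (hypothetical script name)
    target = sys.argv[1] if len(sys.argv) > 1 else '.venv'
    verdict = check_cached_venv(target)
    print(verdict)
    sys.exit(0 if verdict == 'ok' else 1)
```

Exiting non-zero turns a silent mismatch into a visible cache miss, which is cheaper to debug than a venv that activates but behaves differently from the one that was cached.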
gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to consistently use the mapped IPv4 address value for deciding properties. Properties which have their behavior fixed are is_multicast, is_reserved, is_link_local, is_global, and is_unspecified. python/cpython#122792 CVE-2024-9287, gh-124651: Properly quote template strings in venv activation scripts. python/cpython#124651 Signed-off-by: Peter Korsgaard <[email protected]>
…ythonGH-124712) This patch properly quotes template strings in `venv` activation scripts. This mitigates potential command injection.
Bug report

Bug description:

Crafted paths break the script templates:

Like pypa/virtualenv#2768 the execution path itself is low-risk, but it enables many potential downstream attack vectors. Downstream projects that automatically initialize and activate venv at a controllable path (e.g. read from repo configuration file) could execute unexpected commands.

CPython versions tested on:
3.8, 3.9, 3.10, 3.11, 3.12, 3.13, CPython main branch

Operating systems tested on:
Linux
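The report describes a path being substituted into a shell script template without quoting, so any path the shell tokenises differently from a single word changes what the script does. The example below is added here and is not code from CPython or from the reporter; it uses a constructed one-line stand-in for the `VIRTUAL_ENV` assignment in the POSIX `activate` template (the `__VENV_DIR__` placeholder name follows venv's convention, but the real template is not reproduced), shows raw substitution beside substitution through `shlex.quote`, and uses `shlex.split` to tokenise the result the way a POSIX shell would. The `needs_quoting` check is the kind of guard a downstream project can run on a venv path read from repository configuration before handing it to any script.

```python
import shlex

# Constructed stand-in for the VIRTUAL_ENV assignment in venv's POSIX
# `activate` template; __VENV_DIR__ is the placeholder venv substitutes.
TEMPLATE = 'VIRTUAL_ENV=__VENV_DIR__\nexport VIRTUAL_ENV\n'


def render_unquoted(template: str, env_dir: str) -> str:
    """Raw substitution: the path is pasted into the script verbatim,
    which is the behaviour the report describes."""
    return template.replace('__VENV_DIR__', env_dir)


def render_quoted(template: str, env_dir: str) -> str:
    """Hardened substitution: shlex.quote turns the path into exactly one
    shell word whatever it contains (assumed approach, not CPython's code)."""
    return template.replace('__VENV_DIR__', shlex.quote(env_dir))


def needs_quoting(env_dir: str) -> bool:
    """True if the path would not survive unquoted substitution unchanged.
    Usable as a guard on venv paths read from repository configuration."""
    return shlex.quote(env_dir) != env_dir


def assignment_words(rendered: str):
    """Tokenise the VIRTUAL_ENV line as a POSIX shell splits words, without
    spawning a shell. Returns None when the line is not even parseable
    (for example an unbalanced quote left by raw substitution)."""
    first_line = rendered.split('\n', 1)[0]
    try:
        return shlex.split(first_line)
    except ValueError:
        return None


if __name__ == '__main__':
    # Constructed sample paths: one plain, one with a space, one with a quote
    for path in ('/opt/venv', '/tmp/my venv', "/tmp/it's"):
        print(f'{path!r}: needs quoting = {needs_quoting(path)}')
        print('  unquoted ->', assignment_words(render_unquoted(TEMPLATE, path)))
        print('  quoted   ->', assignment_words(render_quoted(TEMPLATE, path)))
```

For a plain path both renderings are identical, which is why the defect went unnoticed; for a path with a space the unquoted line assigns a truncated value and leaves a stray word, and for a path with an apostrophe the unquoted line is not even well-formed shell. Only the quoted rendering gives the shell back the original path as a single word in every case.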
Linked PRs
- venv activation scripts #124712
- venv activation scripts (GH-124712) #125813
- venv activation scripts (GH-124712) #125947
- venv activation scripts (GH-124712) #126185
- venv activation scripts (GH-124712) (GH-126185) #126269
- venv activation scripts (GH-124712) (GH-126185) (#126269) #126300
- venv activation scripts (GH-124712) (GH-126185) (#126269) #126301