New submission from Steve Dower <steve.do...@python.org>:

On February 27th, 2018, the Python Security Response team was notified of a 
buffer overflow issue in the os.symlink() method on Windows. The issue affects 
all versions of Python between 3.2 and 3.6.4, including the 3.7 beta releases. 
It will be patched for the next releases of 3.4, 3.5, 3.6 and 3.7.

Scripts may be vulnerable if they use os.symlink() on Windows and an attacker 
is able to influence the location where links are created. As os.symlink 
requires administrative privileges on most versions of Windows, exploits using 
this vulnerability are likely to achieve escalation of privilege.

Besides applying the fix to CPython, scripts can also ensure that the length of 
each path argument is less than 260, and if the source is a relative path, that 
its combination with the destination is also shorter than 260 characters. That 
is:

    assert (len(src) < 260 and
            len(dest) < 260 and
            len(os.path.join(os.path.dirname(dest), src)) < 260)
    os.symlink(src, dest)

Scripts that explicitly pass the target_is_directory argument as True are not 
vulnerable. Also, scripts on Python 3.5 that use bytes for paths are not 
vulnerable, because of a combination of stack layout and added parameter 
validation.

I will be requesting a CVE for this once the patches are applied to maintenance 
branches, and then notifying the security-announce list. The patch has been 
reviewed by the PSRT and reporter, and while it prevents the buffer overflow, 
it does not raise any new errors or enable the use of long paths when creating 
symlinks.

Many thanks to Alexey Izbyshev for the report, and helping us work through 
developing the patch.

----------
assignee: steve.dower
components: Windows
keywords: security_issue
messages: 313275
nosy: izbyshev, paul.moore, steve.dower, tim.golden, zach.ware
priority: critical
severity: normal
status: open
title: Buffer overflow vulnerability in os.symlink on Windows
type: security
versions: Python 3.4, Python 3.5, Python 3.6, Python 3.7, Python 3.8

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue33001>
_______________________________________
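The length check described in the message, written as a wrapper that raises an exception instead of using `assert` (which `python -O` strips). This is an added example, not part of the original message or of the CPython patch; the names `PATH_LIMIT`, `symlink_path_problems` and `guarded_symlink` are hypothetical, and `ntpath` is used so the path arithmetic follows Windows rules on any platform.

```python
import ntpath
import os
import sys

PATH_LIMIT = 260  # the limit given in the message above


def symlink_path_problems(src, dest):
    """Return the reasons (possibly none) the pair fails the length check."""
    # Accept str, bytes and os.PathLike; lengths are counted in characters.
    src, dest = os.fsdecode(src), os.fsdecode(dest)
    problems = []
    if len(src) >= PATH_LIMIT:
        problems.append("src is %d characters" % len(src))
    if len(dest) >= PATH_LIMIT:
        problems.append("dest is %d characters" % len(dest))
    # A relative src is appended to dest's directory; an absolute src
    # replaces it, so the combined check then repeats the src check.
    combined = ntpath.join(ntpath.dirname(dest), src)
    if len(combined) >= PATH_LIMIT:
        problems.append("dest directory + src is %d characters" % len(combined))
    return problems


def guarded_symlink(src, dest, target_is_directory=False):
    """os.symlink() that refuses over-long paths on Windows.

    The check is applied even when target_is_directory is True, which the
    message says is not affected; that only makes the wrapper stricter.
    """
    if sys.platform == "win32":
        problems = symlink_path_problems(src, dest)
        if problems:
            raise ValueError("refusing os.symlink: " + "; ".join(problems))
    os.symlink(src, dest, target_is_directory=target_is_directory)
```
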