[issue36506] An arbitrary execution vulnerability exists in the built-in function getattr
New submission from bigbigliang:

Dear Python Community,

We've found a bug in the CPython Lib and already received a CVE number (CVE-2019-10268). But to be honest, I'm not sure if it's a loophole. Please tell me what to do next.

bigbigliang

--
components: 2to3 (2.x to 3.x conversion tool)
messages: 339337
nosy: 18z, bigbigliang, christian.heimes, krnick, serhiy.storchaka, vstinner, xtreak
priority: normal
severity: normal
status: open
title: An arbitrary execution vulnerability exists in the built-in function getattr
type: security
versions: Python 2.7, Python 3.5, Python 3.6, Python 3.7, Python 3.8, Python 3.9

___
Python tracker <https://bugs.python.org/issue36506>
___
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue36506] [security] CVE-2019-10268: An arbitrary execution vulnerability exists in the built-in function getattr
bigbigliang added the comment:

Yes, as you said. I think this problem can be closed. My initial idea was that if a user carefully constructs a vulnerability point, it may cause some danger, such as 'getattr(os,"system")("/bin/sh")'. So I have some ideas about whether it is necessary to filter it. Thank you for your reply.

from: bigbigliang

Josh Rosenberg wrote on Wed, Apr 3, 2019 at 12:52 AM:
>
> Josh Rosenberg added the comment:
>
> I'll note that, based on the title, I'm skeptical of the claim of a
> vulnerability. getattr is effectively *designed* to execute arbitrary code
> if called on an appropriate object (one where the class defines
> __getattribute__; defines __getattr__ without defining the name in
> question; defines the name in question as a property, not an instance
> attribute; or does something complicated with metaclasses that achieves a
> similar result looking up the attribute on the class).
>
> In all of those cases, the "vulnerability" only exists if:
>
> 1. The object in question defines a vulnerable handler for the attribute
> (that is, provides a code path for arbitrary execution that Python's
> attribute lookup machinery wasn't responsible for except insofar as it
> passed control to the unsafe handler in question)
> 2. Untrusted user input is passed as the name to look up on the vulnerable
> object
>
> If it's something more subtle than that (e.g. something where a "plain"
> instance with no special execution path supports arbitrary execution),
> that's an issue, but if it requires a Python developer to both create the
> vulnerability and open a path to trigger it explicitly, that doesn't really
> count.
>
> --
> keywords: +security_issue
> nosy: +josh.r
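As an added example (not code from the thread or from CPython) that walks through Josh's two conditions: getattr on a plain instance runs no code beyond the lookup, a class's own __getattr__ hook is what actually executes, and the unsafe `getattr(os, name)` pattern from the thread is shown beside an exact-match allowlist. The class names, ALLOWED_OPERATIONS and the helper functions are assumptions made for this illustration.

```python
import os


class Plain:
    """An ordinary object: getattr only looks names up, it runs no user code."""

    def __init__(self):
        self.value = 1


class Hooked:
    """Developer-defined hook: __getattr__ runs for every name not found normally."""

    def __init__(self):
        self.seen = []  # records which names reached the hook (constructed for the demo)

    def __getattr__(self, name):
        self.seen.append(name)
        return len(self.seen)


def lookup_plain(name):
    """Untrusted name against a plain instance: unknown names give None, nothing executes."""
    return getattr(Plain(), name, None)


def names_reaching_hook(names):
    """Return the names that reached Hooked.__getattr__, i.e. where developer code ran."""
    obj = Hooked()
    for n in names:
        getattr(obj, n)
    return list(obj.seen)


def naive_dispatch(name):
    """Risky pattern from the thread: an untrusted name resolved against the os module."""
    return getattr(os, name, None)


# Hypothetical allowlist: only these operations may be reached by name.
ALLOWED_OPERATIONS = {"getcwd": os.getcwd, "getpid": os.getpid}


def safe_dispatch(name):
    """Hardened form: exact-match allowlist; every other name is rejected."""
    try:
        return ALLOWED_OPERATIONS[name]
    except KeyError:
        raise ValueError(f"unsupported operation: {name!r}") from None
```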
[issue36506] [security] CVE-2019-10268: An arbitrary execution vulnerability exists in the built-in function getattr
bigbigliang added the comment:

> Certainly.
>
> --
[issue36506] [security] CVE-2019-10268: An arbitrary execution vulnerability exists in the built-in function getattr
bigbigliang added the comment:

Thank you for your answer. I am a student and very interested in Python. I want to continue digging for Python bugs, but I am not good at this area. I want to keep looking for loopholes.

from: bigbigliang

Christian Heimes wrote on Wed, Apr 3, 2019 at 5:33 PM:
>
> Christian Heimes added the comment:
>
> Could you please do us a favor and contact MITRE to get the CVE number
> revoked? Please CC secur...@python.org so we have a record of the emails.
>
> --