| |
@@ -0,0 +1,64 @@
|
| |
+ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
| |
+ From: "Miss Islington (bot)"
|
| |
+ <31488909+miss-islington@users.noreply.github.com>
|
| |
+ Date: Fri, 28 Oct 2022 03:08:30 -0700
|
| |
+ Subject: [PATCH] 00391: Don't use Linux abstract sockets for multiprocessing
|
| |
+
|
| |
+ Linux abstract sockets are insecure as they lack any form of filesystem
|
| |
+ permissions so their use allows anyone on the system to inject code into
|
| |
+ the process.
|
| |
+
|
| |
+ This removes the default preference for abstract sockets in
|
| |
+ multiprocessing introduced in Python 3.9+ via
|
| |
+ https://github.com/python/cpython/pull/18866 while fixing
|
| |
+ https://github.com/python/cpython/issues/84031.
|
| |
+
|
| |
+ Explicit use of an abstract socket by a user now generates a
|
| |
+ RuntimeWarning. If we choose to keep this warning, it should be
|
| |
+ backported to the 3.7 and 3.8 branches.
|
| |
+ (cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17)
|
| |
+
|
| |
+ Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
| |
+ ---
|
| |
+ Lib/multiprocessing/connection.py | 5 -----
|
| |
+ .../2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst | 15 +++++++++++++++
|
| |
+ 2 files changed, 15 insertions(+), 5 deletions(-)
|
| |
+ create mode 100644 Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
|
| |
+
|
| |
+ diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
|
| |
+ index 510e4b5aba..8e2facf92a 100644
|
| |
+ --- a/Lib/multiprocessing/connection.py
|
| |
+ +++ b/Lib/multiprocessing/connection.py
|
| |
+ @@ -73,11 +73,6 @@ def arbitrary_address(family):
|
| |
+ if family == 'AF_INET':
|
| |
+ return ('localhost', 0)
|
| |
+ elif family == 'AF_UNIX':
|
| |
+ - # Prefer abstract sockets if possible to avoid problems with the address
|
| |
+ - # size. When coding portable applications, some implementations have
|
| |
+ - # sun_path as short as 92 bytes in the sockaddr_un struct.
|
| |
+ - if util.abstract_sockets_supported:
|
| |
+ - return f"\0listener-{os.getpid()}-{next(_mmap_counter)}"
|
| |
+ return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir())
|
| |
+ elif family == 'AF_PIPE':
|
| |
+ return tempfile.mktemp(prefix=r'\\.\pipe\pyc-%d-%d-' %
|
| |
+ diff --git a/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
|
| |
+ new file mode 100644
|
| |
+ index 0000000000..02d95b5705
|
| |
+ --- /dev/null
|
| |
+ +++ b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
|
| |
+ @@ -0,0 +1,15 @@
|
| |
+ +On Linux the :mod:`multiprocessing` module returns to using filesystem backed
|
| |
+ +unix domain sockets for communication with the *forkserver* process instead of
|
| |
+ +the Linux abstract socket namespace. Only code that chooses to use the
|
| |
+ +:ref:`"forkserver" start method <multiprocessing-start-methods>` is affected.
|
| |
+ +
|
| |
+ +Abstract sockets have no permissions and could allow any user on the system in
|
| |
+ +the same `network namespace
|
| |
+ +<https://man7.org/linux/man-pages/man7/network_namespaces.7.html>`_ (often the
|
| |
+ +whole system) to inject code into the multiprocessing *forkserver* process.
|
| |
+ +This was a potential privilege escalation. Filesystem based socket permissions
|
| |
+ +restrict this to the *forkserver* process user as was the default in Python 3.8
|
| |
+ +and earlier.
|
| |
+ +
|
| |
+ +This prevents Linux `CVE-2022-42919
|
| |
+ +<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_.
|
| |
