Python update to tackle remote code vulnerability

The Python Software Foundation (PSF) has rushed out Python 3.9.2 and 3.8.8 to address two notable security flaws, including one that is remotely exploitable but in practical terms can only be used to knock a machine offline.

PSF is urging its legion of Python users to upgrade systems to Python 3.8.8 or 3.9.2, in particular to address the remote code execution (RCE) vulnerability that’s tracked as CVE-2021-3177.

The project expedited the release after receiving unexpected pressure from some users who were concerned over the security flaw.

Python 3.x through to 3.9.1 has a buffer overflow in PyCArg_repr in ctypes/callproc.c, which may lead to remote code execution.

It affects Python applications that “accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param.”

The bug occurs because “sprintf” is used unsafely. The impact is broad because Python is pre-installed with multiple Linux distributions and Windows 10.

Various Linux distributions, such as Debian, have been backporting the security patches to ensure the built-in versions of Python are shielded.

The vulnerability is a common memory flaw. Per RedHat, a stack-based buffer overflow in Python’s ctypes module improperly validated the input passed to it, “which would allow an attacker to overflow a buffer on the stack and crash the application.”

While a remote code execution vulnerability is bad news, RedHat notes that the “highest threat from this vulnerability is to system availability.” In other words, an attacker would likely only be able to pull off a denial of service attack.

References:

  1. https://blog.python.org/2021/02/python-392-and-388-are-now-available.html
  2. https://security-tracker.debian.org/tracker/CVE-2021-3177
  3. https://access.redhat.com/security/cve/cve-2021-3177
  4. https://www.zdnet.com/article/python-programming-language-hurries-out-update-to-tackle-remote-code-vulnerability/