python-3.11 - cherry pick upstream patch for CVE-2023-27043 #13586
Some background and links on CVE-2023-27043 in python.
The upstream fix in 4 adds a 'strict' parameter to the getaddresses() and parseaddr() functions and enables it by default (which will break some users). Thus, cherry-picking the upstream change to 3.11 and 3.12 would break some users, as described in issue 106669. The options we have are: Other responses are:
This one gets my vote (just consider it one vote though).
I think either one of these two solutions would be acceptable.
Debian codesearch for getaddress in python filetypes https://codesearch.debian.net/search?q=getaddress+filetype%3Apython&literal=1&perpkg=1 gives me 45 packages. I can cross check by hand how many of these are in any of our packages or images. Assuming the scope is small, and because our goal is to provide security to people, my preference is to
As the point of chainguard is to ship security updates without friction, meaning no opt-in needed.
We need advisory text to say that the new strict behaviour is on by default, and that if one is broken by this change they are either being attacked or they rely on vulnerable behaviour. And the RHEL "fix" is not fixed, as one has to do something to actually get the fix. And this is forward compatible with future python releases. Why is this fix important? All of these representations are typically used to stage password reset poisoning attacks. See for example these blogs that explain how "I'm just going to be using canonical representation of things" can go very wrong: https://cendyne.dev/posts/2022-02-18-user-provided-primary-keys.html https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning When using chainguard images, one should be secure by default, without needing to opt into security. One already did the opt-in to security by choosing chainguard. Maybe I should do a blog post about this update.
Thanks @xnox. Your prompting made me read a bit more. The RHEL change opts into the new behavior by default and allows the user a code-change-free option to opt out. I like this approach, and think we should go with that.
+1 to this, hardened by default. |
Force-pushed c3183cb to 3e5cb3c
Force-pushed 3749dca to 5c92b5a
Force-pushed 5c92b5a to 16a20fe
I think this is ready to land, would appreciate a review. Thanks.
The change here addresses CVE-2023-27043 by backporting a 'strict' keyword argument to the email.getaddresses and email.parseaddr functions. The change may break some consumers, as it does change the behavior.
After this change is landed, python 3.11 (and 3.12 via #13847) will behave like python master with regard to these two functions. Existing code for 3.11 or 3.12 will not pass the 'strict' argument, and the default is None. The functions are modified to check for a None value and consult an environment variable for the desired behavior.
The environment variable PYTHON_EMAIL_STRICT_PARSING_DEFAULT is considered 'true' by default (unset or empty string). If you wish to enable the previous behavior, the environment variable should be set to 'false'.
Please see the comment below for background.
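The environment-variable default described in the PR description, as an added example that is not the PR's patch or CPython's own code. It models the same resolution in a thin wrapper: a `strict` of None means "consult PYTHON_EMAIL_STRICT_PARSING_DEFAULT", unset or empty means hardened parsing, and the literal 'false' opts back into the legacy behavior. The helper names `strict_default`, `supports_strict` and `parse_addresses` are hypothetical, the case-insensitive comparison is an assumption, and the wrapper refuses to fall back silently to legacy parsing on an interpreter whose `email.utils.getaddresses` predates the backport.

```python
import inspect
import os
from email.utils import getaddresses

# Name taken from the PR description; semantics below follow its text.
ENV_VAR = "PYTHON_EMAIL_STRICT_PARSING_DEFAULT"


def strict_default(env=None):
    """Resolve the default for 'strict' from the environment.

    Unset or empty string -> True (hardened parsing, as the PR states).
    The literal 'false' -> False (legacy behavior).
    Assumption (not from the PR): the comparison is case-insensitive and any
    other value keeps strict parsing on, so a typo cannot disable the fix.
    """
    if env is None:
        env = os.environ
    value = env.get(ENV_VAR, "").strip().lower()
    if value == "":
        return True
    return value != "false"


def supports_strict():
    """True if the installed getaddresses() accepts the backported 'strict' kwarg."""
    return "strict" in inspect.signature(getaddresses).parameters


def parse_addresses(fieldvalues, strict=None, env=None):
    """Parse header values with the PR's None-means-consult-environment rule.

    If strict parsing is wanted but the interpreter lacks the backport, raise
    instead of quietly returning results from the vulnerable legacy parser.
    """
    if strict is None:
        strict = strict_default(env)
    if supports_strict():
        return getaddresses(fieldvalues, strict=strict)
    if strict:
        raise RuntimeError(
            "strict address parsing requested but this Python has no 'strict' "
            "parameter on email.utils.getaddresses (CVE-2023-27043 fix missing)"
        )
    return getaddresses(fieldvalues)


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed header value and one with a
    # bare address glued to an angle-bracketed one, the shape the CVE concerns.
    samples = [
        ["Alice <alice@example.com>"],
        ["alice@example.org<bob@example.org>"],
    ]
    for value in samples:
        for mode in (True, False):
            try:
                print(f"strict={mode!s:5} {value!r} -> {parse_addresses(value, strict=mode)!r}")
            except RuntimeError as exc:
                print(f"strict={mode!s:5} {value!r} -> error: {exc}")
    print("interpreter supports strict:", supports_strict())
    print("default from environment:", strict_default())
```

Running the script on an interpreter with the backport prints a different tuple list for the malformed sample under the two modes; on an older interpreter the strict=True calls raise, which is the failure a deployment should notice rather than paper over.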