
Fix for CVE-2022-37460 - Removed "shell=True", made args a list, and revised to handle stdin in function #96014


Closed
wants to merge 1 commit into from

Conversation

calebshortt (Contributor)

Fixes a vulnerability (CVE-2022-37460) in the get-remote-certificate script that would allow for remote code execution given malicious host parameter.

NOTE: Issue reported to python security but no gh-#####.

@bedevere-bot

Most changes to Python require a NEWS entry.

Please add it using the blurb_it web app or the blurb command-line tool.

@ghost

ghost commented Aug 15, 2022

All commit authors signed the Contributor License Agreement.
CLA signed

@gpshead (Member)

gpshead commented Aug 17, 2022

Please file an issue in this github repo related to this. Adjust the PR title to refer to the gh-#####: issue number. PRs are already public. There is no reason not to file an issue once a PR exists.

(and no need to refer to the CVE as that is being withdrawn)

@vstinner vstinner (Member) left a comment

This change breaks the script. I'm not sure if you tested manually the script with your change.

To remove shell=True, you have to split manually the r'openssl x509 (...)' shell command.

Anyway, I wrote PR #97613 which works and has a NEWS entry. I credited you in my PR.
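The point both the PR description and the review above turn on is the difference between a shell-parsed command string and an argv list. The following is an added example written for this page; it is not the CPython get-remote-certificate script or the code from either PR. It assumes a POSIX /bin/sh and uses `echo` as a stand-in for `openssl` (so it runs offline), and it uses `cat` to show how data that a shell command line would feed with `<` goes through `input=` instead.

```python
"""Added example (not CPython's script): command injection via shell=True plus
string interpolation, and the argv-list form that closes it.

Assumes a POSIX shell and the `echo` and `cat` utilities. `echo` stands in for
`openssl` so the demo needs no network and no certificates."""
import subprocess

# Constructed sample input: a "hostname" that is also a shell command line.
MALICIOUS_HOST = "example.com; echo INJECTED"
PORT = 443


def connect_vulnerable(host, port, program="echo"):
    """Before: `host` is spliced into a string that /bin/sh parses, so any
    shell metacharacter in it (; | & $( ) backticks) runs as a command."""
    cmd = "%s s_client -connect %s:%d" % (program, host, port)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def connect_hardened(host, port, program="echo"):
    """After: argv list, shell=False (the default). The whole host string is
    one argument; nothing inside it is interpreted by anyone but `program`."""
    argv = [program, "s_client", "-connect", "%s:%d" % (host, port)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def feed_stdin(data, argv=("cat",)):
    """Data a shell version would pass with `< file` or a heredoc is handed to
    the child through `input=`; no redirection syntax, hence no shell needed."""
    return subprocess.run(list(argv), input=data, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # With shell=True the ';' ends the echo command and a second command runs.
    print("vulnerable:", repr(connect_vulnerable(MALICIOUS_HOST, PORT)))
    # With an argv list the same string is printed back verbatim, unexecuted.
    print("hardened:  ", repr(connect_hardened(MALICIOUS_HOST, PORT)))
    print("stdin:     ", repr(feed_stdin("-----BEGIN CERTIFICATE-----\n")))
```

The check a reviewer wants is visible in the two outputs: the vulnerable form yields a second line `INJECTED:443` produced by a command that was never meant to run, while the hardened form yields a single line that still contains the literal text `; echo INJECTED`, because argv elements are never re-parsed. Quoting or escaping the host inside the string is not an equivalent fix; dropping the shell is.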

@bedevere-bot

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

@kumaraditya303 (Contributor)

Superseded by #97613. Thanks for the PR!

Labels: awaiting changes, needs backport to 3.9 (only security fixes), needs backport to 3.10 (only security fixes), needs backport to 3.11 (only security fixes), type-security (A security issue)

5 participants