PSF-2023-9

See a problem?
Import Source
https://github.com/psf/advisory-database/blob/main/advisories/python/PSF-2023-9.json
JSON Data
https://api.osv.dev/v1/vulns/PSF-2023-9
Aliases
Published
2023-08-24T00:00:00Z
Modified
2023-12-06T00:48:09.813408Z
Summary
os.path.normpath() truncates on null bytes
Details

Passing a path with null bytes to the os.path.normpath() function causes the returned path to be unexpectedly truncated at the first occurrence of null bytes within the path. Python versions before 3.11.0 didn’t truncate the path on null bytes.

If allowlisting is applied before a call to os.path.normpath() is used later in the program, the allowlisting can be circumvented if the path containing null bytes is constructed to pass the allowlist but then change to the targeted resource after truncation.

References
Credits
    • Noriko Totsuka of JPCERT/CC - FINDER
    • Masashi Yamane of LAC Co., Ltd - FINDER
    • Delta Regeer - REPORTER
    • Finn Womack - REMEDIATION_DEVELOPER
    • Steve Dower - REMEDIATION_REVIEWER
    • Seth Michael Larson - COORDINATOR

Affected packages

Git / github.com/python/cpython

Affected versions

v3.*

v3.11.0
v3.11.0a1
v3.11.0a2
v3.11.0a3
v3.11.0a4
v3.11.0a5
v3.11.0a6
v3.11.0a7
v3.11.0b1
v3.11.0b2
v3.11.0b3
v3.11.0b4
v3.11.0b5
v3.11.0rc1
v3.11.0rc2
v3.11.1
v3.11.2
v3.11.3
v3.11.4
v3.12.0a1
v3.12.0a2
v3.12.0a3
v3.12.0a4
v3.12.0a5
v3.12.0a6
v3.12.0a7
v3.12.0b1
v3.12.0b2
v3.12.0b3
v3.12.0b4
v3.12.0rc1