python3.9-3.9.14-1.el9.1
Errata ID: AXSA:2022-4506:01
Python is an interpreted, interactive, object-oriented programming language,
which includes modules, classes, exceptions, very high level dynamic data types
and dynamic typing. Python supports interfaces to many system calls and
libraries, as well as to various windowing systems.
Security Fix(es):
* python: local privilege escalation via the multiprocessing forkserver start
method (CVE-2022-42919)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.
CVE-2022-42919
Python 3.9.x and 3.10.x through 3.10.8 on Linux allows local privilege
escalation in a non-default configuration. The Python multiprocessing library,
when used with the forkserver start method on Linux, allows pickles to be
deserialized from any user in the same machine local network namespace, which in
many system configurations means any user on the same machine. Pickles can
execute arbitrary code. Thus, this allows for local user privilege escalation to
the user that any forkserver process is running as. Setting
multiprocessing.util.abstract_sockets_supported to False is a workaround. The
forkserver start method for multiprocessing is not the default start method.
This issue is Linux specific because only Linux supports abstract namespace
sockets. CPython before 3.9 does not make use of Linux abstract namespace
sockets by default. Support for users manually specifying an abstract namespace
socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make
specific uncommon API calls in order to do that in CPython before 3.9.
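The workaround named above, with a check that it took effect and a scan for abstract-namespace listener sockets, as an added example that is not part of the advisory or of CPython. The `@listener-<pid>-<counter>` name pattern and the internal helper `multiprocessing.connection.arbitrary_address` are assumptions based on CPython 3.9's multiprocessing source, and the `/proc/net/unix` sample is constructed.

```python
import re
import sys
import multiprocessing.util as mp_util
from multiprocessing import connection

# /proc/net/unix shows abstract sockets with a leading "@". Assumption: affected
# CPython builds name the listener "\0listener-<pid>-<counter>".
ABSTRACT_LISTENER = re.compile(r"^@listener-(\d+)-\d+$")

def abstract_listener_pids(proc_net_unix_text):
    """Return sorted PIDs embedded in abstract multiprocessing listener names
    (the process that created the listener socket)."""
    pids = set()
    for line in proc_net_unix_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8:  # unnamed sockets have no Path column
            continue
        match = ABSTRACT_LISTENER.match(fields[7])
        if match:
            pids.add(int(match.group(1)))
    return sorted(pids)

def apply_workaround():
    """Set the flag the advisory names, then confirm that the listener address
    multiprocessing would choose is a filesystem path, not an abstract name."""
    mp_util.abstract_sockets_supported = False
    # arbitrary_address() is an internal CPython helper (assumption: present
    # with this signature in CPython 3.9 and later).
    address = connection.arbitrary_address("AF_UNIX")
    return not address.startswith("\0")

# Constructed sample in /proc/net/unix layout (not captured from a real host).
SAMPLE = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 31337 @listener-4242-0
0000000000000000: 00000002 00000000 00010000 0001 01 31400 /tmp/pymp-abc/listener-xyz
0000000000000000: 00000003 00000000 00000000 0001 03 31500
"""

if __name__ == "__main__":
    print("interpreter:", sys.version.split()[0])
    print("abstract listener PIDs in sample:", abstract_listener_pids(SAMPLE))
    print("workaround effective:", apply_workaround())
```

The flag must be set before the first process is started with the forkserver method; on a live host, pass the contents of `/proc/net/unix` to `abstract_listener_pids` instead of `SAMPLE`.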
Update packages.
SRPMS
- python3.9-3.9.14-1.el9.1.src.rpm
MD5: 26aeb78a74028bc81ae1869d59f3ebaf
SHA-256: b2eb648101b9230c36ef61791afd2652e2b413d58d15a91030df383f59efbd2c
Size: 19.43 MB
Asianux Server 9 for x86_64
- python3-3.9.14-1.el9.1.x86_64.rpm
MD5: 96c9ba2fbebc2c3e744107c4f1739085
SHA-256: 85fd415296e235ac47a7c98a8a499611a7c7c2bc211ccad024109b1dacdf9e0f
Size: 27.44 kB
- python3-debug-3.9.14-1.el9.1.x86_64.rpm
MD5: 78d63c540f2aed57af8ab3ecface284a
SHA-256: 7f16630957586d40cac392bcca3ad7a4dd9df8d98eabcdd7f195426908880d1b
Size: 2.98 MB
- python3-devel-3.9.14-1.el9.1.x86_64.rpm
MD5: 383fac6a051d3102389d820d68f62f3f
SHA-256: 66658a69896f7a3f31d176693459a2897414cd9e43e66497a64448a118c2dbd1
Size: 206.77 kB
- python3-idle-3.9.14-1.el9.1.x86_64.rpm
MD5: 2fb38b5601ec23acff54de59821cf9bf
SHA-256: 78eaeaaa1dde803a33775d161072af8e14a23798350bd53b5da991781599fa25
Size: 771.99 kB
- python3-libs-3.9.14-1.el9.1.x86_64.rpm
MD5: 61279568f4862215aea22cd3c574276a
SHA-256: bba6c3bfcad4ba9cf9668ab66a0b858b69e81efef603438151a71c4a25abce5d
Size: 7.28 MB
- python3-test-3.9.14-1.el9.1.x86_64.rpm
MD5: 21edcab090fcf7ee84a6b60e548331f6
SHA-256: 12b47c1b6a3ca04ba0b1bf39eba40f08bf7c54602f9819509517802cf084d741
Size: 9.25 MB
- python3-tkinter-3.9.14-1.el9.1.x86_64.rpm
MD5: 4231a0320cb2d4d59bdd1ae2e0c04133
SHA-256: 15b9fd15a0e05c61b3c90ede798af3d443160db9cfd14ed75085f845ec40cd55
Size: 310.54 kB
- python-unversioned-command-3.9.14-1.el9.1.noarch.rpm
MD5: b6f232f66b7505fca8f6bad881a1f47b
SHA-256: 24f7a9b0dd416235b40f9cac11bbbd9a1a7cd36f21ee9df7d2cf33896f6d00e6
Size: 10.81 kB
- python3-3.9.14-1.el9.1.i686.rpm
MD5: 2d7ea8f386ae10f967affa170e15c329
SHA-256: 227ce2bdcc08adc6636838f519774324fbdf38f986fecd90c3b4cc48d062686e
Size: 27.54 kB
- python3-debug-3.9.14-1.el9.1.i686.rpm
MD5: 8fdd40f31091c32905a771042d8fd2e0
SHA-256: 39f9f9b05554e671f38f30e0d84456c701a4c243621b1b9dd85bf565d61e9610
Size: 2.82 MB
- python3-devel-3.9.14-1.el9.1.i686.rpm
MD5: 06f22d1b2dd53196dfa0f546864a41df
SHA-256: 3e3ca7f58284e41e930ddf568f91541238e299e4d07ab5e0c573f78f7d0e94fb
Size: 206.78 kB
- python3-idle-3.9.14-1.el9.1.i686.rpm
MD5: 8883a087609d39a16d2f9c6f84224cef
SHA-256: fc1a3116d29d80fc0c3578f472826fcf08e599cd7c4877cdc593177b9250a31c
Size: 771.96 kB
- python3-libs-3.9.14-1.el9.1.i686.rpm
MD5: f3bebcc3488a74ea90681500c99e9beb
SHA-256: 4c436f29e8cd1b7422d44391c5e0a2101c34420527ea02f609482b7b29963049
Size: 7.36 MB
- python3-test-3.9.14-1.el9.1.i686.rpm
MD5: 101bd6305bdb3ceaab9e03d310f0b600
SHA-256: 577ced6dc3e63530a78fa78213482ef2a1482038c0110dd4799cb05b4f58ffc7
Size: 9.26 MB
- python3-tkinter-3.9.14-1.el9.1.i686.rpm
MD5: 26e5d51408e1bf444e2c8389c5410e06
SHA-256: 416ba2484882e98e112208aff7768f07d1dc3066b5a3768bec2c8c5326a65526
Size: 311.83 kB