CVE-2023-6507: gh-112334: Restore subprocess's use of `vfork()` & fix `extra_groups=[]` behavior by gpshead · Pull Request #112617 · python/cpython
An issue was found in the CPython 3.12.0 subprocess module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases.

When using the extra_groups= parameter with an empty list as a value (i.e. extra_groups=[]), the logic regressed to not call setgroups(0, NULL) before calling exec(), thus not dropping the original process's groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list.

This issue only impacts CPython processes run with sufficient privilege to make the setgroups system call (typically root).
Fixed a performance regression in 3.12’s subprocess on Linux where it would no longer use the fast-path vfork() system call when it could have due to a logic bug, instead falling back to the safe but slower fork().
Also fixed a second 3.12.0 potential security bug. If a value of extra_groups=[] was passed to subprocess.Popen or related APIs, the underlying setgroups(0, NULL) system call to clear the groups list would not be made in the child process prior to exec().
The security issue was identified via code inspection in the process of fixing the first bug. Thanks to @vain for the detailed report and analysis in the initial bug on Github.
- A regression test regarding vfork usage is desirable. I’m pondering a test that runs when strace is available and permitted which confirms use of vfork() vs clone()…
- A test that will catch setgroups() not being called is included in this PR. It must be run as root on Linux. I believe one of our buildbots is configured to run that way.
- Discuss with Python Security Response team if this is also a noteworthy security fix. It could manifest when a root uid=0 process wants to drop other group memberships while executing a subprocess. Probably security relevant if the user= and group= parameters are also being used to drop privs…
Fixes #112334.
- Issue: subprocess.Popen: Performance regression on Linux since 124af17b6e #112334
Related news
Ubuntu Security Notice 6891-1 - It was discovered that Python incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 18.04 LTS. It was discovered that Python incorrectly used regular expressions vulnerable to catastrophic backtracking. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS.