A serious security vulnerability affected the Python language that could potentially lead to remote code execution attacks. Together with this, the Python Software Foundation (PSF) has fixed one more bug with their latest updates.
Python Vulnerability Triggering RCE Attacks
Reportedly, two different security vulnerabilities affected the existing Python releases leading to serious consequences.
One of these, CVE-2021-3177, is a buffer overflow vulnerability that could technically lead to remote code execution in Python applications. According to the vulnerability description,
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.
However, Python Software Foundation (PSF), in its blog post, states that this bug may not exactly trigger RCE in practical exploitation because successful exploitation requires fulfilling numerous other conditions. Yet, this could still lead to denial-of-service attacks.
Backing this observation, RedHat has also stated the same in their advisory.
Applications that use ctypes without carefully validating the input passed to it may be vulnerable to this flaw, which would allow an attacker to overflow a buffer on the stack and crash the application. The highest threat from this vulnerability is to system availability.
Alongside this one, a web cache poisoning vulnerability, CVE-2021-23336, also affected the language.
PSF Released The Fixes
PSF has recently addressed both the bugs with the release of Python 3.8.8 and 3.9.2. They had to expedite the release following the pressure from the users asking for a security fix to CVE-2021-3177.
This took us somewhat by surprise since we believed security content is cherry-picked by downstream distributors from source either way, and the RC releases provide installers for everybody else interested in upgrading in the meantime. It turns out that release candidates are mostly invisible to the community and in many cases cannot be used due to upgrade processes which users have in place.
Anyhow, the users should now upgrade to the latest Python versions to get the security fixes.
As for future releases, PSF has confirmed that the final release of Python 3.8 will arrive in May 2021. Whereas, Python 3.9.3 will arrive in May 2021.