[security][CVE-2020-27619] Python testsuite calls eval() on content received via HTTP

[serhiy-storchaka]

BPO	41944
Nosy	@vstinner, @ned-deily, @zware, @serhiy-storchaka, @The-Compiler, @pablogsal, @miss-islington
PRs	bpo-41944: No longer call eval() on content received via HTTP in the CJK codec tests #22566 bpo-41944: No longer call eval() on content received via HTTP in the UnicodeNames tests #22575 [3.9] bpo-41944: No longer call eval() on content received via HTTP in the CJK codec tests (GH-22566) #22576 [3.8] bpo-41944: No longer call eval() on content received via HTTP in the CJK codec tests (GH-22566) #22577 [3.7] bpo-41944: No longer call eval() on content received via HTTP in the CJK codec tests (GH-22566) #22578 [3.6] bpo-41944: No longer call eval() on content received via HTTP in the CJK codec tests (GH-22566) #22579

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2020-10-20.04:47:52.035>
created_at = <Date 2020-10-05.14:40:52.277>
labels = ['type-security', '3.8', '3.9', '3.10', '3.7', 'tests']
title = '[security][CVE-2020-27619] Python testsuite calls eval() on content received via HTTP'
updated_at = <Date 2020-11-04.13:09:52.449>
user = 'https://github.com/serhiy-storchaka'

bugs.python.org fields:

activity = <Date 2020-11-04.13:09:52.449>
actor = 'vstinner'
assignee = 'none'
closed = True
closed_date = <Date 2020-10-20.04:47:52.035>
closer = 'ned.deily'
components = ['Tests']
creation = <Date 2020-10-05.14:40:52.277>
creator = 'serhiy.storchaka'
dependencies = []
files = []
hgrepos = []
issue_num = 41944
keywords = ['patch', 'security_issue']
message_count = 19.0
messages = ['378036', '378104', '378105', '378106', '378107', '378108', '378110', '378111', '378114', '378117', '378118', '378119', '378120', '378125', '379082', '379085', '379713', '380319', '380320']
nosy_count = 7.0
nosy_names = ['vstinner', 'ned.deily', 'zach.ware', 'serhiy.storchaka', 'The Compiler', 'pablogsal', 'miss-islington']
pr_nums = ['22566', '22575', '22576', '22577', '22578', '22579']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue41944'
versions = ['Python 3.6', 'Python 3.7', 'Python 3.8', 'Python 3.9', 'Python 3.10']

[serhiy-storchaka]

As was reported by Florian Bruhin, Python testsuite calls eval() on content received via HTTP (in Lib/test/multibytecodec_support.py).

[The-Compiler]

I wonder if I should request a CVE for this as well? Just to make sure the word gets out to distributions/organizations/etc. running the Python testsuite, given that we can't be sure it which contexts this happens (and as it could be exploited by e.g. spoofing a WiFi network or so).

[vstinner]

I don't think that a CVE is justified.

I don't know anyone running the Python test suite on production. Only developers of Python itself run Python.