1137629 – (CVE-2019-12760) VUL-0: CVE-2019-12760: python-parso: parsing leads to arbitrary code execution

Bug 1137629 (CVE-2019-12760) - VUL-0: CVE-2019-12760: python-parso: parsing leads to arbitrary code execution

Summary: VUL-0: CVE-2019-12760: python-parso: parsing leads to arbitrary code execution

Status:	RESOLVED WONTFIX

Alias:	CVE-2019-12760

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/234500/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2019-06-07 11:25 UTC by Alexander Bergmann
Modified:	2024-05-06 13:18 UTC (History)
CC List:	5 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Bergmann 2019-06-07 11:25:34 UTC

rh#1718212

A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing can be triggered, this flaw leads to Arbitrary Code Execution.

Upstream commit:
https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1718212
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12760
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12760
https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7

Comment 1 Alexander Bergmann 2019-06-07 11:27:27 UTC

The above commit link is not the fix it is the reproducer.

Comment 2 Marcus Meissner 2019-07-16 06:04:11 UTC

marketa, as you touched it last in opensuse and it has no maintainer, can you check it out?

Comment 3 Markéta Machová 2019-07-16 11:02:21 UTC

Well, there is an upstream disscussion: https://github.com/davidhalter/parso/issues/75. It is quite long and quite exhaustive.

In short: upstream agrees it is an issue, but does not consider it serious, they mostly think it appears in a case parso was never meant to be used. Nevertheless, they have "documented" it: https://github.com/davidhalter/parso/commit/19de3eb5ca1ae9e7994f8d72f83328d83538fd16 and opened an issue to replace pickles: https://github.com/davidhalter/parso/issues/79, but they claim it is not easy to fix it and it could take a long time.

Regarding this disscussion I think we can wait, because it is, as they say, unlikely to encounter in the wild.

Comment 4 Markéta Machová 2021-04-23 13:54:18 UTC

https://github.com/davidhalter/parso/issues/172

To cite upstream: "This is not a vulnerability".

So they are probably not going to fix it. I propose to close this bug as WONTFIX.

Security, what do you think?

Comment 5 Thomas Leroy 2024-05-06 13:18:20 UTC

I agree with upstream that this is a not vulnerability. Upstream doesn't plan to fix at all, and the CVE is officially disputed. Let's close this as WONTFIX