CVE-2022-42919

一、漏洞信息
漏洞编号：CVE-2022-42919
漏洞归属组件：python2
漏洞归属的版本：2.7.18
CVSS V3.0分值：
BaseScore：7.8 High
Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
漏洞简述：
Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.
漏洞公开时间：2022-11-07 08:15:09
漏洞创建时间：2025-01-08 18:16:28
漏洞详情参考链接：
https://nvd.nist.gov/vuln/detail/CVE-2022-42919

更多参考(点击展开)

参考来源	参考链接	来源链接
cve.mitre.org	https://github.com/python/cpython/compare/v3.10.8...v3.10.9
cve.mitre.org	https://github.com/python/cpython/compare/v3.9.15...v3.9.16
cve.mitre.org	https://github.com/python/cpython/issues/97514
cve.mitre.org	https://github.com/python/cpython/issues/97514#issuecomment-1310277840
cve.mitre.org	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/
cve.mitre.org	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/
cve.mitre.org	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/
cve.mitre.org	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/
cve.mitre.org	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/
cve.mitre.org	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/
cve.mitre.org	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/
cve.mitre.org	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/
cve.mitre.org	https://security.gentoo.org/glsa/202305-02
cve.mitre.org	https://security.netapp.com/advisory/ntap-20221209-0006/
suse_bugzilla	https://bugzilla.redhat.com/show_bug.cgi?id=2138705	https://bugzilla.suse.com/show_bug.cgi?id=1204886
suse_bugzilla	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42919	https://bugzilla.suse.com/show_bug.cgi?id=1204886
redhat_bugzilla	https://github.com/python/cpython/issues/97514	https://bugzilla.redhat.com/show_bug.cgi?id=2138705
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2022:8492	https://bugzilla.redhat.com/show_bug.cgi?id=2138705
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2022:8493	https://bugzilla.redhat.com/show_bug.cgi?id=2138705
redhat_bugzilla	https://access.redhat.com/security/cve/cve-2022-42919	https://bugzilla.redhat.com/show_bug.cgi?id=2138705
ubuntu	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919	https://ubuntu.com/security/CVE-2022-42919
ubuntu	https://python-security.readthedocs.io/vuln/multiprocessing-abstract-socket.html	https://ubuntu.com/security/CVE-2022-42919
ubuntu	https://ubuntu.com/security/notices/USN-5713-1	https://ubuntu.com/security/CVE-2022-42919
ubuntu	https://ubuntu.com/security/notices/USN-5888-1	https://ubuntu.com/security/CVE-2022-42919
ubuntu	https://nvd.nist.gov/vuln/detail/CVE-2022-42919	https://ubuntu.com/security/CVE-2022-42919
ubuntu	https://launchpad.net/bugs/cve/CVE-2022-42919	https://ubuntu.com/security/CVE-2022-42919
ubuntu	https://security-tracker.debian.org/tracker/CVE-2022-42919	https://ubuntu.com/security/CVE-2022-42919
ubuntu	https://github.com/python/cpython/issues/97514	https://ubuntu.com/security/CVE-2022-42919
debian		https://security-tracker.debian.org/tracker/CVE-2022-42919
gentoo		https://security.gentoo.org/glsa/202305-02
anolis		https://anas.openanolis.cn/cves/detail/CVE-2022-42919
cve_search		https://github.com/python/cpython/issues/97514
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/
cve_search		https://security.netapp.com/advisory/ntap-20221209-0006/
cve_search		https://github.com/python/cpython/issues/97514#issuecomment-1310277840
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/
cve_search		https://github.com/python/cpython/compare/v3.10.8...v3.10.9
cve_search		https://github.com/python/cpython/compare/v3.9.15...v3.9.16
cve_search		https://security.gentoo.org/glsa/202305-02
osv	https://security.gentoo.org/glsa/202305-02	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://security.netapp.com/advisory/ntap-20221209-0006/	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://github.com/python/cpython/issues/97514	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://github.com/python/cpython/issues/97514#issuecomment-1310277840	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://github.com/python/cpython/compare/v3.10.8...v3.10.9	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://github.com/python/cpython/compare/v3.9.15...v3.9.16	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/	https://osv.dev/vulnerability/CVE-2022-42919
amazon_linux_explore	https://access.redhat.com/security/cve/CVE-2022-42919	https://explore.alas.aws.amazon.com/CVE-2022-42919.html
amazon_linux_explore	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919	https://explore.alas.aws.amazon.com/CVE-2022-42919.html

漏洞分析指导链接：
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
漏洞数据来源:
openBrain开源漏洞感知系统
漏洞补丁信息：

详情(点击展开)

影响的包	修复补丁	来源
	https://github.com/python/cpython/compare/v3.10.8...v3.10.9	nvd
	https://github.com/python/cpython/compare/v3.9.15...v3.9.16	nvd
	https://github.com/python/cpython/issues/97514	nvd
	https://github.com/python/cpython/issues/97514#issuecomment-1310277840	nvd
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/	nvd
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/	nvd
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/	nvd
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/	nvd
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/	nvd
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/	nvd
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/	nvd
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/	nvd
	https://security.netapp.com/advisory/ntap-20221209-0006/	nvd
python2.7	https://github.com/python/cpython/commit/eae692eed18892309bcc25a2c0f8980038305ea2	ubuntu

二、漏洞分析结构反馈
影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：
1.master(2.7.18):
2.openEuler-20.03-LTS-SP4:
3.openEuler-22.03-LTS-SP1:
4.openEuler-22.03-LTS-SP3:
5.openEuler-22.03-LTS-SP4:
6.openEuler-24.03-LTS:
7.openEuler-24.03-LTS-Next:
8.openEuler-24.03-LTS-SP1:

修复是否涉及abi变化(是/否)：
1.master(2.7.18):
2.openEuler-20.03-LTS-SP4:
3.openEuler-22.03-LTS-SP1:
4.openEuler-22.03-LTS-SP3:
5.openEuler-22.03-LTS-SP4:
6.openEuler-24.03-LTS:
7.openEuler-24.03-LTS-Next:
8.openEuler-24.03-LTS-SP1:

原因说明：
1.master(2.7.18):
2.openEuler-20.03-LTS-SP4:
3.openEuler-22.03-LTS-SP1:
4.openEuler-22.03-LTS-SP3:
5.openEuler-22.03-LTS-SP4:
6.openEuler-24.03-LTS:
7.openEuler-24.03-LTS-Next:
8.openEuler-24.03-LTS-SP1:

@dillon_chen ,@Charlie_li ,@gwei3 ,@xiexiuqi ,@shinwell_hu ,@biannm ,@yeqinglong01 ,@cellfaint ,@georgecao ,@wu_fengguang ,@myeuler ,@stonefly128 ,@jianminw ,@hjimmy ,@pengryan ,@pangbanme ,@relue0z ,@solarhu ,@vonhust 
**issue处理注意事项:** 
**1. 当前issue受影响的分支提交pr时, 须在pr描述中填写当前issue编号进行关联, 否则无法关闭当前issue;**
**2. 模板内容需要填写完整, 无论是受影响或者不受影响都需要填写完整内容,未引入的分支不需要填写, 否则无法关闭当前issue;**
**3. 以下为模板中需要填写完整的内容, 请复制到评论区回复, 注: 内容的标题名称(影响性分析说明, openEuler评分, 受影响版本排查(受影响/不受影响), 修复是否涉及abi变化(是/否), 原因说明)不能省略,省略后cve-manager将无法正常解析填写内容.**
************************************************************************
影响性分析说明:

openEuler评分: (评分和向量)

受影响版本排查(受影响/不受影响): 
1.master(2.7.18):
2.openEuler-20.03-LTS-SP4:
3.openEuler-22.03-LTS-SP1:
4.openEuler-22.03-LTS-SP3:
5.openEuler-22.03-LTS-SP4:
6.openEuler-24.03-LTS:
7.openEuler-24.03-LTS-Next:
8.openEuler-24.03-LTS-SP1:

修复是否涉及abi变化(是/否)：
1.master(2.7.18):
2.openEuler-20.03-LTS-SP4:
3.openEuler-22.03-LTS-SP1:
4.openEuler-22.03-LTS-SP3:
5.openEuler-22.03-LTS-SP4:
6.openEuler-24.03-LTS:
7.openEuler-24.03-LTS-Next:
8.openEuler-24.03-LTS-SP1:

原因说明：
1.master(2.7.18):
2.openEuler-20.03-LTS-SP4:
3.openEuler-22.03-LTS-SP1:
4.openEuler-22.03-LTS-SP3:
5.openEuler-22.03-LTS-SP4:
6.openEuler-24.03-LTS:
7.openEuler-24.03-LTS-Next:
8.openEuler-24.03-LTS-SP1:

issue处理具体操作请参考: 
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
pr关联issue具体操作请参考:
https://gitee.com/help/articles/4142

src-openEuler/python2

内容风险标识

评论 (2)

src-openEuler/python2 .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2022-42919

评论 (2)

搜索帮助

src-openEuler/python2