CVE-2024-3219 Information

Description

There is a MEDIUM severity vulnerability affecting CPython.

The “socket” module provides a pure-Python fallback to the socket.socketpair() function for platforms that don’t support AF_UNIX such as Windows. This pure-Python implementation uses AF_INET or AF_INET6 to create a local connected pair of sockets. The connection between the two sockets was not verified before passing the two sockets back to the user which leaves the server socket vulnerable to a connection race from a malicious local peer.

Platforms that support AF_UNIX such as Linux and macOS are not affected by this vulnerability. Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included.

Reference

https://github.com/python/cpython/pull/122134 https://github.com/python/cpython/issues/122133 https://mail.python.org/archives/list/security-announce@python.org/thread/WYKDQWIERRE2ICIYMSVRZJO33GSCWU2B/ http://www.openwall.com/lists/oss-security/2024/07/29/3 https://github.com/python/cpython/commit/06fa244666ec6335a3b9bf2367e31b42b9a89b20 https://github.com/python/cpython/commit/0b65c8bf5367625673eafb92f85046a1b31259f2 https://github.com/python/cpython/commit/220e31adeaaa8436c9ff234cba1398bc49e2bb6c https://github.com/python/cpython/commit/5f90abaa786f994db3907fc31e2ee00ea2cf0929 https://github.com/python/cpython/commit/b252317956b7fc035bb3774ef6a177e227f9fc54