From: JinWang An Date: Mon, 26 Apr 2021 05:19:00 +0000 (+0900) Subject: [CVE-2020-8315]Avoid unsafe DLL load on Windows 7 and earlier X-Git-Tag: submit/tizen_6.0_base/20210521.062029~8 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=18c63f94fdadfba79a860a50567a25a2ab12c95e;p=platform%2Fupstream%2Fpython3.git [CVE-2020-8315]Avoid unsafe DLL load on Windows 7 and earlier In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system's copy. Windows 8 and later are unaffected. Change-Id: I18d6f2a1e6181232bd349041d26fb34b3070fa8f Signed-off-by: JinWang An --- diff --git a/PC/getpathp.c b/PC/getpathp.c index 1b553d53..0a1560c7 100644 --- a/PC/getpathp.c +++ b/PC/getpathp.c @@ -89,6 +89,7 @@ #endif #include +#include #include #ifdef HAVE_SYS_TYPES_H @@ -235,68 +236,22 @@ ismodule(wchar_t *filename, int update_filename) stuff as fits will be appended. */ -static int _PathCchCombineEx_Initialized = 0; -typedef HRESULT(__stdcall *PPathCchCombineEx) (PWSTR pszPathOut, size_t cchPathOut, - PCWSTR pszPathIn, PCWSTR pszMore, - unsigned long dwFlags); -static PPathCchCombineEx _PathCchCombineEx; - static void join(wchar_t *buffer, const wchar_t *stuff) { - if (_PathCchCombineEx_Initialized == 0) { - HMODULE pathapi = LoadLibraryW(L"api-ms-win-core-path-l1-1-0.dll"); - if (pathapi) { - _PathCchCombineEx = (PPathCchCombineEx)GetProcAddress(pathapi, "PathCchCombineEx"); - } - else { - _PathCchCombineEx = NULL; - } - _PathCchCombineEx_Initialized = 1; - } - - if (_PathCchCombineEx) { - if (FAILED(_PathCchCombineEx(buffer, MAXPATHLEN+1, buffer, stuff, 0))) { - Py_FatalError("buffer overflow in getpathp.c's join()"); - } - } else { - if (!PathCombineW(buffer, buffer, stuff)) { - Py_FatalError("buffer overflow in getpathp.c's join()"); - } + if (FAILED(PathCchCombineEx(buffer, MAXPATHLEN+1, buffer, stuff, 0))) { + Py_FatalError("buffer overflow in getpathp.c's join()"); } } -static int _PathCchCanonicalizeEx_Initialized = 0; -typedef HRESULT(__stdcall *PPathCchCanonicalizeEx) (PWSTR pszPathOut, size_t cchPathOut, - PCWSTR pszPathIn, unsigned long dwFlags); -static PPathCchCanonicalizeEx _PathCchCanonicalizeEx; - static _PyInitError canonicalize(wchar_t *buffer, const wchar_t *path) { if (buffer == NULL) { return _Py_INIT_NO_MEMORY(); } - if (_PathCchCanonicalizeEx_Initialized == 0) { - HMODULE pathapi = LoadLibraryW(L"api-ms-win-core-path-l1-1-0.dll"); - if (pathapi) { - _PathCchCanonicalizeEx = (PPathCchCanonicalizeEx)GetProcAddress(pathapi, "PathCchCanonicalizeEx"); - } - else { - _PathCchCanonicalizeEx = NULL; - } - _PathCchCanonicalizeEx_Initialized = 1; - } - - if (_PathCchCanonicalizeEx) { - if (FAILED(_PathCchCanonicalizeEx(buffer, MAXPATHLEN + 1, path, 0))) { - return _Py_INIT_ERR("buffer overflow in getpathp.c's canonicalize()"); - } - } - else { - if (!PathCanonicalizeW(buffer, path)) { - return _Py_INIT_ERR("buffer overflow in getpathp.c's canonicalize()"); - } + if (FAILED(PathCchCanonicalizeEx(buffer, MAXPATHLEN + 1, path, 0))) { + return INIT_ERR_BUFFER_OVERFLOW(); } return _Py_INIT_OK(); } diff --git a/PCbuild/pythoncore.vcxproj b/PCbuild/pythoncore.vcxproj index e9947473..35995268 100644 --- a/PCbuild/pythoncore.vcxproj +++ b/PCbuild/pythoncore.vcxproj @@ -74,7 +74,7 @@ _Py_HAVE_ZLIB;%(PreprocessorDefinitions) - version.lib;shlwapi.lib;ws2_32.lib;%(AdditionalDependencies) + version.lib;shlwapi.lib;ws2_32.lib;pathcch.lib;%(AdditionalDependencies)