CVE-2022-42919

一、漏洞信息
漏洞编号：CVE-2022-42919
漏洞归属组件：scipy
漏洞归属的版本：1.5.4,1.7.0,>= 1.5.4
CVSS V3.0分值：
BaseScore：7.8 High
Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
漏洞简述：
Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.
漏洞公开时间：2022-11-07 08:15:09
漏洞创建时间：2024-03-23 18:35:07
漏洞详情参考链接：
https://nvd.nist.gov/vuln/detail/CVE-2022-42919

更多参考(点击展开)

参考来源	参考链接	来源链接
cve.mitre.org	https://github.com/python/cpython/compare/v3.10.8...v3.10.9
cve.mitre.org	https://github.com/python/cpython/compare/v3.9.15...v3.9.16
cve.mitre.org	https://github.com/python/cpython/issues/97514
cve.mitre.org	https://github.com/python/cpython/issues/97514#issuecomment-1310277840
cve.mitre.org	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/
cve.mitre.org	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/
cve.mitre.org	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/
cve.mitre.org	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/
cve.mitre.org	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/
cve.mitre.org	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/
cve.mitre.org	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/
cve.mitre.org	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/
cve.mitre.org	https://security.gentoo.org/glsa/202305-02
cve.mitre.org	https://security.netapp.com/advisory/ntap-20221209-0006/
suse_bugzilla	https://bugzilla.redhat.com/show_bug.cgi?id=2138705	https://bugzilla.suse.com/show_bug.cgi?id=1204886
suse_bugzilla	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42919	https://bugzilla.suse.com/show_bug.cgi?id=1204886
redhat_bugzilla	https://github.com/python/cpython/issues/97514	https://bugzilla.redhat.com/show_bug.cgi?id=2138705
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2022:8492	https://bugzilla.redhat.com/show_bug.cgi?id=2138705
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2022:8493	https://bugzilla.redhat.com/show_bug.cgi?id=2138705
ubuntu	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919	https://ubuntu.com/security/CVE-2022-42919
ubuntu	https://python-security.readthedocs.io/vuln/multiprocessing-abstract-socket.html	https://ubuntu.com/security/CVE-2022-42919
ubuntu	https://ubuntu.com/security/notices/USN-5713-1	https://ubuntu.com/security/CVE-2022-42919
ubuntu	https://ubuntu.com/security/notices/USN-5888-1	https://ubuntu.com/security/CVE-2022-42919
ubuntu	https://nvd.nist.gov/vuln/detail/CVE-2022-42919	https://ubuntu.com/security/CVE-2022-42919
ubuntu	https://launchpad.net/bugs/cve/CVE-2022-42919	https://ubuntu.com/security/CVE-2022-42919
ubuntu	https://security-tracker.debian.org/tracker/CVE-2022-42919	https://ubuntu.com/security/CVE-2022-42919
ubuntu	https://github.com/python/cpython/issues/97514	https://ubuntu.com/security/CVE-2022-42919
debian		https://security-tracker.debian.org/tracker/CVE-2022-42919
gentoo		https://security.gentoo.org/glsa/202305-02
anolis		https://anas.openanolis.cn/cves/detail/CVE-2022-42919
cve_search		https://github.com/python/cpython/issues/97514
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/
cve_search		https://security.netapp.com/advisory/ntap-20221209-0006/
cve_search		https://github.com/python/cpython/issues/97514#issuecomment-1310277840
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/
cve_search		https://github.com/python/cpython/compare/v3.10.8...v3.10.9
cve_search		https://github.com/python/cpython/compare/v3.9.15...v3.9.16
cve_search		https://security.gentoo.org/glsa/202305-02
osv	https://security.gentoo.org/glsa/202305-02	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://security.netapp.com/advisory/ntap-20221209-0006/	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://github.com/python/cpython/issues/97514	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://github.com/python/cpython/issues/97514#issuecomment-1310277840	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://github.com/python/cpython/compare/v3.10.8...v3.10.9	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://github.com/python/cpython/compare/v3.9.15...v3.9.16	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/	https://osv.dev/vulnerability/CVE-2022-42919
osv	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/	https://osv.dev/vulnerability/CVE-2022-42919
amazon_linux_explore	https://access.redhat.com/security/cve/CVE-2022-42919	https://explore.alas.aws.amazon.com/CVE-2022-42919.html
amazon_linux_explore	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919	https://explore.alas.aws.amazon.com/CVE-2022-42919.html
osv	https://access.redhat.com/errata/RHSA-2022:8493	https://osv.dev/vulnerability/ALSA-2022:8493
osv	https://access.redhat.com/security/cve/CVE-2022-42919	https://osv.dev/vulnerability/ALSA-2022:8493
osv	https://bugzilla.redhat.com/2138705	https://osv.dev/vulnerability/ALSA-2022:8493
osv	https://errata.almalinux.org/9/ALSA-2022-8493.html	https://osv.dev/vulnerability/ALSA-2022:8493
nvd	https://github.com/python/cpython/issues/97514
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/
nvd	https://security.netapp.com/advisory/ntap-20221209-0006/
nvd	https://github.com/python/cpython/issues/97514#issuecomment-1310277840
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/
nvd	https://github.com/python/cpython/compare/v3.10.8...v3.10.9
nvd	https://github.com/python/cpython/compare/v3.9.15...v3.9.16
nvd	https://security.gentoo.org/glsa/202305-02
redhat	https://access.redhat.com/security/cve/CVE-2022-42919
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/
nvd	https://security.netapp.com/advisory/ntap-20221209-0006/
nvd	https://github.com/python/cpython/issues/97514#issuecomment-1310277840
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/
nvd	https://github.com/python/cpython/compare/v3.10.8...v3.10.9
nvd	https://github.com/python/cpython/compare/v3.9.15...v3.9.16
nvd	https://github.com/python/cpython/issues/97514
debian	https://security-tracker.debian.org/tracker/CVE-2022-42919

漏洞分析指导链接：
https://gitee.com/mindspore/community/blob/master/security/cve_issue_template.md
漏洞数据来源:
openBrain开源漏洞感知系统
漏洞补丁信息：

详情(点击展开)

影响的包	修复补丁	来源
	https://github.com/python/cpython/compare/v3.10.8...v3.10.9	nvd
	https://github.com/python/cpython/compare/v3.9.15...v3.9.16	nvd
	https://github.com/python/cpython/issues/97514	nvd
	https://github.com/python/cpython/issues/97514#issuecomment-1310277840	nvd
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/	nvd
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/	nvd
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/	nvd
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/	nvd
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/	nvd
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/	nvd
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/	nvd
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/	nvd
	https://security.netapp.com/advisory/ntap-20221209-0006/	nvd
python2.7	https://github.com/python/cpython/commit/eae692eed18892309bcc25a2c0f8980038305ea2	ubuntu

二、漏洞分析结构反馈
影响性分析说明：

MindSpore评分：

受影响版本排查(受影响/不受影响)：
1.master:
2.v1.10:
3.v1.9.0:
4.v2.0.0:
5.v2.1.0:
6.v2.2.0:
7.v2.2.10:

@bryanbj ,@liuchao ,@huangbingjian ,@dairenjie ,@liyuxia ,@zyli2020 ,@emmmmtang ,@Henry Shi ,@fangzhou0329 ,@shenwei41 ,@jxl ,@chenhaozhe ,@zhanghaibo ,@yanghaoran ,@looop5 ,@kyang ,@chengang ,@mindspore_ding ,@ougongchang ,@zhunaipan ,@herryshi1 ,@Zenzenzense ,@zhaoting ,@徐永飞 ,@yxx ,@ZPaC ,@Greatpan ,@yefeng ,@fangzehua
issue处理注意事项:
1. 当前issue受影响的分支提交pr时, 须在pr描述中填写当前issue编号进行关联, 否则无法关闭当前issue;
2. 模板内容需要填写完整, 无论是受影响或者不受影响都需要填写完整内容,未引入的分支不需要填写, 否则无法关闭当前issue;
3. 以下为模板中需要填写完整的内容, 请复制到评论区回复, 注: 内容的标题名称(影响性分析说明, MindSpore评分, 受影响版本排查(受影响/不受影响))不能省略,省略后cve-manager将无法正常解析填写内容.

影响性分析说明:

MindSpore评分: (评分和向量)

受影响版本排查(受影响/不受影响):
1.master:
2.v1.10:
3.v1.9.0:
4.v2.0.0:
5.v2.1.0:
6.v2.2.0:
7.v2.2.10:

issue处理具体操作请参考:
https://gitee.com/mindspore/community/blob/master/security/cve_issue_template.md
pr关联issue具体操作请参考:
https://gitee.com/help/articles/4142

Please assign maintainer to check this issue.
请为此issue分配处理人。
@mindspore-ci-bot

感谢您的提问，您可以评论//mindspore-assistant更快获取帮助：

如果您刚刚接触MindSpore，或许您可以在教程找到答案
如果您是资深Pytorch用户，您或许需要：

如果您遇到动态图问题，可以设置set_context(pynative_synchronize=True)查看报错栈协助定位
模型精度调优问题可参考官网调优指南
如果您反馈的是框架BUG，请确认您在ISSUE中提供了MindSpore版本、使用的后端类型（CPU、GPU、Ascend）、环境、训练的代码官方链接以及可以复现报错的代码的启动方式等必要的定位信息
如果您已经定位出问题根因，欢迎提交PR参与MindSpore开源社区，我们会尽快review

GVP MindSpore / mindspore

内容风险标识

评论 (3)

GVPMindSpore / mindspore

内容风险标识

CVE-2022-42919

评论 (3)

搜索帮助

GVP MindSpore / mindspore