Bug 1137629 - (CVE-2019-12760) VUL-0: CVE-2019-12760: python-parso: parsing leads to arbitrary code execution
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
P3 - Medium / Normal
Assigned To: Security Team bot
Depends on:
Reported: 2019-06-07 11:25 UTC by Alexander Bergmann
Modified: 2021-05-04 09:22 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2019-06-07 11:25:34 UTC

A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing can be triggered, this flaw leads to Arbitrary Code Execution.

Upstream commit:

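As an added, defender-side illustration (not parso's code and not the upstream reproducer), this shows the hardening pattern for a pickle-based cache loader like the one described: an allowlisting unpickler that refuses any global a grammar cache is not expected to reference, plus an ownership and permission check on the cache file before it is read. The allowlist entries, the sample cache contents and the use of `collections.OrderedDict` as a stand-in for a non-allowlisted global are constructed assumptions; the ownership check assumes a POSIX host.

```python
import io
import os
import pickle
import stat
import datetime
import collections

# Globals a grammar cache is expected to reference. Constructed assumption:
# a real parso cache would list parso's own grammar/node classes instead.
SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "set"), ("builtins", "str"), ("builtins", "int"),
    ("datetime", "date"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allowlisted globals, so a crafted cache entry cannot
    reach arbitrary callables while it is being loaded."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} not allowed in cache")


def cache_file_is_trustworthy(path):
    """Reject cache files that another local user could have written (POSIX)."""
    st = os.stat(path)
    owned_by_me = st.st_uid == os.getuid()
    others_can_write = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    return stat.S_ISREG(st.st_mode) and owned_by_me and not others_can_write


def load_cache_bytes(data):
    """Return (True, obj) on success, or (False, reason) when the pickle is rejected."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def load_cache_file(path):
    """Both checks together: trusted file location AND allowlisted contents."""
    if not cache_file_is_trustworthy(path):
        return False, "cache file is not owned by us or is writable by others"
    with open(path, "rb") as fh:
        return load_cache_bytes(fh.read())


# Constructed sample cache contents (not real parso cache data).
SAMPLE_OK = pickle.dumps({"grammar": "3.8", "built": datetime.date(2019, 6, 7)})
# OrderedDict is a harmless stand-in for any global outside the allowlist.
SAMPLE_REJECTED = pickle.dumps(collections.OrderedDict(a=1))
```

A plain `pickle.load()` would accept both samples; the restricted loader accepts only the first, and refusing at `find_class` happens before any object from the cache is constructed.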
Comment 1 Alexander Bergmann 2019-06-07 11:27:27 UTC
The above commit link is not the fix; it is the reproducer.
Comment 2 Marcus Meissner 2019-07-16 06:04:11 UTC
Markéta, as you touched it last in openSUSE and it has no maintainer, can you check it out?
Comment 3 Markéta Machová 2019-07-16 11:02:21 UTC
Well, there is an upstream discussion: https://github.com/davidhalter/parso/issues/75. It is quite long and quite exhaustive.

In short: upstream agrees it is an issue, but does not consider it serious; they mostly think it appears in a case parso was never meant to be used for. Nevertheless, they have "documented" it: https://github.com/davidhalter/parso/commit/19de3eb5ca1ae9e7994f8d72f83328d83538fd16 and opened an issue to replace pickles: https://github.com/davidhalter/parso/issues/79, but they claim it is not easy to fix and could take a long time.

Given this discussion, I think we can wait, because it is, as they say, unlikely to be encountered in the wild.
Comment 4 Markéta Machová 2021-04-23 13:54:18 UTC

To cite upstream: "This is not a vulnerability".

So they are probably not going to fix it. I propose to close this bug as WONTFIX.

Security, what do you think?