The Python Software Foundation (PSF) has rushed out Python 3.9.2 and 3.8.8 to address two notable security flaws, including one that is remotely exploitable but in practical terms can only be used to knock an application offline.
The PSF is urging its legions of Python users to upgrade to 3.8.8 or 3.9.2, chiefly to deal with a remote code execution (RCE) vulnerability tracked as CVE-2021-3177.
The project expedited the final releases after receiving unexpected pressure from users concerned about the flaw.
“Since the announcement of the release candidates for 3.9.2 and 3.8.8 we received a number of inquiries from end users urging us to expedite the final releases due to the security content, especially CVE-2021-3177,” the PSF said in its release announcement.
“This took us somewhat by surprise since we believed security content is cherry-picked by downstream distributors from source either way, and the RC releases provide installers for everybody else interested in upgrading in the meantime,” the PSF said.
“It turns out that release candidates are mostly invisible to the community and in many cases cannot be used due to upgrade processes which users have in place.”
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution.
It affects Python applications “that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param.”
The bug exists because sprintf is used unsafely: the repr of a ctypes parameter is formatted into a fixed-size stack buffer with no bounds check, so a large enough value writes past the end of the buffer. The impact is broad because Python ships pre-installed with most Linux distributions and is widely installed on Windows 10.
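The mechanics are easy to see in isolation. The C below is an added example written for this page, not CPython's own code: the 256-byte buffer and the `<cparam 'd' (%f)>` format string are my recollection of the pre-fix PyCArg_repr and should be treated as assumptions, and the function names are hypothetical. Rather than reproduce the overflow (undefined behaviour), the example measures how many bytes the unbounded sprintf would have written, using snprintf with a NULL destination, and then shows a bounded variant that detects truncation instead of corrupting the stack. The point it makes is that `%f` prints the full integer part of a double, so 1e300 expands to more than 300 characters and a 256-byte buffer is nowhere near enough.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Assumed size of the fixed stack buffer in the pre-fix PyCArg_repr
 * (an assumption of this example, not taken from the CPython source). */
#define REPR_BUF 256

/* Format string used for ctypes c_double parameter reprs, as recalled
 * from the unpatched code; the tag is fixed to 'd' here for simplicity. */
#define CPARAM_FMT "<cparam 'd' (%f)>"

/* Number of bytes (excluding the NUL terminator) that an unbounded
 * sprintf(buffer, CPARAM_FMT, value) would write. snprintf with a NULL
 * destination and size 0 only measures, so this is safe for any value. */
size_t cparam_repr_needed(double value) {
    int n = snprintf(NULL, 0, CPARAM_FMT, value);
    return n < 0 ? 0 : (size_t)n;
}

/* Bounded variant: formats into out[outsz] and reports truncation.
 * Returns 1 when the full repr fit, 0 when it did not (out is emptied so a
 * caller can never mistake a truncated repr for a complete one). A real
 * caller would fall back to a heap allocation in the 0 case, which is in
 * the spirit of the upstream fix that stopped using a static buffer. */
int cparam_repr_safe(double value, char *out, size_t outsz) {
    int n = snprintf(out, outsz, CPARAM_FMT, value);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0) out[0] = '\0';
        return 0;
    }
    return 1;
}

int main(void) {
    char buf[REPR_BUF];

    /* Constructed inputs: a benign value and the 1e300 trigger from the CVE. */
    printf("1.5   needs %zu bytes (buffer is %d)\n", cparam_repr_needed(1.5), REPR_BUF);
    printf("1e300 needs %zu bytes (buffer is %d)\n", cparam_repr_needed(1e300), REPR_BUF);

    if (cparam_repr_safe(1.5, buf, sizeof buf))
        printf("bounded repr: %s\n", buf);
    if (!cparam_repr_safe(1e300, buf, sizeof buf))
        printf("bounded repr of 1e300: rejected, would not fit in %d bytes\n", REPR_BUF);
    return 0;
}
```

On a patched interpreter (3.9.2 or 3.8.8 and later) the Python-level trigger `repr(ctypes.c_double.from_param(1e300))` simply returns a long string; on an unpatched one the same expression runs the overflow inside the interpreter, which is why the denial-of-service case needs nothing more than an attacker-controlled float reaching a ctypes call.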
Various Linux distributions, such as Debian, have backported security patches to ensure that the bundled Python versions are protected.
The vulnerability is a classic memory-safety bug. According to Red Hat, it is a stack-based buffer overflow in Python's ctypes module that fails to handle untrusted input properly, “which could allow an attacker to overflow the stack and crash the application.”
While remote code execution sounds alarming, Red Hat notes that “the highest threat from this vulnerability is to system availability.” In other words, an attacker is most likely to be able to pull off a denial-of-service attack against the application.
“Our understanding is that while the CVE is listed as ‘remote code execution’, practical exploitability of this vulnerability is unlikely due to the specific conditions that need to be met for a successful RCE,” the PSF said.
“Sure, denial of service through malicious input is also a serious problem. Thus, to help the community members for whom the release candidates are not practical, we are releasing the final versions of 3.9.2 and 3.8.8 today,” the organization added.