[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-28 Thread STINNER Victor
Change by STINNER Victor : -- nosy: +vstinner

[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-28 Thread Eryk Sun
Eryk Sun added the comment:
> For clarity, I'm removing 3.9 from the affected versions. This version does not support Windows 7, and only Windows 7 is vulnerable to this DLL hijack.
I added 3.9 for the related issue to switch to using a static import, since Windows 7 isn't supported in 3

[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-28 Thread Steve Dower
Steve Dower added the comment: For clarity, I'm removing 3.9 from the affected versions. This version does not support Windows 7, and only Windows 7 is vulnerable to this DLL hijack. Also submitting the CVE request. -- versions: -Python 3.9

[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-28 Thread Steve Dower
Change by Steve Dower : -- pull_requests: +17614 pull_request: https://github.com/python/cpython/pull/18234

[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-28 Thread Steve Dower
Change by Steve Dower : -- pull_requests: +17613 pull_request: https://github.com/python/cpython/pull/18233

[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-28 Thread Steve Dower
Change by Steve Dower : -- pull_requests: +17612 pull_request: https://github.com/python/cpython/pull/18232

[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-28 Thread Steve Dower
Change by Steve Dower : -- keywords: +patch pull_requests: +17611 stage: needs patch -> patch review pull_request: https://github.com/python/cpython/pull/18231

[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-28 Thread Steve Dower
Change by Steve Dower : -- assignee: -> steve.dower

[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-22 Thread Ned Deily
Change by Ned Deily : -- nosy: +ned.deily

[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-22 Thread Ned Deily
Change by Ned Deily : -- priority: normal -> deferred blocker

[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-22 Thread Steve Dower
Steve Dower added the comment: Agreed, we can just search System32 for this. Thanks for doing the patch! For future reference, and for anyone else reading this, we generally prefer unavoidable DLL hijacking bugs to come to the Python Security Response Team first (secur...@python.org).

[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-20 Thread Eryk Sun
Eryk Sun added the comment:
> On Win7, running Python in the terminal will attempt to load the "api-ms-win-core-path-l1-1-0.dll" from various paths outside of the Python directory and the C:\Windows\System32 directories.
"api-ms-win-core-path-l1-1-0.dll" is not assigned in the API set sc

[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-20 Thread Anthony Wee
New submission from Anthony Wee : On Win7, running Python in the terminal will attempt to load the "api-ms-win-core-path-l1-1-0.dll" from various paths outside of the Python directory and the C:\Windows\System32 directories. This behavior can be verified using Process Monitor (see attachment)