At Python startup, api-ms-win-core-path-l1-1-0.dll is loaded with LoadLibraryW() without any LOAD_LIBRARY_SEARCH_xxx flags, so the default DLL search order (including the current directory and PATH) is used.
Python 3.5 and older are not affected.
Dates:
Disclosure date: 2020-01-21 (Python issue bpo-39401 reported)
Python 3.6.11 (2020-06-27) fixed by commit 51332c4 (branch 3.6) (2020-01-31)
Python 3.7.7 (2020-03-10) fixed by commit 561c597 (branch 3.7) (2020-01-30)
Python 3.8.2 (2020-02-24) fixed by commit ad4a20b (branch 3.8) (2020-01-30)
Python 3.9.0 (2020-10-05) fixed by commit 6a65eba (branch 3.9) (2020-01-29)
[CVE-2020-8315] Unsafe dll loading in getpathp.c on Win7.
Python issue: bpo-39401
Creation date: 2020-01-21
Reporter: Anthony Wee
In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker’s copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system’s copy. Windows 8 and later are unaffected.
CVE ID: CVE-2020-8315
Published: 2020-01-28
CVSS Score: 4.3
Timeline using the disclosure date 2020-01-21 as reference:
2020-01-21: Python issue bpo-39401 reported by Anthony Wee
2020-01-28 (+7 days): CVE-2020-8315 published
2020-01-29 (+8 days): commit 6a65eba (branch 3.9)
2020-01-30 (+9 days): commit 561c597 (branch 3.7)
2020-01-30 (+9 days): commit ad4a20b (branch 3.8)
2020-01-31 (+10 days): commit 51332c4 (branch 3.6)
2020-02-24 (+34 days): Python 3.8.2 released
2020-03-10 (+49 days): Python 3.7.7 released
2020-06-27 (+158 days): Python 3.6.11 released
2020-10-05: Python 3.9.0 released
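The following is an added illustration, not code from CPython or from this entry: it models the Windows DLL search order to show why the unflagged load above is unsafe on Windows 7, which ships no api-ms-win-core-path-l1-1-0.dll, and why restricting the search to System32 defuses it. The directory layout and file contents are constructed, and the use of LOAD_LIBRARY_SEARCH_SYSTEM32 as the hardened setting is an assumption about the fix, not something this entry states.

```python
"""Model of the Windows DLL search order behind CVE-2020-8315 (added example).

Simulates which file LoadLibrary would pick for api-ms-win-core-path-l1-1-0.dll
given a constructed set of present files. The default order follows Microsoft's
documented SafeDllSearchMode sequence: application dir, System32, 16-bit System
dir, Windows dir, current dir, then PATH. LOAD_LIBRARY_SEARCH_SYSTEM32 limits
the search to System32 only.
"""
from typing import Optional

DLL = "api-ms-win-core-path-l1-1-0.dll"
LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x00000800  # flag value from libloaderapi.h

# Constructed directory layout (assumed for the example, not a real machine).
APP_DIR = r"C:\Python38"
SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDOWS = r"C:\Windows"
CWD = r"C:\Users\victim\Downloads"
PATH = [r"C:\Tools", r"C:\Windows\System32"]


def search_dirs(flags: int) -> list:
    """Directories probed, in order, for the given LoadLibraryEx flags."""
    if flags & LOAD_LIBRARY_SEARCH_SYSTEM32:
        return [SYSTEM32]
    return [APP_DIR, SYSTEM32, SYSTEM16, WINDOWS, CWD] + PATH


def resolve_dll(name: str, present: set, flags: int = 0) -> Optional[str]:
    """Return the full path the loader would pick, or None if nothing matches."""
    for directory in search_dirs(flags):
        candidate = directory + "\\" + name
        if candidate in present:
            return candidate
    return None


def windows7_scenario(flags: int = 0) -> Optional[str]:
    """Windows 7 has no system copy of the DLL, so with the default search
    order the walk falls through to a user-writable directory (the CWD here)."""
    present = {CWD + "\\" + DLL}
    return resolve_dll(DLL, present, flags)


def windows8_scenario(flags: int = 0) -> Optional[str]:
    """Windows 8+ resolves the name to a system component; modelled here as
    a copy in System32, which is reached before the current directory."""
    present = {SYSTEM32 + "\\" + DLL, CWD + "\\" + DLL}
    return resolve_dll(DLL, present, flags)
```

With the System32-only flag the Windows 7 load simply fails, which is the safe outcome: the caller falls back to its non-PathCch code path instead of loading an untrusted file.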