Anolis OS update for python39:3.9 module



Updated: 2025-03-28
Risk: Low
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2022-42919
CWE-ID: CWE-502
Exploitation vector: Local
Public exploit: N/A
Vulnerable software
Anolis OS
Operating systems & Components / Operating system

python39-rpm-macros
Operating systems & Components / Operating system package or component

python39-numpy-doc
Operating systems & Components / Operating system package or component

python39-tkinter
Operating systems & Components / Operating system package or component

python39-test
Operating systems & Components / Operating system package or component

python39-numpy-f2py
Operating systems & Components / Operating system package or component

python39-numpy
Operating systems & Components / Operating system package or component

python39-libs
Operating systems & Components / Operating system package or component

python39-idle
Operating systems & Components / Operating system package or component

python39-devel
Operating systems & Components / Operating system package or component

python39
Operating systems & Components / Operating system package or component

python39-wheel-wheel
Operating systems & Components / Operating system package or component

python39-wheel
Operating systems & Components / Operating system package or component

python39-wcwidth
Operating systems & Components / Operating system package or component

python39-urllib3
Operating systems & Components / Operating system package or component

python39-toml
Operating systems & Components / Operating system package or component

python39-six
Operating systems & Components / Operating system package or component

python39-setuptools-wheel
Operating systems & Components / Operating system package or component

python39-setuptools
Operating systems & Components / Operating system package or component

python39-requests
Operating systems & Components / Operating system package or component

python39-pytest
Operating systems & Components / Operating system package or component

python39-pysocks
Operating systems & Components / Operating system package or component

python39-pyparsing
Operating systems & Components / Operating system package or component

python39-pycparser
Operating systems & Components / Operating system package or component

python39-py
Operating systems & Components / Operating system package or component

python39-ply
Operating systems & Components / Operating system package or component

python39-pluggy
Operating systems & Components / Operating system package or component

python39-pip-wheel
Operating systems & Components / Operating system package or component

python39-pip
Operating systems & Components / Operating system package or component

python39-packaging
Operating systems & Components / Operating system package or component

python39-more-itertools
Operating systems & Components / Operating system package or component

python39-iniconfig
Operating systems & Components / Operating system package or component

python39-idna
Operating systems & Components / Operating system package or component

python39-chardet
Operating systems & Components / Operating system package or component

python39-attrs
Operating systems & Components / Operating system package or component

python39-PyMySQL
Operating systems & Components / Operating system package or component

python39-scipy
Operating systems & Components / Operating system package or component

python39-pyyaml
Operating systems & Components / Operating system package or component

python39-pybind11-devel
Operating systems & Components / Operating system package or component

python39-pybind11
Operating systems & Components / Operating system package or component

python39-psycopg2-tests
Operating systems & Components / Operating system package or component

python39-psycopg2-doc
Operating systems & Components / Operating system package or component

python39-psycopg2
Operating systems & Components / Operating system package or component

python39-psutil
Operating systems & Components / Operating system package or component

python39-mod_wsgi
Operating systems & Components / Operating system package or component

python39-lxml
Operating systems & Components / Operating system package or component

python39-cryptography
Operating systems & Components / Operating system package or component

python39-cffi
Operating systems & Components / Operating system package or component

python39-Cython
Operating systems & Components / Operating system package or component

Vendor: OpenAnolis

Security Bulletin

This security bulletin contains one low-risk vulnerability.

1) Deserialization of Untrusted Data

EUVDB-ID: #VU69391

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-42919

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. A local user can execute arbitrary code with the privileges of the user running any forkserver process.

Mitigation

Install updates from the vendor's repository.

Vulnerable software versions

Anolis OS: 8

python39-rpm-macros: before 3.9.7-2.0.1

python39-numpy-doc: before 1.19.4-3.0.1

python39-tkinter: before 3.9.7-2.0.1

python39-test: before 3.9.7-2.0.1

python39-numpy-f2py: before 1.19.4-3.0.1

python39-numpy: before 1.19.4-3.0.1

python39-libs: before 3.9.7-2.0.1

python39-idle: before 3.9.7-2.0.1

python39-devel: before 3.9.7-2.0.1

python39: before 3.9.7-2.0.1

python39-wheel-wheel: before 0.35.1-4

python39-wheel: before 0.35.1-4

python39-wcwidth: before 0.2.5-3

python39-urllib3: before 1.25.10-4

python39-toml: before 0.10.1-5

python39-six: before 1.15.0-3

python39-setuptools-wheel: before 50.3.2-4

python39-setuptools: before 50.3.2-4

python39-requests: before 2.25.0-2

python39-pytest: before 6.0.2-2

python39-pysocks: before 1.7.1-4

python39-pyparsing: before 2.4.7-5

python39-pycparser: before 2.20-3

python39-py: before 1.10.0-1

python39-ply: before 3.11-10

python39-pluggy: before 0.13.1-3

python39-pip-wheel: before 20.2.4-7

python39-pip: before 20.2.4-7

python39-packaging: before 20.4-4

python39-more-itertools: before 8.5.0-2

python39-iniconfig: before 1.1.1-2

python39-idna: before 2.10-3

python39-chardet: before 3.0.4-19

python39-attrs: before 20.3.0-2

python39-PyMySQL: before 0.10.1-2

python39-scipy: before 1.5.4-3

python39-pyyaml: before 5.4.1-1

python39-pybind11-devel: before 2.7.1-1

python39-pybind11: before 2.7.1-1

python39-psycopg2-tests: before 2.8.6-2.0.1

python39-psycopg2-doc: before 2.8.6-2.0.1

python39-psycopg2: before 2.8.6-2.0.1

python39-psutil: before 5.8.0-4.0.1

python39-mod_wsgi: before 4.7.1-4

python39-lxml: before 4.6.5-1

python39-cryptography: before 3.3.1-2

python39-cffi: before 1.14.3-2

python39-Cython: before 0.29.21-5
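
To check a host against the fixed builds listed above, the following added example (not part of the bulletin or of any OpenAnolis tooling) compares installed packages with a subset of that list. It assumes input in "name version-release" form, as printed by rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'; the comparison is a simplified version of rpm's ordering, and the sample input is constructed.

```python
import re
# Fixed builds copied from the bulletin's list above (subset shown here).
FIXED = {
    "python39": "3.9.7-2.0.1",
    "python39-libs": "3.9.7-2.0.1",
    "python39-psutil": "5.8.0-4.0.1",
    "python39-lxml": "4.6.5-1",
}
_SEG = re.compile(r"\d+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified rpm segment comparison (no '~' or '^'): returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as integers
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than an alphabetic one
        if x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra trailing segments are newer

def evr_cmp(a, b):
    """Compare two 'version-release' strings; epochs are assumed absent."""
    va, _, ra = a.rpartition("-")
    vb, _, rb = b.rpartition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def outdated(installed_text):
    """Map package name -> (installed, fixed) for builds older than the bulletin's."""
    hits = {}
    for line in installed_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in FIXED and evr_cmp(parts[1], FIXED[parts[0]]) < 0:
            hits[parts[0]] = (parts[1], FIXED[parts[0]])
    return hits

# Constructed sample in "name version-release" form, not taken from a real host.
SAMPLE = """\
python39 3.9.7-1.0.1
python39-libs 3.9.7-2.0.1
python39-psutil 5.8.0-4.0.2
python39-lxml 4.6.2-3
bash 4.4.20-4
"""

if __name__ == "__main__":
    for name, (have, need) in outdated(SAMPLE).items():
        print(f"{name}: installed {have}, fixed in {need}")
```

A release that carries a distribution suffix after the fixed build string compares as newer, so it is not reported.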

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0810


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker needs authentication credentials and must successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
