
gh-42400: Fix buffer overflow in _Py_wrealpath for long paths #141529

Merged
vstinner merged 8 commits into python:main from ashm-dev:fix/cve-realpath
Nov 18, 2025

Conversation

@ashm-dev (Contributor) commented Nov 13, 2025

Fixes buffer overflow (CVE-2006-1542) in _Py_wrealpath() when handling paths longer than MAXPATHLEN (4096 bytes).

Changed realpath(path, buffer) to realpath(path, NULL) for dynamic allocation.

Closes #42400

Allow platforms where realpath returns different canonical paths (e.g.
Android). Verify resolution with os.samefile and fall back to a length
check if samefile is unavailable.
@ashm-dev (Contributor, Author):

I don't think the errors in the UBSAN test are related to this fix, as they occur for a completely different reason and generally in import tests.

@ashm-dev (Contributor, Author):

@vstinner Could you please review this PR?

Review comment threads (outdated): Misc/NEWS.d/next/Security/2025-11-13-22-31-56.gh-issue-42400.pqB5Kq.rst, Lib/test/test_fileutils.py
@ashm-dev ashm-dev requested a review from vstinner November 14, 2025 11:08
@vstinner (Member):

I updated the PR to retrieve the fix for the UBSan CI.

@vstinner vstinner added the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Nov 17, 2025
@bedevere-bot:

🤖 New build scheduled with the buildbot fleet by @vstinner for commit f882e26 🤖

Results will be shown at:

https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F141529%2Fmerge

If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again.

@bedevere-bot bedevere-bot removed the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Nov 17, 2025
@vstinner (Member):

realpath(path, NULL) seems to be a recent feature. Let me check on buildbots if it's supported by all platforms supported by Python.

@vstinner vstinner merged commit daafacf into python:main Nov 18, 2025
112 of 118 checks passed
@vstinner (Member):

Change merged, thanks.

The change passed on our fleet of stable buildbots.

Even if the change was documented in the Security category, I don't think that it's worth it to backport it to stable branches (yet). I'm afraid of breaking the Python build on some weird platforms where realpath(path, NULL) is not supported. So I prefer to make the change only in the main branch for now.

@ashm-dev ashm-dev deleted the fix/cve-realpath branch November 18, 2025 17:35
StanFromIreland pushed a commit to StanFromIreland/cpython that referenced this pull request Dec 6, 2025
…paths (python#141529)

Co-authored-by: Victor Stinner <vstinner@python.org>

Linked issue (may be closed by merging this pull request): Avoid using unsafe realpath