Passing a path containing null bytes to the os.path.normpath()
function causes the returned path to be unexpectedly truncated at the first null byte within the path. Python versions before 3.11.0 did not truncate the path on null bytes.
If an allowlist check is applied to a path before os.path.normpath()
is called on that path later in the program, the check can be circumvented: a path containing null bytes can be constructed so that it passes the allowlist but, after truncation, refers to the targeted resource.
{ "vanir_signatures": [ { "signature_version": "v1", "source": "https://github.com/python/cpython/commit/ccf81e1088c25a9f4464e478dc3b5c03ed7ee63b", "signature_type": "Function", "target": { "function": "_Py_normpath", "file": "Python/fileutils.c" }, "deprecated": false, "digest": { "length": 2129.0, "function_hash": "123869515671459921177400607799595033940" }, "id": "PSF-2023-9-076090bb" }, { "signature_version": "v1", "source": "https://github.com/python/cpython/commit/ccf81e1088c25a9f4464e478dc3b5c03ed7ee63b", "signature_type": "Line", "target": { "file": "Include/internal/pycore_fileutils.h" }, "deprecated": false, "digest": { "line_hashes": [ "94589339907483270990756216343485520979", "239109364274517535556801654897340762288", "25259274544635127037191737442793627850", "41994846448406476700968065517759066304" ], "threshold": 0.9 }, "id": "PSF-2023-9-1ffc221e" }, { "signature_version": "v1", "source": "https://github.com/python/cpython/commit/ccf81e1088c25a9f4464e478dc3b5c03ed7ee63b", "signature_type": "Line", "target": { "file": "Python/fileutils.c" }, "deprecated": false, "digest": { "line_hashes": [ "515148417458665457263374257619273447", "19371280750229506485107378446168952474", "63046692906348131046675442347003957626", "215753089571476627995870181355635484982", "304450275394942061861108559626134933924", "8994475785571641351648437497467682971", "16995322741479286873233816074794672088", "284756091124989970253967435267330108934", "311231984123438375197142000931147675769", "79186272173981669835304626424176279522", "46738853502514971466229884153816193017", "214665895075825148011242466416260095251", "206247705876744498795309970312716893550", "192794633737789964149579070490101002084", "253887757769686010130602909114392587154", "30531456649813298176674000064815646378", "257435601088827868772632734188655791174", "232426917140610754871480411384048317868", "123408376135115101231458896114255239547", "244261517653655836966656979418506454210", 
"82139791554894907472576626429009198875", "305916699876573468835897660132915006530", "69986712519756540737872952414501548491", "114310545570999918044504109639108240161", "146165712154041847941819600485087497720", "294447358412442358039172598311523341683" ], "threshold": 0.9 }, "id": "PSF-2023-9-36e7260f" }, { "signature_version": "v1", "source": "https://github.com/python/cpython/commit/09322724319d4c23195300b222a1c0ea720af56b", "signature_type": "Function", "target": { "function": "_Py_normpath", "file": "Python/fileutils.c" }, "deprecated": false, "digest": { "length": 2129.0, "function_hash": "123869515671459921177400607799595033940" }, "id": "PSF-2023-9-4c6e336c" }, { "signature_version": "v1", "source": "https://github.com/python/cpython/commit/ede98958810b76694cf756d305b564cd6adc1a48", "signature_type": "Function", "target": { "function": "_Py_normpath", "file": "Python/fileutils.c" }, "deprecated": false, "digest": { "length": 2129.0, "function_hash": "123869515671459921177400607799595033940" }, "id": "PSF-2023-9-721fe33b" }, { "signature_version": "v1", "source": "https://github.com/python/cpython/commit/ede98958810b76694cf756d305b564cd6adc1a48", "signature_type": "Line", "target": { "file": "Python/fileutils.c" }, "deprecated": false, "digest": { "line_hashes": [ "515148417458665457263374257619273447", "19371280750229506485107378446168952474", "63046692906348131046675442347003957626", "215753089571476627995870181355635484982", "304450275394942061861108559626134933924", "8994475785571641351648437497467682971", "16995322741479286873233816074794672088", "284756091124989970253967435267330108934", "311231984123438375197142000931147675769", "79186272173981669835304626424176279522", "46738853502514971466229884153816193017", "214665895075825148011242466416260095251", "206247705876744498795309970312716893550", "192794633737789964149579070490101002084", "253887757769686010130602909114392587154", "30531456649813298176674000064815646378", 
"257435601088827868772632734188655791174", "232426917140610754871480411384048317868", "123408376135115101231458896114255239547", "244261517653655836966656979418506454210", "82139791554894907472576626429009198875", "305916699876573468835897660132915006530", "69986712519756540737872952414501548491", "114310545570999918044504109639108240161", "146165712154041847941819600485087497720", "294447358412442358039172598311523341683" ], "threshold": 0.9 }, "id": "PSF-2023-9-7a3a5678" }, { "signature_version": "v1", "source": "https://github.com/python/cpython/commit/ccf81e1088c25a9f4464e478dc3b5c03ed7ee63b", "signature_type": "Line", "target": { "file": "Modules/posixmodule.c" }, "deprecated": false, "digest": { "line_hashes": [ "98606404312462299377254141299941899187", "38855887028671729556643722732300986147", "46259203773174362429382359868322128138", "47872892090071878361921810286731350536" ], "threshold": 0.9 }, "id": "PSF-2023-9-8eb0884a" }, { "signature_version": "v1", "source": "https://github.com/python/cpython/commit/09322724319d4c23195300b222a1c0ea720af56b", "signature_type": "Line", "target": { "file": "Include/internal/pycore_fileutils.h" }, "deprecated": false, "digest": { "line_hashes": [ "94589339907483270990756216343485520979", "292599872198470183948840414699213225775", "219743046610614162110260262734717863543", "17152971081213676352576152769838112481" ], "threshold": 0.9 }, "id": "PSF-2023-9-9943d75f" }, { "signature_version": "v1", "source": "https://github.com/python/cpython/commit/09322724319d4c23195300b222a1c0ea720af56b", "signature_type": "Line", "target": { "file": "Python/fileutils.c" }, "deprecated": false, "digest": { "line_hashes": [ "515148417458665457263374257619273447", "19371280750229506485107378446168952474", "63046692906348131046675442347003957626", "215753089571476627995870181355635484982", "304450275394942061861108559626134933924", "8994475785571641351648437497467682971", "16995322741479286873233816074794672088", 
"284756091124989970253967435267330108934", "311231984123438375197142000931147675769", "79186272173981669835304626424176279522", "46738853502514971466229884153816193017", "214665895075825148011242466416260095251", "206247705876744498795309970312716893550", "192794633737789964149579070490101002084", "253887757769686010130602909114392587154", "30531456649813298176674000064815646378", "257435601088827868772632734188655791174", "232426917140610754871480411384048317868", "123408376135115101231458896114255239547", "244261517653655836966656979418506454210", "82139791554894907472576626429009198875", "305916699876573468835897660132915006530", "69986712519756540737872952414501548491", "114310545570999918044504109639108240161", "146165712154041847941819600485087497720", "294447358412442358039172598311523341683" ], "threshold": 0.9 }, "id": "PSF-2023-9-a7fb5367" }, { "signature_version": "v1", "source": "https://github.com/python/cpython/commit/ccf81e1088c25a9f4464e478dc3b5c03ed7ee63b", "signature_type": "Function", "target": { "function": "os__path_normpath_impl", "file": "Modules/posixmodule.c" }, "deprecated": false, "digest": { "length": 379.0, "function_hash": "29533358781224774915024736303119647952" }, "id": "PSF-2023-9-c6c907c0" }, { "signature_version": "v1", "source": "https://github.com/python/cpython/commit/ede98958810b76694cf756d305b564cd6adc1a48", "signature_type": "Line", "target": { "file": "Include/internal/pycore_fileutils.h" }, "deprecated": false, "digest": { "line_hashes": [ "94589339907483270990756216343485520979", "292599872198470183948840414699213225775", "219743046610614162110260262734717863543", "17152971081213676352576152769838112481" ], "threshold": 0.9 }, "id": "PSF-2023-9-c74a7516" }, { "signature_version": "v1", "source": "https://github.com/python/cpython/commit/ede98958810b76694cf756d305b564cd6adc1a48", "signature_type": "Function", "target": { "function": "os__path_normpath_impl", "file": "Modules/posixmodule.c" }, "deprecated": false, "digest": 
{ "length": 379.0, "function_hash": "29533358781224774915024736303119647952" }, "id": "PSF-2023-9-c93bc77f" }, { "signature_version": "v1", "source": "https://github.com/python/cpython/commit/ede98958810b76694cf756d305b564cd6adc1a48", "signature_type": "Line", "target": { "file": "Modules/posixmodule.c" }, "deprecated": false, "digest": { "line_hashes": [ "98606404312462299377254141299941899187", "38855887028671729556643722732300986147", "46259203773174362429382359868322128138", "47872892090071878361921810286731350536" ], "threshold": 0.9 }, "id": "PSF-2023-9-e4d7cc37" }, { "signature_version": "v1", "source": "https://github.com/python/cpython/commit/09322724319d4c23195300b222a1c0ea720af56b", "signature_type": "Function", "target": { "function": "os__path_normpath_impl", "file": "Modules/posixmodule.c" }, "deprecated": false, "digest": { "length": 379.0, "function_hash": "29533358781224774915024736303119647952" }, "id": "PSF-2023-9-e989f9e3" }, { "signature_version": "v1", "source": "https://github.com/python/cpython/commit/09322724319d4c23195300b222a1c0ea720af56b", "signature_type": "Line", "target": { "file": "Modules/posixmodule.c" }, "deprecated": false, "digest": { "line_hashes": [ "98606404312462299377254141299941899187", "38855887028671729556643722732300986147", "46259203773174362429382359868322128138", "47872892090071878361921810286731350536" ], "threshold": 0.9 }, "id": "PSF-2023-9-e9dfdb0d" } ] }