CVE-2020-29651
📋 TL;DR
CVE-2020-29651 is a regular-expression denial-of-service (ReDoS) vulnerability in the py library's py.path.svnwc component, affecting py (also packaged as python-py) through 1.9.0. The blame functionality parses the text printed by `svn blame` with a regular expression that backtracks excessively on crafted input, so an attacker who can influence that output can pin a CPU core for as long as the match runs. Applications that use py.path.svnwc to work with Subversion working copies are affected; the issue is confined to that helper and does not involve py's other modules.
💻 Affected Systems
- py (python-py)
📦 What is this software?
Py by Pytest (pytest-dev), packaged by Fedora and Debian as python-py
py is a small utility library from the pytest-dev project that provides cross-Python path, io, ini-parsing and code-introspection helpers. py.path.svnwc wraps a Subversion working copy and shells out to the svn client; its blame() method parses the lines that `svn blame` prints, which is where the vulnerable regular expression runs.
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability: a single crafted blame line can keep one CPU core busy for minutes, and a handful of requests exhaust every worker in a service that runs blame on demand (a code browser, CI step or review tool). If that service is shared, everything behind it stalls.
Likely Case
Temporary service degradation: hung workers, request timeouts and watchdog restarts in applications that call py.path.svnwc.blame(). ReDoS does not corrupt memory or crash the interpreter; the process simply stops making progress until the match finishes or something kills it.
If Mitigated
Minimal impact once py is upgraded to 1.10.0 or later. Short of that, per-request CPU-time limits and a timeout around blame operations bound the damage to one slow request, but they do not remove the underlying quadratic behaviour.
🎯 Exploit Status
Exploitation requires the attacker to influence the output that `svn blame` returns to the library, which in practice means controlling the Subversion server or repository the working copy points at, or the commit metadata it serves. No authentication to the victim application is needed beyond getting it to run blame against attacker-influenced content, and the trigger is a single malformed line.
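The mechanism behind this class of bug, as an added example that is not code from the py project: a blame-line regular expression whose `\d+` and `\S+` quantifiers can both consume digits with only an optional separator between them, next to a pattern with the ambiguity removed and a line-length cap in front of it. Both patterns, the `MAX_BLAME_LINE` cap and the constructed sample output are assumptions made for this illustration; neither regex is quoted from py.path.svnwc.

```python
import re
import time

# Shape of an `svn blame` line: "<revision> <author> <source line>".
#
# Backtracking shape (illustrative, not py's own pattern): `\d+` and `\S+`
# both accept digits and the separator between them is optional, so on a
# long digit run that never reaches the mandatory ' ' the engine tries every
# split of the run between the two groups -> quadratic work before failing.
BACKTRACKING_BLAME = re.compile(r'\s*(\d+)\s*(\S+) (.*)')

# Hardened shape: at least one whitespace character must sit between the
# revision and the author, so the two groups can no longer compete for the
# same characters and a mismatch is found after a linear scan.
LINEAR_BLAME = re.compile(r'\s*(\d+)\s+(\S+) (.*)')

# Defence in depth: real blame lines are short. Assumed cap for this example,
# not a setting of the py library.
MAX_BLAME_LINE = 4096


def parse_blame_line(line, pattern=LINEAR_BLAME):
    """Return (revision, author, text) for one blame line or raise ValueError."""
    if len(line) > MAX_BLAME_LINE:
        raise ValueError("blame line too long: %d chars" % len(line))
    m = pattern.match(line)
    if m is None:
        raise ValueError("unexpected blame line: %r" % line[:60])
    rev, author, text = m.groups()
    return int(rev), author, text


def parse_blame_output(output, pattern=LINEAR_BLAME):
    """Parse a whole `svn blame` dump into a list of (revision, author, text)."""
    return [parse_blame_line(line, pattern) for line in output.splitlines()]


def rejects(line, pattern=LINEAR_BLAME):
    """True when parse_blame_line refuses the line (no match or over the cap)."""
    try:
        parse_blame_line(line, pattern)
    except ValueError:
        return True
    return False


def hostile_line(n):
    """Constructed payload: a bare digit run with no separator, as a malicious
    Subversion server could hand back."""
    return "1" * n


def match_seconds(pattern, line):
    """Wall-clock cost of one match attempt, bypassing the length cap so the
    regex engine's own behaviour is what gets measured."""
    t0 = time.perf_counter()
    pattern.match(line)
    return time.perf_counter() - t0


if __name__ == "__main__":
    # Constructed sample of well-formed blame output.
    sample = "   42   alice   int x = 1;\n   43   bob   return x;\n"
    print(parse_blame_output(sample))
    # Doubling the payload roughly quadruples the backtracking cost while the
    # hardened pattern stays flat.
    for n in (2000, 4000, 8000):
        bad = hostile_line(n)
        print("n=%5d  backtracking=%.4fs  linear=%.6fs" % (
            n, match_seconds(BACKTRACKING_BLAME, bad),
            match_seconds(LINEAR_BLAME, bad)))
```

The cap is there because the caller cannot pre-filter what the svn client prints; it stops the pathological case from ever reaching the regex, and the hardened pattern removes the quadratic path for anything that does.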
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.10.0 and later
Vendor Advisory: https://github.com/pytest-dev/py/security/advisories/GHSA-5h46-5f2v-7q8q
Restart Required: Yes
Instructions:
1. Update the py package (quote the specifier so the shell does not treat `>` as a redirect): pip install --upgrade "py>=1.10.0"
2. Restart any services using the py library
3. Verify the update with: pip show py
🔧 Temporary Workarounds
Disable vulnerable functionality
Disable or restrict use of py.path.svnwc.blame() in applications built on py, or limit it to repositories and Subversion servers you control.
Implement input validation
Bound what reaches the parser: run blame operations in a subprocess or worker with a hard timeout, and reject repositories whose blame output contains abnormally long lines. The library parses svn's output internally, so validation has to happen around the call rather than on arguments to it.
🧯 If You Can't Patch
- Rate-limit blame operations per client so a single source cannot tie up every worker
- Run blame in a worker with a CPU-time limit (for example RLIMIT_CPU or an equivalent process timeout) so a pathological match is killed rather than left running
- Monitor CPU usage and configure automatic restart thresholds for affected services
🔍 How to Verify
Check if Vulnerable:
Check the installed py version: pip show py | grep Version
If the version is 1.9.0 or earlier, the system is vulnerable. Distribution packages (python-py / python3-py on Fedora and Debian) may carry the fix as a backport under an older version string, so for those check the distribution advisory or package changelog rather than relying on the number alone.
Verify Fix Applied:
Confirm the py version is 1.10.0 or later: pip show py | grep Version
Then exercise blame() against a repository you control and confirm that a malformed blame line is rejected quickly instead of pinning a core; the time a single call takes should grow linearly, not quadratically, with the length of the input.
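An added version gate for this advisory, not part of the py project, that checks both the installed package and pinned requirements. It assumes the fix is present from py 1.10.0 onward, as stated above, and the `SAMPLE_FREEZE` text is constructed for the example.

```python
import re
from importlib.metadata import PackageNotFoundError, version

# First fixed release per the advisory.
FIXED_IN = (1, 10, 0)


def parse_version(text):
    """'1.9.0' -> (1, 9, 0). Suffixes such as 'rc1' or '.post1' are dropped,
    so this is a release-number comparison, not full PEP 440 ordering."""
    nums = []
    for part in text.strip().split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def is_vulnerable(version_text):
    """True for any release below 1.10.0. A pre-release of 1.10.0 compares as
    fixed here; treat it as unpatched unless its changelog says otherwise.
    Distro backports can also carry the fix under an older number."""
    return parse_version(version_text) < FIXED_IN


def installed_py_vulnerable():
    """None when py is not installed in this interpreter (nothing to patch)."""
    try:
        return is_vulnerable(version("py"))
    except PackageNotFoundError:
        return None


def vulnerable_pins(freeze_output):
    """Return the lines of `pip freeze` / requirements text that pin py below
    the fixed release. Anchored on 'py==' so 'pyyaml==' and 'pytest==' are
    not mistaken for the py package."""
    hits = []
    for line in freeze_output.splitlines():
        m = re.match(r"\s*py\s*==\s*([0-9][0-9A-Za-z.]*)", line, re.IGNORECASE)
        if m and is_vulnerable(m.group(1)):
            hits.append(line.strip())
    return hits


# Constructed sample of `pip freeze` output for the example.
SAMPLE_FREEZE = """\
pytest==6.1.2
py==1.9.0
pyyaml==5.3.1
"""

if __name__ == "__main__":
    print("installed py vulnerable:", installed_py_vulnerable())
    print("vulnerable pins:", vulnerable_pins(SAMPLE_FREEZE))
```

Run it inside each virtual environment that ships py, and feed it every lock or requirements file in the build; a pin that a CI job installs is just as exploitable as the interpreter you happen to be in.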
📡 Detection & Monitoring
Log Indicators:
- Workers or request handlers pegged at 100% CPU for an extended period with no corresponding I/O
- Timeouts, hung processes or watchdog restarts in code paths that call py.path.svnwc.blame()
- Repeated blame operations that start (the svn subprocess is spawned) but never complete
Network Indicators:
- Subversion traffic to a server or repository the application is not expected to use, or blame requests arriving in bursts from one client
SIEM Query:
source="application_logs" AND ("py.path.svnwc" OR "blame") AND (cpu_usage>90 OR "crash")
🔗 References
- https://github.com/pytest-dev/py/issues/256
- https://github.com/pytest-dev/py/pull/257
- https://github.com/pytest-dev/py/pull/257/commits/4a9017dc6199d2a564b6e4b0aa39d6d8870e4144
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AYWNYEV3FGDHPIHX4DDUDMFZ6NLCQRC4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHDTINIBJZ67T3W74QTBIY5LPKAXEOGR/
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html