CVE-2022-42919: 
NixOS vulnerability analysis and mitigation

The Python multiprocessing library vulnerability (CVE-2022-42919) was discovered by Devin Jeanpierre of Google and affects Python versions 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux systems. The vulnerability exists when using the forkserver start method, which is not the default configuration. This Linux-specific issue was disclosed in September 2022 (Python Issue).

The vulnerability occurs when the Python multiprocessing library is used with the forkserver start method on Linux. The issue allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Since pickles can execute arbitrary code, this creates a security risk. The vulnerability has a CVSS score of 7.8 (High) with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

Successful exploitation of this vulnerability could lead to local privilege escalation, allowing attackers to execute arbitrary code with the privileges of the user running the forkserver process. This could result in disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) (NetApp Security).

A workaround is available by setting multiprocessing.util.abstractsocketssupported to False before any multiprocessing usage. Alternatively, applications can switch from using the forkserver start method to using the 'spawn' start method. The permanent fix involves updating to Python versions 3.9.16, 3.10.9, or later which remove the default preference for abstract sockets (Python Issue).

Multiple Linux distributions and software vendors responded to this vulnerability by releasing security updates. Ubuntu, Fedora, and other distributions pushed security patches to address the issue. The vulnerability was considered significant enough to warrant immediate attention from major platform providers (Ubuntu Security).