CVE-2023-41105: 
NixOS vulnerability analysis and mitigation

CVE-2023-41105 is a vulnerability discovered in Python 3.11 through 3.11.4 affecting the os.path.normpath() function. The vulnerability was identified on June 29, 2023, and publicly disclosed on August 24, 2023. When a path containing null bytes ('\0') is passed to os.path.normpath(), the path is unexpectedly truncated at the first null byte, which differs from the behavior in Python 3.10.x and earlier versions (Python Security).

The vulnerability stems from a behavioral change in the path normalization function where paths containing null bytes are handled differently in Python 3.11.x compared to previous versions. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating high integrity impact with network vector access (NVD).

The vulnerability could lead to security bypass scenarios where an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x. If allowlisting is applied before a call to os.path.normpath() is used later in the program, the allowlisting can be circumvented if the path containing null bytes is constructed to pass the allowlist but then change to the targeted resource after truncation (Python Security).

Several mitigation options are available: upgrade to Python 3.12.0rc2 or 3.11.5, apply the security patches available for supported feature and security branches of Python, or perform all path normalization before making security-critical decisions like allowlisting to avoid truncation impact. Patches have been made available for the main branch (0cb0c238d520), 3.12 branch (256586ab8776), and 3.11 branch (75a875e0df05) (Python Security).