[ Reason ]
sentry-python is affected by CVE-2024-40647 (Bug#1083189).
The subprocess integration incorrectly treats an explicitly empty environment
(env={}) as if no environment had been provided. As a result, when Sentry
injects tracing environment variables into a subprocess call, it can copy the
parent process environment into the child process instead of preserving
the explicitly empty environment.
This issue is marked no-dsa in the security tracker so this update is intended
for the next bookworm point release rather than security.debian.org.
[ Impact ]
Applications using sentry-python's subprocess integration may expose the parent
process's environment variables to child processes when they call
subprocess.Popen() or a related helper with env={}. Depending on the application,
that environment may contain sensitive values such as tokens or credentials.
If this update is not approved, bookworm will remain affected by CVE-2024-40647.
[ Tests ]
The upstream regression test for this issue is included in the patch. It checks
that a subprocess started with env={} does not include any variables from the
parent process environment.
The package was rebuilt successfully in a clean bookworm environment. The
cherry-picked patch from upstream also includes a minimal test-suite for
the new behaviour.
[ Risks ]
The added patch is both small and targeted. It changes the fallback condition
from truthiness checking to an explicit None check:
dict(x or os.environ)
becomes:
dict(x if x is not None else os.environ)
This preserves the previous behaviour when no env argument is provided while
correctly allowing explicitly empty environments.
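The following Python snippet is an added illustration, not code from the upstream patch or the Debian package. It models the two fallback expressions quoted above side by side and adds a regression-style check of the kind described in [ Tests ]: build the environment the integration would hand to Popen and list which parent variables reach the child. The tracing variable name and the parent environment are constructed placeholders, and the helper names are this example's own.

```python
"""Model of the CVE-2024-40647 env={} fallback bug and its fix (added example)."""
import os
import subprocess
import sys

# Constructed stand-in for the tracing variable(s) the integration adds to the
# child environment; the real key names are not reproduced here.
TRACING_VARS = {"EXAMPLE_SENTRY_TRACE": "constructed-trace-id"}

# Constructed parent environment holding a secret, so the leak is visible
# without depending on the real os.environ of whoever runs this.
PARENT_ENV = {"PATH": "/usr/bin", "API_TOKEN": "constructed-secret"}


def resolve_env_buggy(env, parent=None):
    """Pre-fix fallback: `x or os.environ` treats env={} exactly like env=None."""
    parent = os.environ if parent is None else parent
    return dict(env or parent)


def resolve_env_fixed(env, parent=None):
    """Post-fix fallback: only env=None falls back to the parent environment."""
    parent = os.environ if parent is None else parent
    return dict(env if env is not None else parent)


def build_child_env(env, resolver, parent=None):
    """What the integration would hand to Popen: resolved env plus tracing vars."""
    child_env = resolver(env, parent)
    child_env.update(TRACING_VARS)
    return child_env


def leaked_parent_keys(child_keys, parent):
    """Parent keys that reached the child, ignoring the tracing keys we add."""
    return sorted((set(child_keys) & set(parent)) - set(TRACING_VARS))


def child_sees_parent_vars(env, resolver):
    """Regression-style check against a real subprocess: start the current
    interpreter with the env the integration would pass (using the real
    os.environ as parent) and return the parent keys the child reports.
    An empty list means nothing leaked."""
    child_env = build_child_env(env, resolver)
    out = subprocess.run(
        [sys.executable, "-c", "import os; print('\\n'.join(sorted(os.environ)))"],
        env=child_env, capture_output=True, text=True, check=True,
    ).stdout.split()
    # On C-locale systems CPython may set LC_CTYPE in its own environment
    # (PEP 538); that is interpreter behaviour, not a leak from the parent.
    return [k for k in leaked_parent_keys(out, os.environ) if k != "LC_CTYPE"]


if __name__ == "__main__":
    for name, resolver in (("buggy", resolve_env_buggy), ("fixed", resolve_env_fixed)):
        modelled = leaked_parent_keys(build_child_env({}, resolver, PARENT_ENV), PARENT_ENV)
        print(f"{name}: modelled env={{}} leaks {modelled}")
        print(f"{name}: real subprocess with env={{}} sees {child_sees_parent_vars({}, resolver)}")
```

Running it shows the buggy resolver copying API_TOKEN and PATH into the child for env={}, while the fixed resolver passes only the injected tracing variable; env=None behaves identically under both, which is the "previous behaviour preserved" property claimed above.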
The regression risk is low. The changed code only affects subprocess
environment handling in the Sentry stdlib integration.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* Backport upstream patch for CVE-2024-40647: https://github.com/getsentry/sentry-python/commit/763e40aa4cb57ecced467f48f78f335c87e9bdff
- Preserve explicitly empty subprocess environments.
- Only fall back to os.environ when the env argument is None.
- Include the upstream regression test.
[ Other info ]
CVE-2024-40647 is marked no-dsa in the Debian security tracker.