Bug 1303699 (CVE-2016-5699)

Summary: CVE-2016-5699 python: http protocol stream injection attack
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: anemec, ashankar, cbuissar, cheimes, codonell, cstratak, fweimer, jorton, katzj, kevin, mcyprian, mhroncok, mmaslano, mnewsome, pfrankli, pviktori, python-sig, sardella, security-response-team, slawomir, tomspur, torsava
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
It was found that Python's httplib library (used by urllib, urllib2 and others) did not properly check HTTPConnection.putheader() function arguments. An attacker could use this flaw to inject additional headers in a Python application that allowed user-provided header names or values.
Story Points: ---
Last Closed: 2016-08-18 20:55:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1331391, 1331392, 1331393, 1346354, 1346355, 1346356, 1346357, 1346358, 1346359, 1346360, 1346361, 1348982, 1351685, 1351687, 1351691, 1351692, 1351694
Bug Blocks: 1303701

Description Adam Mariš 2016-02-01 17:02:48 UTC
A vulnerability in Python's http, ftp and url libraries was reported, allowing injection of additional HTTP headers and more.

* Upstream bug:
https://bugs.python.org/issue22928

* Upstream patches
Python 3.4 / 3.5 : revision 94952 : https://hg.python.org/cpython/rev/bf3e1c9b80e9
Python 2.7 : revision 94951 : https://hg.python.org/cpython/rev/1c45047c5102

Additional note:
When used in combination with the flaw described in BZ 1347549, an attacker could direct an HTTP connection to a malicious server, using the following combined issues:

* Python's httplib does not validate HTTP header values. A malicious 'Host' header with quoted new lines can inject additional headers and more
* glibc's getaddrinfo() ignores new lines and everything after a new line character when the first part looks like an IPv4 address

See the following blog post for additional information:
http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
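
The guard below is an added illustration, not code from this bug report, from the CPython patches linked above, or from the blog post. It shows the application-side check that closes the hole the description talks about: a header name must be a single HTTP token, and a header value may not contain a CR or LF, because a bare line break inside a value is exactly what lets user input terminate the current header and start new ones on the wire. The `check_header`, `sanitize_headers` and `patched_putheader_rejects` names, the `example.invalid` placeholder host and the `SAMPLE_HEADERS` dictionary are all assumptions constructed for the example. The last function also shows how to confirm, with no network traffic, that the interpreter you run carries the upstream fix (its `putheader()` raises `ValueError` on such a value).

```python
"""Header-injection guard for CVE-2016-5699 style input (added example).

Not code from the CPython project or from this bug report. The checks are
deliberately stricter than what the stdlib fix enforces: any CR, LF or NUL
in a value is rejected outright, obsolete line folding included.
"""
import http.client
import re

# RFC 7230 "token" characters: the only thing a header field name may contain.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Any CR, LF or NUL in a value can end the header line on the wire.
_FORBIDDEN_VALUE_CHARS = ("\r", "\n", "\x00")


class HeaderInjection(ValueError):
    """Raised when a header name or value would alter the HTTP framing."""


def check_header(name, value):
    """Validate one header and return (name, value); raise HeaderInjection otherwise."""
    if not isinstance(name, str) or not _TOKEN_RE.match(name):
        raise HeaderInjection("illegal header name %r" % (name,))
    if not isinstance(value, str) or any(c in value for c in _FORBIDDEN_VALUE_CHARS):
        raise HeaderInjection("illegal header value %r" % (value,))
    return name, value


def sanitize_headers(user_headers):
    """Split user-supplied headers into an accepted dict and a rejected list.

    The rejected list carries (name, reason) pairs so the application can log
    them; the accepted dict is safe to hand to HTTPConnection.putheader().
    """
    accepted, rejected = {}, []
    for name, value in user_headers.items():
        try:
            ok_name, ok_value = check_header(name, value)
        except HeaderInjection as exc:
            rejected.append((name, str(exc)))
        else:
            accepted[ok_name] = ok_value
    return accepted, rejected


def patched_putheader_rejects(name, value):
    """Return True if this interpreter's http.client refuses the header.

    putrequest()/putheader() only buffer the request; no socket is opened,
    so the placeholder host is never contacted.
    """
    conn = http.client.HTTPConnection("example.invalid")  # placeholder host
    try:
        conn.putrequest("GET", "/", skip_host=True)
        conn.putheader(name, value)
    except ValueError:
        return True
    finally:
        conn.close()
    return False


# Constructed sample of "user-provided" headers, as a vulnerable application
# might forward them: two ordinary entries and one carrying a CRLF-separated
# extra header in its value.
SAMPLE_HEADERS = {
    "Host": "127.0.0.1",
    "X-Request-Id": "abc123",
    "X-Note": "ok\r\nX-Injected: 1",
}


if __name__ == "__main__":
    accepted, rejected = sanitize_headers(SAMPLE_HEADERS)
    print("accepted:", accepted)
    print("rejected:", rejected)
    print("stdlib rejects CRLF value:",
          patched_putheader_rejects("Host", "127.0.0.1\r\nX-Injected: 1"))
```

Run it as a script to see the sample split into accepted and rejected headers; on an interpreter with the upstream fix the last line prints `True`, on an unfixed 2.7/3.4/3.5 build it prints `False`, which is a cheap way to check a deployment without sending a request anywhere.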

Comment 6 Martin Prpič 2016-04-28 12:37:16 UTC
Created python tracking bugs for this issue:

Affects: fedora-all [bug 1331391]

Comment 7 Martin Prpič 2016-04-28 12:37:24 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1331390]

Comment 8 Martin Prpič 2016-04-28 12:37:30 UTC
Created python26 tracking bugs for this issue:

Affects: epel-5 [bug 1331393]

Comment 9 Martin Prpič 2016-04-28 12:37:37 UTC
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1331392]

Comment 11 Cedric Buissart 2016-05-17 15:05:01 UTC
For the moment, setting glibc as wontfix as per comment 4.

Comment 12 Cedric Buissart 2016-05-23 15:47:20 UTC
Python upstream fix for branch 2.7:
https://hg.python.org/cpython/rev/1c45047c5102

Comment 18 Andrej Nemec 2016-06-17 06:49:11 UTC
CVE assignment:

http://seclists.org/oss-sec/2016/q2/561

MITRE has assigned this CVE for the Python part of this vulnerability as noted in the CVE assignment post.

Comment 20 Cedric Buissart 2016-06-22 12:25:42 UTC
Created python34 tracking bugs for this issue:

Affects: epel-7 [bug 1348973]

Comment 21 Cedric Buissart 2016-06-22 12:44:08 UTC
Created python34 tracking bugs for this issue:

Affects: epel-7 [bug 1348982]

Comment 22 Miro Hrončok 2016-06-30 12:41:41 UTC
Also affects pypy3 in Fedora

Comment 23 Cedric Buissart 2016-06-30 14:53:35 UTC
Created pypy tracking bugs for this issue:

Affects: fedora-all [bug 1351685]

Comment 24 Cedric Buissart 2016-06-30 14:53:53 UTC
Created pypy3 tracking bugs for this issue:

Affects: fedora-all [bug 1351687]

Comment 25 Cedric Buissart 2016-06-30 15:02:44 UTC
Created pypy tracking bugs for this issue:

Affects: epel-5 [bug 1351691]
Affects: epel-6 [bug 1351692]
Affects: epel-7 [bug 1351694]

Comment 26 Fedora Update System 2016-07-05 04:54:43 UTC
pypy3-2.4.0-6.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 27 Fedora Update System 2016-07-05 08:24:23 UTC
python3-3.4.3-9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 28 Fedora Update System 2016-07-12 02:20:45 UTC
pypy3-2.4.0-3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 29 Fedora Update System 2016-07-12 02:24:40 UTC
pypy3-2.4.0-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 30 Fedora Update System 2016-07-30 18:20:38 UTC
python34-3.4.3-5.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 31 errata-xmlrpc 2016-08-18 18:04:23 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS

Via RHSA-2016:1627 https://rhn.redhat.com/errata/RHSA-2016-1627.html

Comment 32 errata-xmlrpc 2016-08-18 18:40:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2016:1626 https://rhn.redhat.com/errata/RHSA-2016-1626.html

Comment 33 errata-xmlrpc 2016-08-18 20:08:44 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2016:1628 https://rhn.redhat.com/errata/RHSA-2016-1628.html

Comment 34 errata-xmlrpc 2016-08-18 20:29:40 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2016:1630 https://rhn.redhat.com/errata/RHSA-2016-1630.html

Comment 35 errata-xmlrpc 2016-08-18 20:30:57 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2016:1629 https://rhn.redhat.com/errata/RHSA-2016-1629.html