Bug 1478916

Summary: [security] Backport ftplib.FTP.putline() fix to reject newlines
Product: Fedora
Component: python3
Version: 26
Reporter: Victor Stinner <vstinner>
Assignee: Charalampos Stratakis <cstratak>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: bkabrda, cstratak, ishcherb, mcyprian, mhroncok, pviktori, python-sig, rkuska, tomspur, torsava
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Type: Bug
Fixed In Version: python3-3.6.2-4.fc26, python3-3.6.2-5.fc26, python3-3.6.2-6.fc27
Clones: 1478955
Last Closed: 2017-08-20 18:28:15 UTC

Description Victor Stinner 2017-08-07 13:37:51 UTC
The ftplib module of Python 3.6.2 doesn't reject newline characters in arguments and so can be abused indirectly in the urllib module to inject arbitrary FTP commands. See https://bugs.python.org/issue30119

I suggest backporting the following fix to Python 3.6 of Fedora 26:
https://github.com/python/cpython/commit/8c2d4cf092c5f0335e7982392a33927579c4d512

Information about the vulnerability:
http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_injection.html
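As an added illustration (not part of the bug report and not CPython's own code), the following Python models the pre-fix and post-fix shape of FTP.putline() side by side: the vulnerable variant appends CRLF and sends the line unchanged, the hardened variant applies the same CR/LF rejection the upstream commit adds. The capturing socket stands in for the real control connection, only the RETR step of urllib's ftp:// handling is mimicked (last path segment percent-decoded), and the host name and file names in the URLs are constructed for the example.

```python
import urllib.parse
from typing import List, Optional

CRLF = "\r\n"


class CapturingSocket:
    """Stand-in for the FTP control socket: records the bytes that would hit the wire."""

    def __init__(self) -> None:
        self.sent = bytearray()

    def sendall(self, data: bytes) -> None:
        self.sent += data


def putline_vulnerable(sock: CapturingSocket, line: str, encoding: str = "latin-1") -> None:
    """Pre-fix shape of FTP.putline(): append CRLF and send the line unchanged.
    An attacker-controlled CRLF inside `line` terminates the current command
    early, and the server parses the remainder as a second command."""
    sock.sendall((line + CRLF).encode(encoding))


def putline_hardened(sock: CapturingSocket, line: str, encoding: str = "latin-1") -> None:
    """Post-fix shape: refuse any CR or LF in the argument before sending.
    Both characters are rejected individually because many servers accept a
    bare LF as a line terminator, so checking only for the CRLF pair would
    leave a gap."""
    if "\r" in line or "\n" in line:
        raise ValueError("an illegal newline character should not be contained")
    sock.sendall((line + CRLF).encode(encoding))


def commands_on_wire(sock: CapturingSocket, encoding: str = "latin-1") -> List[str]:
    """Split the captured stream into commands the way an FTP server reads it."""
    return [cmd for cmd in sock.sent.decode(encoding).split(CRLF) if cmd]


def retr_argument_from_url(url: str) -> str:
    """Mimic how urllib derives the RETR argument from an ftp:// URL (assumption
    for this example): the last path segment is percent-decoded, so %0D%0A in
    the URL becomes a real CRLF in the command argument."""
    path = urllib.parse.urlsplit(url).path
    return urllib.parse.unquote(path.split("/")[-1])


def fetch_via(putline, url: str) -> dict:
    """Run one RETR through the given putline implementation and report what
    reached the socket and whether the call was rejected."""
    sock = CapturingSocket()
    error: Optional[str] = None
    try:
        putline(sock, "RETR " + retr_argument_from_url(url))
    except ValueError as exc:
        error = str(exc)
    return {"commands": commands_on_wire(sock), "error": error}


if __name__ == "__main__":
    # Constructed URLs: the hostile one smuggles a DELE command after %0D%0A.
    hostile = "ftp://ftp.example.test/pub/file.txt%0D%0ADELE%20important.txt"
    benign = "ftp://ftp.example.test/pub/file.txt"
    for name, url in (("benign", benign), ("hostile", hostile)):
        print(name, "vulnerable:", fetch_via(putline_vulnerable, url))
        print(name, "hardened:  ", fetch_via(putline_hardened, url))
```

With the hostile URL, the vulnerable variant puts two commands on the wire (`RETR file.txt` followed by `DELE important.txt`) while the hardened variant sends nothing and raises ValueError; the benign URL behaves identically under both. Because every ftplib command (sendcmd, cwd, retrbinary, and so on) is written through putline, a check at this single point covers all callers, which is why the upstream fix lives there rather than in urllib.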

Comment 1 Miro Hrončok 2017-08-07 13:41:05 UTC
Python 3.6 of Fedora 26 is a different package. However, python36 would probably benefit from such a backport as well.

Comment 2 Fedora Update System 2017-08-08 09:04:06 UTC
python3-3.6.2-4.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-203f6f4a61

Comment 3 Fedora Update System 2017-08-13 04:02:45 UTC
python3-3.6.2-4.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-203f6f4a61

Comment 4 Fedora Update System 2017-08-15 11:38:56 UTC
python-setuptools-36.2.0-2.fc26, python3-3.6.2-5.fc26 have been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-be5c1b152f

Comment 5 Fedora Update System 2017-08-16 00:53:50 UTC
python-setuptools-36.2.0-2.fc26, python3-3.6.2-5.fc26 have been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-be5c1b152f

Comment 6 Fedora Update System 2017-08-20 18:28:15 UTC
python-setuptools-36.2.0-2.fc26, python3-3.6.2-5.fc26 have been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.