Bug 1688169 (CVE-2019-9740)

Summary: CVE-2019-9740 python: CRLF injection via the query part of the url passed to urlopen()
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abergmann, aurelien, bkabrda, carl, cstratak, dmalcolm, hhorak, hvyas, infra-sig, jeremy, jorton, kevin, mcyprian, meissner, mhroncok, pviktori, python-maint, python-sig, rkuska, shcherbina.iryna, TicoTimo, tomspur, torsava
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:50:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1688170, 1688657, 1692983, 1692984, 1703458, 1704362, 1704364, 1704365, 1704366, 1704367, 1704368, 1704369, 1704370, 1704371, 1704372, 1706849, 1706850, 1706851, 1706852, 1706853, 1706854, 1706855, 1709391, 1709407, 1802736, 1802737, 1802738, 1802739, 1802740, 1802741    
Bug Blocks: 1688174    

Description Dhananjay Arunesh 2019-03-13 10:20:06 UTC 
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n followed by an HTTP header or a Redis command.

Reference:
https://bugs.python.org/issue36276
Comment 1 Dhananjay Arunesh 2019-03-13 10:20:35 UTC 
Created python-urllib3 tracking bugs for this issue:

Affects: fedora-all [bug 1688170]
Comment 2 Hardik Vyas 2019-03-14 07:38:07 UTC 
[Deleted]
Comment 7 Riccardo Schirone 2019-04-05 15:19:45 UTC 
> Reference:
> https://bugs.python.org/issue36276

This has been marked as duplicate of https://bugs.python.org/issue30458
Comment 10 Hardik Vyas 2019-04-26 14:01:09 UTC 
Statement:

This issue affects:
* All current versions of Red Hat OpenStack Platform. However, version 8 is due to retire on the 20th of April 2019, there are no more planned releases prior to this date.
Comment 15 Riccardo Schirone 2019-05-06 11:57:43 UTC 
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1706851]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1706855]
Affects: fedora-all [bug 1706852]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1706853]


Created python36 tracking bugs for this issue:

Affects: epel-7 [bug 1706854]
Affects: fedora-29 [bug 1706850]


Created python37 tracking bugs for this issue:

Affects: fedora-28 [bug 1706849]
Comment 16 Riccardo Schirone 2019-05-06 12:00:11 UTC 
Upstream patch PR (merged upstream):
https://github.com/python/cpython/pull/12755
Comment 18 errata-xmlrpc 2019-05-22 12:01:51 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1260 https://access.redhat.com/errata/RHSA-2019:1260
Comment 19 Riccardo Schirone 2019-07-05 07:50:52 UTC 
This flaw is about CLRF sequences that are not properly handled in python built-in modules urllib/urllib2 in the *query* part of the url parameter of urlopen() function.
Comment 20 Riccardo Schirone 2019-07-10 08:30:35 UTC 
Reference:
https://python-security.readthedocs.io/vuln/http-header-injection2.html

Upstream patch commits:
https://github.com/python/cpython/commit/c4e671eec20dfcb29b18596a89ef075f826c9f96 [master]
https://github.com/python/cpython/commit/b7378d77289c911ca6a0c0afaf513879002df7d5 [master]
https://github.com/python/cpython/commit/bb8071a4cae5ab3fe321481dd3d73662ffb26052 [python-2.7]
Comment 21 errata-xmlrpc 2019-08-06 12:04:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2030 https://access.redhat.com/errata/RHSA-2019:2030
Comment 23 errata-xmlrpc 2019-11-05 20:37:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3335 https://access.redhat.com/errata/RHSA-2019:3335
Comment 24 errata-xmlrpc 2019-11-05 21:06:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3520 https://access.redhat.com/errata/RHSA-2019:3520
Comment 25 errata-xmlrpc 2019-11-06 09:45:20 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:3725 https://access.redhat.com/errata/RHSA-2019:3725
Comment 27 errata-xmlrpc 2020-04-01 08:34:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2020:1268 https://access.redhat.com/errata/RHSA-2020:1268
Comment 28 errata-xmlrpc 2020-04-07 09:33:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions

Via RHSA-2020:1346 https://access.redhat.com/errata/RHSA-2020:1346
Comment 29 errata-xmlrpc 2020-04-14 17:39:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:1462 https://access.redhat.com/errata/RHSA-2020:1462