Bug 1688543 (CVE-2019-9636)
| Field | Value |
|---|---|
| Summary | CVE-2019-9636 python: Information Disclosure due to urlsplit improper NFKC normalization |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | python 3.5.7, python 3.7.3 |
| Doc Type | If docs needed, set a value |
| Reporter | Laura Pardo <lpardo> |
| Assignee | Red Hat Product Security <security-response-team> |
| Keywords | Security |
| CC | adeshpan, apmukher, bmcclain, carl, cperry, cstratak, dblechte, dfediuck, dmalcolm, eedri, hhorak, jorton, jpadman, kevin, kyoneyam, mcyprian, mgoldboi, mhroncok, michal.skrivanek, pviktori, python-maint, python-sig, rkuska, sbonazzo, security-response-team, shcherbina.iryna, sherold, TicoTimo, tomspur, torsava, twalsh, yozone, yturgema |
| Story Points | --- |
| Last Closed | 2019-06-10 10:50:46 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1688544, 1688545, 1688546, 1688547, 1688549, 1688550, 1688552, 1689316, 1689317, 1689318, 1689319, 1689320, 1689321, 1689322, 1689323, 1689324, 1689325, 1689326, 1689327, 1689328, 1693973, 1693974, 1693975, 1694514, 1694515, 1694516, 1694517, 1696755, 1716744, 1744471, 1744472 |
| Bug Blocks | 1688554 |

Doc Text:

It was discovered that Python's urllib.parse.urlsplit and urllib.parse.urlparse functions do not properly handle URLs encoded with Punycode/Internationalizing Domain Names in Applications (IDNA), which may result in a wrong domain name (specifically the netloc component of the URL, user@domain:port) being returned by those functions. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kinds of information, an attacker could provide specially crafted URLs that cause the application to look up host-related information (e.g. cookies, authentication data) and send it to a different host than the one it would have been sent to had the URL been parsed correctly. The result of an attack may vary based on the application.
Description
Laura Pardo
2019-03-13 23:14:41 UTC
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1688546]

Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1688552]
Affects: fedora-all [bug 1688549]

Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1688550]

Created python36 tracking bugs for this issue:

Affects: epel-7 [bug 1688547]
Affects: fedora-29 [bug 1688544]

Created python37 tracking bugs for this issue:

Affects: fedora-28 [bug 1688545]

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0710 https://access.redhat.com/errata/RHSA-2019:0710

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:0765 https://access.redhat.com/errata/RHSA-2019:0765

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:0806 https://access.redhat.com/errata/RHSA-2019:0806

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:0902 https://access.redhat.com/errata/RHSA-2019:0902

The CVE fix we pushed unfortunately introduced a regression, fixed by https://bugs.python.org/issue36742

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:0981 https://access.redhat.com/errata/RHSA-2019:0981

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:0997 https://access.redhat.com/errata/RHSA-2019:0997

This flaw also affects the versions of python as shipped with Red Hat Enterprise Linux 5 and 6, which are, respectively, python 2.4 and 2.6. The flaw was reproduced both on python 2.4 shipped with Red Hat Enterprise Linux 5 and on python 2.6 shipped with Red Hat Enterprise Linux 6.

This flaw affects applications that process untrusted URLs and store credentials, cookies or other kinds of information based on the domain name of the URL, when encoded with Punycode/Internationalizing Domain Names in Applications (IDNA), more precisely the netloc component returned by urlparse()/urlsplit(). Assuming an application has cookies stored for the netloc "redhat.com", an attacker may construct a URL that, when encoded with IDNA and parsed through urlparse()/urlsplit(), would indicate "redhat.com" as netloc, even though the connection would be made to the attacker-controlled host, possibly leaking the information that was associated with "redhat.com".

External References:

https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html

netloc is the part of a URL that includes <user>:<password>@<host>:<port>. See https://tools.ietf.org/html/rfc1808.html#section-2.1 for more information about netloc.

In reply to comment #36:
> The CVE fix we pushed unfortunately introduced a regression, fixed by
> https://bugs.python.org/issue36742

The initial fix for this regression can be found at https://github.com/python/cpython/commit/d537ab0ff9767ef024f26246899728f0116b1ec3. However, alone it would re-introduce this vulnerability, CVE-2019-9636, thus it requires https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e to be complete.

In reply to comment #50:
> In reply to comment #36:
> > The CVE fix we pushed unfortunately introduced a regression, fixed by
> > https://bugs.python.org/issue36742
>
> The initial fix for this regression can be found at
> https://github.com/python/cpython/commit/d537ab0ff9767ef024f26246899728f0116b1ec3.
> However, alone it would re-introduce this vulnerability, CVE-2019-9636, thus
> it requires
> https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e to be complete.

Reference: https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html

CVE-2019-10160 has been assigned to this security regression.

In reply to comment #50:
> In reply to comment #36:
> > The CVE fix we pushed unfortunately introduced a regression, fixed by
> > https://bugs.python.org/issue36742
>
> The initial fix for this regression can be found at
> https://github.com/python/cpython/commit/d537ab0ff9767ef024f26246899728f0116b1ec3.
> However, alone it would re-introduce this vulnerability, CVE-2019-9636, thus
> it requires https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e to be complete.

CVE-2019-10160 has been assigned to the security regression introduced with https://github.com/python/cpython/commit/d537ab0ff9767ef024f26246899728f0116b1ec3

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:1467 https://access.redhat.com/errata/RHSA-2019:1467

In reply to comment #55:
> This issue has been addressed in the following products:
>
>   Red Hat Enterprise Linux 6
>
> Via RHSA-2019:1467 https://access.redhat.com/errata/RHSA-2019:1467

CVE-2019-10160 was discovered by Red Hat during the development of the Red Hat Enterprise Linux 6 patch, thus RHSA-2019:1467 was directly shipped with the proper fix for CVE-2019-9636. The security regression CVE-2019-10160 was not introduced in RHEL 6.

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:2980 https://access.redhat.com/errata/RHSA-2019:2980

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2019:3170 https://access.redhat.com/errata/RHSA-2019:3170
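As an added illustration (not code from this bug or from CPython), the following shows why a netloc that urlsplit() reports as one host can name a different host once NFKC normalization is applied, as IDNA encoding does, and a post-split check modelled on the one CPython added for this flaw. The function names, `effective_host`, `netloc_gains_delimiter` and `safe_urlsplit`, and the sample netlocs built from RFC 2606 reserved names are this example's own assumptions.

```python
import unicodedata
from urllib.parse import urlsplit, SplitResult

# Delimiters that structure the netloc (user:password@host:port) or end it.
# IDNA encoding applies NFKC first, so a character that normalizes to one of
# these changes which host the URL really names (CVE-2019-9636).
_DELIMITERS = "/?#@:"

def _host_of(netloc: str) -> str:
    """Hostname roughly as urlsplit() derives it: after the last '@', before ':'."""
    return netloc.rpartition("@")[2].partition(":")[0]


def effective_host(netloc: str) -> str:
    """Hostname the netloc names once NFKC-normalized (as IDNA does):
    a '/', '?' or '#' produced by normalization terminates the authority."""
    normalized = unicodedata.normalize("NFKC", netloc)
    for c in "/?#":
        normalized = normalized.split(c, 1)[0]
    return _host_of(normalized)


def netloc_gains_delimiter(netloc: str) -> bool:
    """Approximation of the upstream check: does NFKC normalization *introduce*
    a delimiter? Delimiters already present (user:pw@host:port) are legitimate
    and are stripped first, so only newly produced ones count."""
    if not netloc or netloc.isascii():
        return False
    stripped = netloc
    for c in "@:#?":
        stripped = stripped.replace(c, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return False
    return any(c in normalized for c in _DELIMITERS)


def safe_urlsplit(url: str) -> SplitResult:
    """urlsplit() that refuses a netloc whose host changes under NFKC."""
    parts = urlsplit(url)
    if netloc_gains_delimiter(parts.netloc):
        raise ValueError(f"netloc {parts.netloc!r} gains a delimiter under NFKC")
    return parts


# Constructed sample netlocs using RFC 2606 reserved names, not real hosts.
# U+FF03 FULLWIDTH NUMBER SIGN normalizes to '#'; U+2100 ACCOUNT OF to 'a/c'.
SPOOFED = "example.com\uff03@example.net"     # splits as host example.net
LEGIT_IDN = "user:pw@b\u00fccher.example:8443"  # U+00FC is stable under NFKC
```

On a patched interpreter (3.5.7, 3.7.3 and later, or the errata builds listed above) urlsplit() itself already raises ValueError for SPOOFED; `netloc_gains_delimiter` reproduces that decision on the bare string so the behaviour can be studied on any version.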