Bug 1695570 (CVE-2019-9948)
| Summary: | CVE-2019-9948 python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aurelien, bkabrda, carl, cstratak, dmalcolm, hhorak, infra-sig, jeremy, jorton, kevin, mcyprian, mhroncok, orion, pviktori, python-maint, python-sig, rkuska, shcherbina.iryna, TicoTimo, tomspur, torsava |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-07-12 13:06:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1698977, 1698978, 1698979, 1698980, 1698981, 1698982, 1700687, 1700688, 1704174, 1704175, 1704176, 1704177, 1709404, 1714640, 1714641, 1714642, 1714643, 1802745, 1802746, 1802747 | ||
| Bug Blocks: | 1695712 | ||
Created python-urllib3 tracking bugs for this issue: Affects: fedora-all [bug 1695599] Created python3-urllib3 tracking bugs for this issue: Affects: epel-all [bug 1695600] Created python3 tracking bugs for this issue: Affects: fedora-all [bug 1698976] Created python34 tracking bugs for this issue: Affects: fedora-all [bug 1698977] Created python35 tracking bugs for this issue: Affects: fedora-all [bug 1698978] Created python34 tracking bugs for this issue: Affects: epel-all [bug 1698979] Created python36 tracking bugs for this issue: Affects: epel-7 [bug 1698980] Created python37 tracking bugs for this issue: Affects: fedora-28 [bug 1698981] Created python36 tracking bugs for this issue: Affects: fedora-29 [bug 1698982] IMO this should get to Fedora via a upstream release; we should not backport this. urlopen handles many URL schemes; blacklists are generally insecure. Created python3 tracking bugs for this issue: Affects: fedora-all [bug 1700688] Setting Attack Complexity (AC) to High as the attacker needs both an application that just blacklist the "file://" (but not "local_file://") protocol and he needs full control of the "url" paramater supplied to urlopen() function. local_file:// protocol is not documented anywhere, thus the problem with this flaw. An application may have been written to just blacklist "file://" protocol, without knowing that "local_file://" could achieve the same functions, allowing access to local files. Mitigation: If your application uses a blacklist to prevent "file://" schema from being used, consider using a whitelist approach to just allow the schemas you want or add "local_file://" schema to your blacklist. This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2019:1700 https://access.redhat.com/errata/RHSA-2019:1700 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-9948 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2030 https://access.redhat.com/errata/RHSA-2019:2030 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3335 https://access.redhat.com/errata/RHSA-2019:3335 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3520 https://access.redhat.com/errata/RHSA-2019:3520 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.5 Extended Update Support Via RHSA-2020:1268 https://access.redhat.com/errata/RHSA-2020:1268 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support Red Hat Enterprise Linux 7.4 Telco Extended Update Support Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions Via RHSA-2020:1346 https://access.redhat.com/errata/RHSA-2020:1346 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2020:1462 https://access.redhat.com/errata/RHSA-2020:1462 |
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call. Reference: https://bugs.python.org/issue35907 https://github.com/python/cpython/pull/11842