Bug 1727276 (CVE-2019-18348)

Summary: CVE-2019-18348 python: CRLF injection via the host part of the url passed to urlopen()
Product: [Other] Security Response
Component: vulnerability
Reporter: Riccardo Schirone <rschiron>
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: adev88, carl, cstratak, dmalcolm, extras-orphan, hhorak, jeffrey.ness, jorton, kevin, m.cyprian, mhroncok, pviktori, python-maint, python-sig, rkuska, shcherbina.iryna, slavek.kabrda, TicoTimo, tomspur, torsava, vstinner
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A CRLF injection flaw was discovered in python in the way URLs are handled when doing an HTTP/HTTPS connection (e.g. through urlopen() or HTTPConnection). An attacker who can control the url parameter passed to urlopen method in the urllib/urllib2 modules can inject CRLF sequences and HTTP headers by abusing the "host" part of the URL.
Bug Depends On: 1765139, 1765148, 1765149, 1765138, 1765140, 1765141, 1765142, 1765143, 1765144, 1765145, 1765146, 1765147, 1765150, 1765151, 1765152, 1765153
Bug Blocks: 1727267

Description Riccardo Schirone 2019-07-05 10:22:43 UTC
An issue was discovered in urllib/urllib2 in Python. CRLF injection is possible if the attacker controls the host part of the url parameter passed to urlopen().

The fix for CVE-2019-9947 is ineffective if the glibc version used by python is still affected by CVE-2016-10739. The original fix for CVE-2019-9947 only checked the part of the URL after the port (e.g. in "http://server:7777/my/path?query" only "/my/path?query" was checked for invalid characters) so if an attacker can control the hostname part he is still able to inject HTTP headers. Due to CVE-2016-10739, getaddrinfo() resolves an invalid hostname as a valid one, so the URL can contain CRLF sequences and, at the same time, it can be resolved to a valid host.

Reference:
https://bugs.python.org/issue30458#msg347282
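The gap described in the report, as an added example (not code from the bug report or from CPython): a path-only check in the spirit of the original CVE-2019-9947 fix beside a check that also covers the host part, which is what this CVE needs. The `split_url` helper and the sample URLs are constructed for this example; the character class is the one CPython's `http.client` rejects (ASCII control characters, space and DEL).

```python
import re

# ASCII control characters, space and DEL: the class http.client treats as
# disallowed in a request target.
_DISALLOWED = re.compile(r'[\x00-\x20\x7f]')


def split_url(url):
    """Minimal splitter written for this example. urllib.parse is avoided on
    purpose: recent versions strip CR, LF and TAB before parsing, which would
    hide exactly the bytes this check looks for.
    Returns (host_part, rest) where rest is path + query + fragment."""
    sep = url.find('://')
    after_scheme = url[sep + 3:] if sep != -1 else url
    cut = len(after_scheme)
    for ch in '/?#':
        idx = after_scheme.find(ch)
        if idx != -1:
            cut = min(cut, idx)
    return after_scheme[:cut], after_scheme[cut:]


def path_only_check(url):
    """Scope of the original CVE-2019-9947 fix: only what follows host:port
    is validated, so a CRLF placed in the host part passes."""
    _, rest = split_url(url)
    return _DISALLOWED.search(rest) is None


def host_and_path_check(url):
    """Validates the host part as well, closing the CVE-2019-18348 gap."""
    host, rest = split_url(url)
    return _DISALLOWED.search(host) is None and _DISALLOWED.search(rest) is None


def safe_to_open(url):
    """Gate to place in front of urlopen()/HTTPConnection on an interpreter
    that still lacks the upstream fix; refuses instead of sending."""
    if not host_and_path_check(url):
        raise ValueError("control characters in URL host or path: %r" % url)
    return url


# Constructed sample inputs (not taken from the report).
CLEAN = "http://server:7777/my/path?query"
CRLF_IN_HOST = "http://server\r\nX-Constructed: 1:7777/my/path?query"
CRLF_IN_PATH = "http://server:7777/my/path\r\nX-Constructed: 1"
```

On an interpreter that carries the upstream fix for issue38576, `http.client` itself raises `InvalidURL` for the host case, so the gate above is only a stop-gap for older builds.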

Comment 3 Riccardo Schirone 2019-10-24 08:13:15 UTC
I have created a new and separate issue upstream to keep track of this CVE.
https://bugs.python.org/issue38576

Comment 4 Riccardo Schirone 2019-10-24 12:29:34 UTC
Created python2 tracking bugs for this issue:

Affects: fedora-all [bug 1765145]


Created python26 tracking bugs for this issue:

Affects: fedora-all [bug 1765146]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1765138]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1765139]
Affects: fedora-all [bug 1765140]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1765141]


Created python36 tracking bugs for this issue:

Affects: epel-7 [bug 1765142]
Affects: fedora-all [bug 1765143]


Created python38 tracking bugs for this issue:

Affects: fedora-all [bug 1765144]

Comment 6 Riccardo Schirone 2019-10-24 12:35:53 UTC
Statement:

This issue affects the versions of python and python3 as shipped with Red Hat Enterprise Linux 7, however users running Red Hat Enterprise Linux 7.7 and above are not vulnerable because glibc flaw CVE-2016-10739 was fixed in RHSA-2019:2118-03, which makes this bug not exploitable.

Comment 7 Riccardo Schirone 2019-10-24 12:37:06 UTC
This flaw can be exploited only when glibc flaw CVE-2016-10739 is not fixed, as it requires getaddrinfo() function to resolve an invalid hostname, containing control characters like the CRLF sequence, as a valid one.

Comment 8 Miro Hrončok 2019-12-20 10:05:40 UTC
The new Python issue is https://bugs.python.org/issue38576

Comment 9 Fedora Update System 2020-07-04 01:12:22 UTC
FEDORA-2020-8bdd3fd7a4 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 10 Fedora Update System 2020-07-10 01:01:01 UTC
FEDORA-2020-ea5bdbcc90 has been pushed to the Fedora 31 stable repository.
If problem still persists, please make note of it in this bug report.