Bug 1727276 (CVE-2019-18348)

Summary: CVE-2019-18348 python: CRLF injection via the host part of the url passed to urlopen()
Product: [Other] Security Response
Reporter: Riccardo Schirone <rschiron>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: adev88, carl, cstratak, dmalcolm, extras-orphan, hhorak, jeffrey.ness, jorton, kevin, m.cyprian, mhroncok, pviktori, python-maint, python-sig, rkuska, shcherbina.iryna, slavek.kabrda, TicoTimo, tomspur, torsava, vstinner
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A CRLF injection flaw was discovered in python in the way URLs are handled when doing an HTTP/HTTPS connection (e.g. through urlopen() or HTTPConnection). An attacker who can control the url parameter passed to urlopen method in the urllib/urllib2 modules can inject CRLF sequences and HTTP headers by abusing the "host" part of the URL.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-10-19 20:21:12 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1765139, 1765138, 1765140, 1765141, 1765142, 1765143, 1765144, 1765145, 1765146, 1765147, 1765148, 1765149, 1765150, 1765151, 1765152, 1765153, 1882670
Bug Blocks: 1727267

Description Riccardo Schirone 2019-07-05 10:22:43 UTC
An issue was discovered in urllib/urllib2 in Python. CRLF injection is possible if the attacker controls the host part of the url parameter passed to urlopen().

The fix for CVE-2019-9947 is ineffective if the glibc version used by python is still affected by CVE-2016-10739. The original fix for CVE-2019-9947 only checked the part of the URL after the port (e.g. in "http://server:7777/my/path?query" only "/my/path?query" was checked for invalid characters) so if an attacker can control the hostname part he is still able to inject HTTP headers. Due to CVE-2016-10739, getaddrinfo() resolves an invalid hostname as a valid one, so the URL can contain CRLF sequences and, at the same time, it can be resolved to a valid host.


Reference:
https://bugs.python.org/issue30458#msg347282

Comment 3 Riccardo Schirone 2019-10-24 08:13:15 UTC
I have created a new and separate issue upstream to keep track of this CVE.
https://bugs.python.org/issue38576

Comment 4 Riccardo Schirone 2019-10-24 12:29:34 UTC
Created python2 tracking bugs for this issue:

Affects: fedora-all [bug 1765145]


Created python26 tracking bugs for this issue:

Affects: fedora-all [bug 1765146]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1765138]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1765139]
Affects: fedora-all [bug 1765140]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1765141]


Created python36 tracking bugs for this issue:

Affects: epel-7 [bug 1765142]
Affects: fedora-all [bug 1765143]


Created python38 tracking bugs for this issue:

Affects: fedora-all [bug 1765144]

Comment 7 Riccardo Schirone 2019-10-24 12:37:06 UTC
This flaw can be exploited only when glibc flaw CVE-2016-10739 is not fixed, as it requires getaddrinfo() function to resolve an invalid hostname, containing control characters like the CRLF sequence, as a valid one.
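
The injection mechanism described in the Description (a path-only check that lets a CRLF sequence in the host reach the Host header) and the precondition restated in Comment 7, as an added example that is not part of this bug report or of CPython: a simplified model of how an HTTP client serialises host and path into request bytes, with the path-only check placed beside a check that also validates the host. The names split_url, build_request, check_path_only, check_host_and_path, header_names and send are illustrative and are not stdlib functions; the disallowed-character pattern is this example's own. The name resolution step, where CVE-2016-10739 decides whether the injected host is ever connected to, is deliberately not modelled because it cannot be shown offline.

```python
import re

# Bytes that must never reach the wire inside a request line or a header
# value; CR (0x0d) and LF (0x0a) are the ones that let an attacker terminate
# the Host header and start a header of their own. Illustrative pattern for
# this example, not CPython's own code.
_DISALLOWED = re.compile(r"[\x00-\x20\x7f]")


def split_url(url):
    """Split an http://host[:port]/path URL into (host, port, path).

    urllib.parse is intentionally not used: newer Python releases strip CR
    and LF from a URL before parsing it, which would hide the very characters
    this example is about. Assumes an http:// scheme and no userinfo.
    """
    if not url.startswith("http://"):
        raise ValueError("example only handles http:// URLs")
    rest = url[len("http://"):]
    slash = rest.find("/")
    netloc, path = (rest, "/") if slash == -1 else (rest[:slash], rest[slash:])
    host, sep, port = netloc.rpartition(":")
    if not sep or not port.isdigit():      # no explicit port given
        host, port = netloc, "80"
    return host, int(port), path


def build_request(host, port, path):
    """Serialise a GET the way a naive client does: the path goes into the
    request line and the host into the Host header, with no validation."""
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            "\r\n").encode("latin-1")


def check_path_only(host, port, path):
    """The CVE-2019-9947-style check: only the part after the port
    (e.g. '/my/path?query') is inspected; the host is trusted as-is."""
    if _DISALLOWED.search(path):
        raise ValueError(f"control character in path: {path!r}")


def check_host_and_path(host, port, path):
    """The CVE-2019-18348-style check: the host is validated as well."""
    check_path_only(host, port, path)
    if _DISALLOWED.search(host):
        raise ValueError(f"control character in host: {host!r}")


def header_names(request):
    """Header names a server would parse out of the serialised request."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


def send(url, check):
    """Validate with `check`, then return the bytes that would be sent.
    Resolving the host (where CVE-2016-10739 matters) is skipped here."""
    host, port, path = split_url(url)
    check(host, port, path)
    return build_request(host, port, path)


# Constructed inputs: the benign URL from the Description, and an attacker-
# controlled host carrying a CRLF sequence followed by a forged header.
BENIGN = "http://server:7777/my/path?query"
INJECTED = "http://localhost\r\nX-Injected: 1:80/"

if __name__ == "__main__":
    print(header_names(send(BENIGN, check_path_only)))      # ['Host']
    print(header_names(send(INJECTED, check_path_only)))    # ['Host', 'X-Injected']
    try:
        send(INJECTED, check_host_and_path)
    except ValueError as exc:
        print("rejected:", exc)
```

With the path-only check the injected URL is serialised with a second header line, X-Injected, that the attacker wrote; the host-aware check rejects the same URL before any bytes are built. On a glibc with CVE-2016-10739 fixed the unchecked request would still fail at getaddrinfo(), which is why Comment 7 and the Statement below treat the glibc fix as what makes this bug non-exploitable.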

Comment 8 Miro Hrončok 2019-12-20 10:05:40 UTC
The new Python issue is https://bugs.python.org/issue38576

Comment 9 Fedora Update System 2020-07-04 01:12:22 UTC
FEDORA-2020-8bdd3fd7a4 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 10 Fedora Update System 2020-07-10 01:01:01 UTC
FEDORA-2020-ea5bdbcc90 has been pushed to the Fedora 31 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 16 errata-xmlrpc 2020-10-19 18:05:47 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4285 https://access.redhat.com/errata/RHSA-2020:4285

Comment 17 Product Security DevOps Team 2020-10-19 20:21:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-18348

Comment 18 errata-xmlrpc 2020-10-20 16:00:43 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4273 https://access.redhat.com/errata/RHSA-2020:4273

Comment 19 Riccardo Schirone 2021-03-04 14:35:43 UTC
Statement:

This issue does not affect the versions of python and python3 as shipped with Red Hat Enterprise Linux 7.7 and above because glibc flaw CVE-2016-10739 was fixed in RHSA-2019:2118-03, which makes this bug not exploitable.

This issue does not affect the versions of python and python3 as shipped with Red Hat Enterprise Linux 8 because glibc is not vulnerable to CVE-2016-10739, making this bug not exploitable.