Bug 1749839 (CVE-2019-16056)
| Summary: | CVE-2019-16056 python: email.utils.parseaddr wrongly parses email addresses | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Riccardo Schirone <rschiron> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | apmukher, carl, cstratak, dmalcolm, hhorak, jorton, kevin, m.cyprian, mhroncok, pviktori, python-maint, python-sig, rkuska, shcherbina.iryna, slavek.kabrda, TicoTimo, tomspur, torsava, vstinner |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | python 3.7.5, python 2.7.17 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-11-06 12:51:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1750454, 1750455, 1750456, 1750457, 1750458, 1750459, 1750460, 1750461, 1750773, 1750774, 1750775, 1750776, 1750779, 1750780, 1750798, 1750812, 1750829, 1767892, 1829560, 1829561 | ||
| Bug Blocks: | 1748207 | ||
|
Description
Riccardo Schirone
2019-09-06 14:42:08 UTC
I've got automatically CCed to this bug as one of the Fedora's Python Maintainers yet I cannot see the blocked bz1748207. Is there a Fedora bug for this? In reply to comment #1: > I've got automatically CCed to this bug as one of the Fedora's Python > Maintainers yet I cannot see the blocked bz1748207. Is there a Fedora bug > for this? I will create one soon. Sadly, Python 2.7 didn't get a fix upstream yet. Created python2 tracking bugs for this issue: Affects: fedora-all [bug 1750461] Created python3 tracking bugs for this issue: Affects: fedora-all [bug 1750456] Created python34 tracking bugs for this issue: Affects: epel-all [bug 1750455] Affects: fedora-all [bug 1750457] Created python35 tracking bugs for this issue: Affects: fedora-all [bug 1750458] Created python36 tracking bugs for this issue: Affects: epel-7 [bug 1750454] Affects: fedora-all [bug 1750459] Created python38 tracking bugs for this issue: Affects: fedora-all [bug 1750460] BTW python37 is also packaged in Fedora. Functions get_domain() in Lib/email/_header_value_parser.py and Lib/email/_parseaddr.py do not correctly handle the case where the parameter contains more than one '@' character. They do not return any error value or raise any exception, thus making it impossible for the users of those functions to know if something was wrong. When an application uses the `email` python module to parse an email address, the wrong output of the vulnerable functions may be used to trick the application to use wrong values and impact the Confidentiality, Integrity and/or Availability of a system. In reply to comment #6: > BTW python37 is also packaged in Fedora. I see python37 only shipped in f28, which is not supported anymore. It is shipped in rawhide (Fedora 32). In reply to comment #9: > It is shipped in rawhide (Fedora 32). I think you can fix it there without a security tracker from us. If you do need one, though, I will create it. I know we can fix it there without a security tracker from you. I just wanted you to have all the information. If you could just open one Fedora "all the Pythons" bug instead of the current strom, it would work for us even better. Created python37 tracking bugs for this issue: Affects: fedora-rawhide [bug 1750798] In reply to comment #11: > I know we can fix it there without a security tracker from you. I just > wanted you to have all the information. If you could just open one Fedora > "all the Pythons" bug instead of the current strom, it would work for us > even better. I have create a tracker for fedora-rawhide/python37. We prefer to create separate trackers for each python version as they are separate packages and that way it is easier to track which versions are affected or not. This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Via RHSA-2019:3725 https://access.redhat.com/errata/RHSA-2019:3725 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-16056 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Via RHSA-2019:3948 https://access.redhat.com/errata/RHSA-2019:3948 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1131 https://access.redhat.com/errata/RHSA-2020:1131 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1132 https://access.redhat.com/errata/RHSA-2020:1132 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1605 https://access.redhat.com/errata/RHSA-2020:1605 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1764 https://access.redhat.com/errata/RHSA-2020:1764 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2020:2520 https://access.redhat.com/errata/RHSA-2020:2520 |