Bug 1749839 (CVE-2019-16056)

Summary: CVE-2019-16056 python: email.utils.parseaddr wrongly parses email addresses
Product: [Other] Security Response Reporter: Riccardo Schirone <rschiron>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apmukher, carl, cstratak, dmalcolm, hhorak, jorton, kevin, m.cyprian, mhroncok, pviktori, python-maint, python-sig, rkuska, shcherbina.iryna, slavek.kabrda, TicoTimo, tomspur, torsava, vstinner
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: python 3.7.5, python 2.7.17 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-06 12:51:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1750812, 1750454, 1750455, 1750456, 1750457, 1750458, 1750459, 1750460, 1750461, 1750773, 1750774, 1750775, 1750776, 1750779, 1750780, 1750798, 1750829, 1767892, 1829560, 1829561    
Bug Blocks: 1748207    

Description Riccardo Schirone 2019-09-06 14:42:08 UTC
Python module `email` wrongly parses email addresses that contain multiple "@" character. An application that uses the `email` module and implements some kind of checks on the From/To headers of an email could be tricked into accepting an email address that should be denied.

Upstream issue:
https://bugs.python.org/issue34155

Upstream patches:
https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9 [master branch]
https://github.com/python/cpython/commit/217077440a6938a0b428f67cfef6e053c4f8673c [3.8]
https://github.com/python/cpython/commit/c48d606adcef395e59fd555496c42203b01dd3e8 [3.7]
https://github.com/python/cpython/commit/13a19139b5e76175bc95294d54afc9425e4f36c9 [3.6]

Comment 1 Miro Hrončok 2019-09-09 09:03:02 UTC
I've got automatically CCed to this bug as one of the Fedora's Python Maintainers yet I cannot see the blocked bz1748207. Is there a Fedora bug for this?

Comment 2 Riccardo Schirone 2019-09-09 09:39:39 UTC
In reply to comment #1:
> I've got automatically CCed to this bug as one of the Fedora's Python
> Maintainers yet I cannot see the blocked bz1748207. Is there a Fedora bug
> for this?

I will create one soon.

Comment 3 Victor Stinner 2019-09-09 10:55:11 UTC
Sadly, Python 2.7 didn't get a fix upstream yet.

Comment 4 Riccardo Schirone 2019-09-09 15:57:46 UTC
Created python2 tracking bugs for this issue:

Affects: fedora-all [bug 1750461]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1750456]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1750455]
Affects: fedora-all [bug 1750457]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1750458]


Created python36 tracking bugs for this issue:

Affects: epel-7 [bug 1750454]
Affects: fedora-all [bug 1750459]


Created python38 tracking bugs for this issue:

Affects: fedora-all [bug 1750460]

Comment 6 Miro Hrončok 2019-09-09 20:52:33 UTC
BTW python37 is also packaged in Fedora.

Comment 7 Riccardo Schirone 2019-09-10 08:50:58 UTC
Functions get_domain() in Lib/email/_header_value_parser.py and Lib/email/_parseaddr.py do not correctly handle the case where the parameter contains more than one '@' character. They do not return any error value or raise any exception, thus making it impossible for the users of those functions to know if something was wrong.

When an application uses the `email` python module to parse an email address, the wrong output of the vulnerable functions may be used to trick the application to use wrong values and impact the Confidentiality, Integrity and/or Availability of a system.

Comment 8 Riccardo Schirone 2019-09-10 08:58:21 UTC
In reply to comment #6:
> BTW python37 is also packaged in Fedora.

I see python37 only shipped in f28, which is not supported anymore.

Comment 9 Miro Hrončok 2019-09-10 09:05:08 UTC
It is shipped in rawhide (Fedora 32).

Comment 10 Riccardo Schirone 2019-09-10 09:39:57 UTC
In reply to comment #9:
> It is shipped in rawhide (Fedora 32).

I think you can fix it there without a security tracker from us. If you do need one, though, I will create it.

Comment 11 Miro Hrončok 2019-09-10 09:42:36 UTC
I know we can fix it there without a security tracker from you. I just wanted you to have all the information. If you could just open one Fedora "all the Pythons" bug instead of the current strom, it would work for us even better.

Comment 14 Riccardo Schirone 2019-09-10 13:45:08 UTC
Created python37 tracking bugs for this issue:

Affects: fedora-rawhide [bug 1750798]

Comment 15 Riccardo Schirone 2019-09-10 13:51:46 UTC
In reply to comment #11:
> I know we can fix it there without a security tracker from you. I just
> wanted you to have all the information. If you could just open one Fedora
> "all the Pythons" bug instead of the current strom, it would work for us
> even better.

I have create a tracker for fedora-rawhide/python37. We prefer to create separate trackers for each python version as they are separate packages and that way it is easier to track which versions are affected or not.

Comment 20 errata-xmlrpc 2019-11-06 09:45:32 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:3725 https://access.redhat.com/errata/RHSA-2019:3725

Comment 21 Product Security DevOps Team 2019-11-06 12:51:15 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16056

Comment 22 errata-xmlrpc 2019-11-25 09:24:00 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:3948 https://access.redhat.com/errata/RHSA-2019:3948

Comment 23 errata-xmlrpc 2020-03-31 19:25:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1131 https://access.redhat.com/errata/RHSA-2020:1131

Comment 24 errata-xmlrpc 2020-03-31 19:25:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1132 https://access.redhat.com/errata/RHSA-2020:1132

Comment 25 errata-xmlrpc 2020-04-28 15:29:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1605 https://access.redhat.com/errata/RHSA-2020:1605

Comment 26 errata-xmlrpc 2020-04-28 15:50:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1764 https://access.redhat.com/errata/RHSA-2020:1764

Comment 28 errata-xmlrpc 2020-06-11 01:33:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:2520 https://access.redhat.com/errata/RHSA-2020:2520