Bug 1824446 (CVE-2019-17514)

Summary: CVE-2019-17514 python: potentially misleading information about whether sorting in library/glob.html
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carl, cstratak, dmalcolm, hhorak, jorton, kevin, m.cyprian, mhroncok, mplch, pviktori, python-maint, python-sig, rkuska, shcherbina.iryna, slavek.kabrda, steve.traylen, TicoTimo, tomspur, torsava, vstinner
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-20 15:26:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1824447, 1824448, 1824450, 1824451, 1824452, 1824453, 1824454, 1824455    
Bug Blocks: 1824456    

Description Dhananjay Arunesh 2020-04-16 09:15:42 UTC 
A vulnerability was found in library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated "finds all the pathnames matching a specified pattern according to the rules used by the Unix shell," one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.

Reference:
https://bugs.python.org/issue33275
https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L380
https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L405
https://pubs.acs.org/doi/full/10.1021/acs.orglett.9b03216
https://pubs.acs.org/doi/suppl/10.1021/acs.orglett.9b03216/suppl_file/ol9b03216_si_002.zip
https://security.netapp.com/advisory/ntap-20191107-0005/
https://twitter.com/chris_bloke/status/1181997278136958976
https://twitter.com/LucasCMoore/status/1181615421922824192
https://web.archive.org/web/20150822013622/https://docs.python.org/3/library/glob.html
https://web.archive.org/web/20150906020027/https://docs.python.org/2.7/library/glob.html
https://web.archive.org/web/20160309211341/https://docs.python.org/3/library/glob.html
https://web.archive.org/web/20160526201356/https://docs.python.org/2.7/library/glob.html
https://www.vice.com/en_us/article/zmjwda/a-code-glitch-may-have-caused-errors-in-more-than-100-published-studies
Comment 1 Dhananjay Arunesh 2020-04-16 09:17:18 UTC 
Created python2 tracking bugs for this issue:

Affects: fedora-all [bug 1824450]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1824454]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1824448]
Affects: fedora-all [bug 1824453]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1824451]


Created python36 tracking bugs for this issue:

Affects: epel-7 [bug 1824447]
Affects: fedora-all [bug 1824452]


Created python38 tracking bugs for this issue:

Affects: fedora-all [bug 1824455]
Comment 2 Miro HronĨok 2020-04-16 09:28:49 UTC 
Dhananjay, what can I do to stop more EPEL python36 security bugzillas? The package has been retired in EPEL 6 months ago.
Comment 3 Riccardo Schirone 2020-04-16 12:03:48 UTC 
This does not seem to me like a real flaw. It was not even a bug actually, but just a slightly misleading documentation. I don't think this is a good use of a CVE, but rather a CVE should be assigned to particular programs that wrongly assume the sorting of that function. Victor, what do you think?
Comment 4 Dhananjay Arunesh 2020-04-20 11:36:39 UTC 
In reply to comment #2:
> Dhananjay, what can I do to stop more EPEL python36 security bugzillas? The
> package has been retired in EPEL 6 months ago.

removed python36 for epel and updated my manifest file.
Comment 5 Victor Stinner 2020-04-20 14:59:37 UTC 
CVE-2019-17514 should be rejected: the behavior is intentional, it is not a vulnerability. os.listdir() and glob.glob() are not sorted on purpose.

See this discussion for more details:
https://discuss.python.org/t/a-code-glitch-may-have-caused-errors-in-more-than-100-published-studies/2583

The "fix" was to ensure that the intentional behavior is properly documented:

https://docs.python.org/dev/library/os.html#os.listdir
"The list is in arbitrary order"

https://docs.python.org/dev/library/glob.html#glob.glob
"Whether or not the results are sorted depends on the file system."

Python issues:

* https://bugs.python.org/issue21748 closed as "not a bug"
* https://bugs.python.org/issue30461 closed as "rejected"
* https://bugs.python.org/issue33275 fixed by documenting the behavior
Comment 6 Riccardo Schirone 2020-04-20 15:26:06 UTC 
Closing as NOTABUG according to comment 3 and comment 5.