Bug 1888007 (CVE-2019-1010083)

Summary: CVE-2019-1010083 python-flask: unexpected memory usage can lead to denial of service via crafted encoded JSON data
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: amctagga, aoconnor, apevec, bbuckingham, bcl, bcourt, bdettelb, bkearney, bmontgom, bniver, btotty, danielmyoung, eparis, flucifre, gmeno, hhudgeon, hushan.jia, hvyas, ian, igor.raits, itamar, jburrell, jjoyce, jokerman, jschluet, jwboyer, karlthered, lhh, lpeer, lzap, mbenjamin, mburns, mhackett, mmccune, nmoumoul, nstielau, puiterwijk, python-sig, rchan, relrod, rjerrido, sclewis, slinaber, sokeeffe, sostapov, sponnaga, tflink, tomckay, vereddy
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: python-flask-0.12.3, python-flask-1.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-flask. Unexpected memory usage can occur through specially crafted encoded JSON data. The highest threat from this vulnerability is to system availability. Note, this may overlap CVE-2018-1000656.
Story Points: ---
Last Closed: 2021-11-02 17:56:00 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1623771, 1623772, 1888008, 1890714, 1891571, 1891572, 2254401
Bug Blocks: 1888010

Description Guilherme de Almeida Suckevicz 2020-10-13 19:37:38 UTC
The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.

Reference:
https://www.palletsprojects.com/blog/flask-1-0-released/

Comment 1 Guilherme de Almeida Suckevicz 2020-10-13 19:38:01 UTC
Created python-flask tracking bugs for this issue:

Affects: epel-6 [bug 1888008]

Comment 3 Przemyslaw Roguski 2020-10-14 12:02:27 UTC
Upstream PR: https://github.com/pallets/flask/pull/2691
Upstream PR backport: https://github.com/pallets/flask/pull/2695

Comment 4 Jason Shepherd 2020-10-22 00:01:37 UTC
Red Hat Quay is using Flask 1.1.1 which is not affected by this issue.

Comment 7 Brian Lane 2020-10-22 21:13:04 UTC
Note that the version shipped in AppStream (python3-flask-0.12.2-4) contains the fix for this. It is the equivalent of upstream version 0.12.4; I didn't rebase because some of the upstream changes to their doc build system were incompatible with RHEL 8.

Comment 8 Summer Long 2020-10-25 23:06:31 UTC
Statement:

Red Hat Satellite 6.5 ships an affected version of python-flask. However, the product is not vulnerable, since the data component Crane receives from pulp_docker repository metadata with JSON uses UTF-8 encoding by default. Other supported versions of Satellite are not affected by this vulnerability.

Note: CVE-2019-1010083 is a duplicate of the flaw in CVE-2018-1000656. However, the 2019 flaw identifies newer affected products.

Comment 11 Todd Cullum 2020-10-28 18:53:42 UTC
I've marked python-flask unaffected for Red Hat Enterprise Linux 7 (RHEL7) and Red Hat Enterprise Linux 8 (RHEL8) because RHEL7's python-flask was already patched the first time this was reported in [1], and the new version info does not add a new affect that was different from BZ#1623131 in regard to RHEL8.

1. https://access.redhat.com/errata/RHSA-2020:0870