Bug 1962856 (CVE-2021-3572)
| Summary: | CVE-2021-3572 python-pip: Incorrect handling of unicode separators in git references | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | cstratak, hhorak, jorton, lbalhar, m.cyprian, metherid, mhayden, mhroncok, mrunge, ncoghlan, python-maint, python-sig, slavek.kabrda, smilner, tflink, TicoTimo, torsava |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | python-pip 21.1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-08-24 15:35:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1962857, 1962858, 1965678, 1965679, 1965680, 1965681, 1965694, 1965695, 1965696, 1965699, 1965712, 1965713, 1969508, 1969509, 1969522 | ||
| Bug Blocks: | 1962859, 1966364 | ||
|
Description
Pedro Sampaio
2021-05-20 16:54:43 UTC
Created python-pip tracking bugs for this issue: Affects: fedora-all [bug 1962857] Created python-virtualenv tracking bugs for this issue: Affects: fedora-all [bug 1962858] (In reply to Pedro Sampaio from comment #1) > Created python-virtualenv tracking bugs for this issue: > > Affects: fedora-all [bug 1962858] Why python-virtualenv? (In reply to Miro Hrončok from comment #2) > (In reply to Pedro Sampaio from comment #1) > > Created python-virtualenv tracking bugs for this issue: > > > > Affects: fedora-all [bug 1962858] > > Why python-virtualenv? Our package manifests flagged python-pip being embedded in python-virtualenv. Could you please update the package manifests? python-pip is not embedded in python-virtualenv since Fedora 31.
python-pip is however embedded in several other Fedora packages:
Fedora 32:
$ repoquery -q --repo={fedora,updates} --releasever 32 --latest=1 --whatprovides 'bundled(python*-pip)' --whatprovides 'bundled(python*dist(pip))' --source
pipenv-2018.11.26-13.fc32.src.rpm
python34-3.4.10-11.fc32.src.rpm
Fedora 33:
$ repoquery -q --repo={fedora,updates} --releasever 33 --latest=1 --whatprovides 'bundled(python*-pip)' --whatprovides 'bundled(python*dist(pip))' --source
jython-2.7.1-14.fc33.src.rpm
pipenv-2020.8.13-1.fc33.src.rpm
pypy-7.3.1-2.fc33.src.rpm
python2.7-2.7.18-8.fc33.src.rpm
python3.5-3.5.10-5.fc33.src.rpm
Fedora 34:
$ repoquery -q --repo={fedora,updates} --releasever 34 --latest=1 --whatprovides 'bundled(python*-pip)' --whatprovides 'bundled(python*dist(pip))' --source
jython-2.7.1-16.fc34.src.rpm
pipenv-2020.11.15-2.fc34.src.rpm
pypy-7.3.1-3.fc34.src.rpm
python2.7-2.7.18-9.fc34.src.rpm
python3.5-3.5.10-5.fc34.src.rpm
Fedora 35 (Rawhide):
$ repoquery -q --repo=rawhide --latest=1 --whatprovides 'bundled(python*-pip)' --whatprovides 'bundled(python*dist(pip))' --source
pipenv-2020.11.15-2.fc35.src.rpm
pypy-7.3.1-3.fc34.src.rpm
python2.7-2.7.18-10.fc35.src.rpm
python3.5-3.5.10-5.fc35.src.rpm
Thanks.
Upstream PR: https://github.com/pypa/pip/pull/9827 Upstream commit: https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b After a deep investigation of this issue in older pip versions in SCL, I've discovered that the older pip versions are not vulnerable when used with Python 2. The reason is that the output from git commands like `git show-ref` is processed as bytes and therefore methods like `splitlines` ignore Unicode characters. See the different implementation of console_to_str for different Pythons: https://github.com/pypa/pip/blob/281eb61b09d87765d7c2b92f6982b3fe76ccb0af/pip/compat/__init__.py#L70-L90 For example, pip 8.1.2 in combination with Python 3.6 is vulnerable: $ pip install git+https://github.com/frenzymadness/CVE-2021-3572.git@original_version Collecting git+https://github.com/frenzymadness/CVE-2021-3572.git@original_version Cloning https://github.com/frenzymadness/CVE-2021-3572.git (to original_version) to /tmp/pip-docgjnth-build … ValueError: not enough values to unpack (expected 2, got 1) $ pip install git+https://gitlab.cee.redhat.com/lbalhar/CVE-2021-3572.git@original_version Collecting git+https://gitlab.cee.redhat.com/lbalhar/CVE-2021-3572.git@original_version Cloning https://gitlab.cee.redhat.com/lbalhar/CVE-2021-3572.git (to original_version) to /tmp/pip-u2t8sr1v-build … Successfully installed cve-2021-3572-9999.0 <- vulnerable version but when I use the same version of pip with Python 2: $ pip install git+https://github.com/frenzymadness/CVE-2021-3572.git@original_version Collecting git+https://github.com/frenzymadness/CVE-2021-3572.git@original_version Cloning https://github.com/frenzymadness/CVE-2021-3572.git (to original_version) to /tmp/pip-FdQt3Z-build Installing collected packages: cve-2021-3572 Running setup.py install for cve-2021-3572 ... done Successfully installed cve-2021-3572-1.0 <- correct version $ pip install git+https://gitlab.cee.redhat.com/lbalhar/CVE-2021-3572.git@original_version Collecting git+https://gitlab.cee.redhat.com/lbalhar/CVE-2021-3572.git@original_version Cloning https://gitlab.cee.redhat.com/lbalhar/CVE-2021-3572.git (to original_version) to /tmp/pip-BRA1UZ-build Installing collected packages: cve-2021-3572 Running setup.py install for cve-2021-3572 ... done Successfully installed cve-2021-3572-1.0 <- correct version The output of the git command where a unicode character is at the end of the line looks like this in Python 2 (the last line only): '78d66bca804c673ae8458fcd264dc9be6622ea6f refs/tags/original_version\xe2\x80\xa8\n' but the bytes are not there in Python 3: '78d66bca804c673ae8458fcd264dc9be6622ea6f refs/tags/original_version\n' The same applies to the tags with an unicode character in the middle of the tags' name. Python 2, where it's only one line: '4bf1a91683406ace8b3f5a6032932b2f5e575c71 refs/tags/original_version\xe2\x80\xa8a\xe2\x80\x80a/original_version\n' and Python 3, where the split happens and the result are two lines: '4bf1a91683406ace8b3f5a6032932b2f5e575c71 refs/tags/original_version\u2028a\u2000a/original_version\n' This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3572 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4160 https://access.redhat.com/errata/RHSA-2021:4160 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4162 https://access.redhat.com/errata/RHSA-2021:4162 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4455 https://access.redhat.com/errata/RHSA-2021:4455 |