Bug 2047376 (CVE-2022-0391)
| Summary: | CVE-2022-0391 python: urllib.parse does not sanitize URLs containing ASCII newline and tabs | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bdettelb, carl, caswilli, cstratak, extras-orphan, fjansen, gkamathe, hhorak, jburrell, jcastran, jorton, jwong, kaycoth, lbalhar, manisandro, mhroncok, micjohns, psegedy, pviktori, python-maint, python-sig, rfreiman, saroy, sthirugn, thrnciar, TicoTimo, torsava, tsasak, vstinner |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | python 3.10.0b1, python 3.9.5, python 3.8.11, python 3.7.11, python 3.6.14 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-05-11 03:46:29 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2047577, 2047578, 2047579, 2047580, 2047581, 2047582, 2047583, 2047584, 2047585, 2047587, 2048471, 2048472, 2048473, 2048474, 2048475, 2048476, 2048477, 2048479, 2048480, 2050109, 2050110, 2050625, 2050626, 2064447, 2064448, 2083677, 2126651, 2130869, 2292369 | ||
| Bug Blocks: | 2034739, 2047379 | ||
|
Description
Guilherme de Almeida Suckevicz
2022-01-27 18:02:53 UTC
*** Bug 2047377 has been marked as a duplicate of this bug. *** Created mingw-python3 tracking bugs for this issue: Affects: fedora-all [bug 2047578] Created python2.7 tracking bugs for this issue: Affects: fedora-all [bug 2047579] Created python3.10 tracking bugs for this issue: Affects: fedora-all [bug 2047585] Created python3.11 tracking bugs for this issue: Affects: fedora-all [bug 2047587] Created python3.5 tracking bugs for this issue: Affects: fedora-all [bug 2047580] Created python3.6 tracking bugs for this issue: Affects: fedora-all [bug 2047581] Created python3.7 tracking bugs for this issue: Affects: fedora-all [bug 2047582] Created python3.8 tracking bugs for this issue: Affects: fedora-all [bug 2047583] Created python3.9 tracking bugs for this issue: Affects: fedora-all [bug 2047584] Created python34 tracking bugs for this issue: Affects: epel-all [bug 2047577] Sandipan, I've actually collected the versions where this was fixed and ye we have received 6 pointless outdated reports for Fedora python3.6 to python3.11 nevertheless. What is exactly the purpose? If you need that for some kind fo tracking, could you report the bugzillas but close them immediatelly? Hello Miro, I will close those kinds of tracking bugs from now on. Thanks. This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:1663 https://access.redhat.com/errata/RHSA-2022:1663 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1764 https://access.redhat.com/errata/RHSA-2022:1764 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1821 https://access.redhat.com/errata/RHSA-2022:1821 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-0391 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:6457 https://access.redhat.com/errata/RHSA-2022:6457 Created mingw-python3 tracking bugs for this issue: Affects: fedora-all [bug 2292369] @saroy could you please check the versions before creating new trackers? As pointed out in comment 3 here in the same bugzilla by Miro from January 2021, we have received pointless trackers for components where the vulnerability is not present because we ship newer versions. Now, you've created trackers for Python 3.9 in RHEL 9. The vulnerability is fixed in 3.9.5 (as you can see here for years now) and we have 3.9.19 in RHEL 9. The vulnerability was fixed by the update to 3.9.5 in May 2021. Do you need these trackers for something special? If so, could you please check the versions of the affected components and close the trackers immediately, or not create them at all? According to the CVE RHEL 9 is affected, and not fixed yet. https://access.redhat.com/security/cve/CVE-2022-0391 Products / Services Components State Red Hat Enterprise Linux 9 python3.9 Affected > The vulnerability is fixed in 3.9.5 (as you can see here for years now) and we have 3.9.19 in RHEL 9. The vulnerability was fixed by the update to 3.9.5 in May 2021. Are you saying that RHEL 9 was never vulnerable? (In reply to jcastran from comment #35) > According to the CVE RHEL 9 is affected, and not fixed yet. > > https://access.redhat.com/security/cve/CVE-2022-0391 > > Products / Services Components State > Red Hat Enterprise Linux 9 python3.9 Affected > > > The vulnerability is fixed in 3.9.5 (as you can see here for years now) and we have 3.9.19 in RHEL 9. The vulnerability was fixed by the update to 3.9.5 in May 2021. > > Are you saying that RHEL 9 was never vulnerable? Correct. RHEL 9 was never affected. We had Python 3.9.6 in RHEL 9.0.0 beta and version 3.9.10 in RHEL 9.0.0 GA. See https://errata.devel.redhat.com/advisory/81331/builds |