Bug 835496 (CVE-2012-2639)

Summary: CVE-2012-2639 python (SimpleHTTPServer): XSS attacks against Internet Explorer 7 via UTF-7 encoding
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Version: unspecified
CC: amcnabb, bkabrda, derks, dmalcolm, ivazqueznet, jeffrey.ness, jonathansteffan, katzj, tomspur
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-06-26 12:35:12 UTC
Bug Blocks: 835499

Description Jan Lieskovsky 2012-06-26 11:06:11 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-2639 to the following vulnerability:

The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.

References:
[1] http://bugs.python.org/issue11442
[2] http://jvn.jp/en/jp/JVN51176027/index.html
[3] http://jvndb.jvn.jp/jvndb/JVNDB-2012-000063

Relevant upstream patch:
[4] http://hg.python.org/cpython/rev/e9724d7abbc2

Comment 1 Jan Lieskovsky 2012-06-26 11:09:17 UTC
This issue did NOT affect the version of the python package, as shipped
with Red Hat Enterprise Linux 5.

--

This issue did NOT affect the version of the python package, as shipped
with Red Hat Enterprise Linux 6.

--

This issue did NOT affect the versions of the python package, as shipped
with Fedora release of 16 and 17.

This issue did NOT affect the version of the python26 package, as shipped
with Fedora EPEL 5.

This issue did NOT affect the versions of the python3 package, as shipped
with Fedora release of 16 and 17.

Comment 2 Thomas Spura 2012-06-26 11:32:20 UTC
This is a duplicate of CVE-2011-4940, described in bug #803500 and seems to be addressed already:
https://rhn.redhat.com/errata/RHSA-2012-0744.html

(I cannot access the possible rhel6 security bug, which this depends on.)

Comment 3 Jan Lieskovsky 2012-06-26 12:31:35 UTC
(In reply to comment #2)
> This is a duplicate of CVE-2011-4940, described in bug #803500

Thanks Thomas, you are right (I have had an impression I have seen this somewhere already). Will request CVE-2012-2639 id rejection then.

> and seems to
> be addressed already:
> https://rhn.redhat.com/errata/RHSA-2012-0744.html
> 
> (I cannot access the possible rhel6 security bug, which this depends on.)

And due to the corrected RHEL-6 packages, you were correct too. I have checked python-2.6.5-3.el6_0.2 before, which doesn't contain the fix yet, but obviously those from RHSA-2012-0744 (python-2.6.6-29.el6_2.2) contain it already.

Comment 4 Jan Lieskovsky 2012-06-26 12:35:12 UTC

*** This bug has been marked as a duplicate of bug 803500 ***