Bug 1303699 (CVE-2016-5699) - CVE-2016-5699 python: http protocol steam injection attack
Summary: CVE-2016-5699 python: http protocol steam injection attack
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-5699
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1331391 1331392 1331393 1346354 1346355 1346356 1346357 1346358 1346359 1346360 1346361 1348982 1351685 1351687 1351691 1351692 1351694
Blocks: 1303701
TreeView+ depends on / blocked
 
Reported: 2016-02-01 17:02 UTC by Adam Mariš
Modified: 2019-09-29 13:43 UTC (History)
22 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that the Python's httplib library (used by urllib, urllib2 and others) did not properly check HTTPConnection.putheader() function arguments. An attacker could use this flaw to inject additional headers in a Python application that allowed user provided header names or values.
Clone Of:
Environment:
Last Closed: 2016-08-18 20:55:59 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1626 0 normal SHIPPED_LIVE Moderate: python security update 2016-08-18 22:39:32 UTC
Red Hat Product Errata RHSA-2016:1627 0 normal SHIPPED_LIVE Moderate: rh-python35-python security update 2016-08-18 21:57:16 UTC
Red Hat Product Errata RHSA-2016:1628 0 normal SHIPPED_LIVE Moderate: python27-python security update 2016-08-19 00:07:06 UTC
Red Hat Product Errata RHSA-2016:1629 0 normal SHIPPED_LIVE Moderate: python33-python security update 2016-08-19 00:26:12 UTC
Red Hat Product Errata RHSA-2016:1630 0 normal SHIPPED_LIVE Moderate: rh-python34-python security update 2016-08-19 00:25:58 UTC

Description Adam Mariš 2016-02-01 17:02:48 UTC 
A vulnerability in Python's http, ftp and url libraries was reported, allowing to inject additional HTTP headers and more.

* Upstream bug:
https://bugs.python.org/issue22928

* Upstream patches
Python 3.4 / 3.5 : revision 94952 : https://hg.python.org/cpython/rev/bf3e1c9b80e9
Python 2.7 : revision 94951 : https://hg.python.org/cpython/rev/1c45047c5102

Additional note : 
When used in combination with flaw described in BZ 1347549, an attacker could direct an HTTP connection to a malicious server, using the following combined issues:

* Python's httplib does not validate HTTP header values. A malicious 'Host' header with quoted new lines can inject additional headers and more
* glibc's getaddrinfo() ignores new lines and everything after a new line character when the first part looks like a IPv4 address

See the following blog post for additional information:
http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
Comment 6 Martin Prpič 2016-04-28 12:37:16 UTC 
Created python tracking bugs for this issue:

Affects: fedora-all [bug 1331391]
Comment 7 Martin Prpič 2016-04-28 12:37:24 UTC 
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1331390]
Comment 8 Martin Prpič 2016-04-28 12:37:30 UTC 
Created python26 tracking bugs for this issue:

Affects: epel-5 [bug 1331393]
Comment 9 Martin Prpič 2016-04-28 12:37:37 UTC 
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1331392]
Comment 11 Cedric Buissart 2016-05-17 15:05:01 UTC 
For the moment, setting glibc as wontfix as per comment 4.
Comment 12 Cedric Buissart 2016-05-23 15:47:20 UTC 
Python upstream fix for branch 2.7 : 
https://hg.python.org/cpython/rev/1c45047c5102
Comment 18 Andrej Nemec 2016-06-17 06:49:11 UTC 
CVE assignment:

http://seclists.org/oss-sec/2016/q2/561

Mitre has assigned this CVE for the Python part of this vulnerability as noted in the CVE assignment post.
Comment 20 Cedric Buissart 2016-06-22 12:25:42 UTC 
Created python34 tracking bugs for this issue:

Affects: epel-7 [bug 1348973]
Comment 21 Cedric Buissart 2016-06-22 12:44:08 UTC 
Created python34 tracking bugs for this issue:

Affects: epel-7 [bug 1348982]
Comment 22 Miro Hrončok 2016-06-30 12:41:41 UTC 
Also affects pypy3 in Fedora
Comment 23 Cedric Buissart 2016-06-30 14:53:35 UTC 
Created pypy tracking bugs for this issue:

Affects: fedora-all [bug 1351685]
Comment 24 Cedric Buissart 2016-06-30 14:53:53 UTC 
Created pypy3 tracking bugs for this issue:

Affects: fedora-all [bug 1351687]
Comment 25 Cedric Buissart 2016-06-30 15:02:44 UTC 
Created pypy tracking bugs for this issue:

Affects: epel-5 [bug 1351691]
Affects: epel-6 [bug 1351692]
Affects: epel-7 [bug 1351694]
Comment 26 Fedora Update System 2016-07-05 04:54:43 UTC 
pypy3-2.4.0-6.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 27 Fedora Update System 2016-07-05 08:24:23 UTC 
python3-3.4.3-9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 28 Fedora Update System 2016-07-12 02:20:45 UTC 
pypy3-2.4.0-3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 29 Fedora Update System 2016-07-12 02:24:40 UTC 
pypy3-2.4.0-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 30 Fedora Update System 2016-07-30 18:20:38 UTC 
python34-3.4.3-5.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Comment 31 errata-xmlrpc 2016-08-18 18:04:23 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS

Via RHSA-2016:1627 https://rhn.redhat.com/errata/RHSA-2016-1627.html
Comment 32 errata-xmlrpc 2016-08-18 18:40:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2016:1626 https://rhn.redhat.com/errata/RHSA-2016-1626.html
Comment 33 errata-xmlrpc 2016-08-18 20:08:44 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2016:1628 https://rhn.redhat.com/errata/RHSA-2016-1628.html
Comment 34 errata-xmlrpc 2016-08-18 20:29:40 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2016:1630 https://rhn.redhat.com/errata/RHSA-2016-1630.html
Comment 35 errata-xmlrpc 2016-08-18 20:30:57 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2016:1629 https://rhn.redhat.com/errata/RHSA-2016-1629.html
Note You need to log in before you can comment on or make changes to this bug.