Bug 1688169 (CVE-2019-9740) - CVE-2019-9740 python: CRLF injection via the query part of the url passed to urlopen()
Summary: CVE-2019-9740 python: CRLF injection via the query part of the url passed to ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-9740
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190313,repor...
Depends On: 1704365 1704367 1704369 1704371 1706853 1706855 1709391 1688170 1688657 1692983 1692984 1703458 1704362 1704364 1704366 1704368 1704370 1704372 1706849 1706850 1706851 1706852 1706854 1709407
Blocks: 1688174
Reported: 2019-03-13 10:20 UTC by Dhananjay Arunesh
Modified: 2019-08-13 12:49 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:50:42 UTC

Links
System                  ID              Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2019:1260  None      None    None     2019-05-22 12:01:52 UTC
Red Hat Product Errata  RHSA-2019:2030  None      None    None     2019-08-06 12:04:51 UTC

Description Dhananjay Arunesh 2019-03-13 10:20:06 UTC
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n followed by an HTTP header or a Redis command.

Reference:
https://bugs.python.org/issue36276

Comment 1 Dhananjay Arunesh 2019-03-13 10:20:35 UTC
Created python-urllib3 tracking bugs for this issue:

Affects: fedora-all [bug 1688170]

Comment 2 Hardik Vyas 2019-03-14 07:38:07 UTC
[Deleted]

Comment 7 Riccardo Schirone 2019-04-05 15:19:45 UTC
> Reference:
> https://bugs.python.org/issue36276

This has been marked as duplicate of https://bugs.python.org/issue30458

Comment 10 Hardik Vyas 2019-04-26 14:01:09 UTC
Statement:

This issue affects:
* All current versions of Red Hat OpenStack Platform. However, version 8 is due to retire on the 20th of April 2019, and there are no more planned releases prior to this date.

Comment 15 Riccardo Schirone 2019-05-06 11:57:43 UTC
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1706851]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1706855]
Affects: fedora-all [bug 1706852]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1706853]


Created python36 tracking bugs for this issue:

Affects: epel-7 [bug 1706854]
Affects: fedora-29 [bug 1706850]


Created python37 tracking bugs for this issue:

Affects: fedora-28 [bug 1706849]

Comment 16 Riccardo Schirone 2019-05-06 12:00:11 UTC
Upstream patch PR (merged upstream):
https://github.com/python/cpython/pull/12755

Comment 18 errata-xmlrpc 2019-05-22 12:01:51 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1260 https://access.redhat.com/errata/RHSA-2019:1260

Comment 19 Riccardo Schirone 2019-07-05 07:50:52 UTC
This flaw is about CRLF sequences that are not properly handled in the Python built-in modules urllib/urllib2 in the *query* part of the url parameter of the urlopen() function.
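A defensive check for the behaviour described in the bug description and in comment 19, written as an added example for this page (not code from the CPython fix or from this bug): it rejects control characters in the raw URL string the way the patched http.client does, and shows what an unpatched client would have put on the request line. The helper names request_target, request_lines, validate_url and is_safe_url are hypothetical, and the sample URLs are constructed.

```python
import re
from http.client import InvalidURL

# Character class rejected by the upstream fix for bpo-30458 (the issue this
# CVE was marked a duplicate of): ASCII control characters, space and DEL.
# A raw CR or LF in the request target would otherwise terminate the request
# line early and send the remainder of the query as extra header lines.
_DISALLOWED_URL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def request_target(url: str) -> str:
    """Path plus query as an unpatched client would place it on the request
    line. Assumes an absolute http(s) URL; the fragment is not sent.
    (Hypothetical helper written for this example.)"""
    rest = url.split("/", 3)[3] if url.count("/") >= 3 else ""
    return "/" + rest.split("#", 1)[0]


def request_lines(url: str) -> list:
    """Lines an unpatched client would emit for the request line. More than
    one line means the query spilled into attacker-controlled header lines."""
    line = "GET %s HTTP/1.1\r\n" % request_target(url)
    return [part for part in line.split("\r\n") if part]


def validate_url(url: str) -> str:
    """Reject URLs containing control characters, mirroring the check the
    patched http.client performs in putrequest(). The check runs on the raw
    string on purpose: recent urllib.parse.urlsplit strips tab, CR and LF
    before parsing, so a check on the parsed components would miss them."""
    match = _DISALLOWED_URL_CHARS.search(url)
    if match:
        raise InvalidURL("URL can't contain control characters: %r" % match.group(0))
    return url


def is_safe_url(url: str) -> bool:
    """Boolean form of validate_url() for callers that prefer not to catch."""
    try:
        validate_url(url)
    except InvalidURL:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a benign query and one carrying a raw CRLF.
    benign = "http://127.0.0.1/search?q=python"
    hostile = "http://127.0.0.1/search?q=python\r\nX-Injected: 1"
    print(request_lines(hostile))  # two lines: the query became a header line
    print(is_safe_url(benign), is_safe_url(hostile))  # True False
```

Percent-encoded sequences such as %0d%0a stay encoded on the wire and pass the check; only raw control characters are rejected.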

Comment 21 errata-xmlrpc 2019-08-06 12:04:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2030 https://access.redhat.com/errata/RHSA-2019:2030
