A vulnerability was found in Python 2.7.x through 2.7.16 and 3.x through 3.7.2. An improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization could lead to an Information Disclosure (credentials, cookies, etc. that are cached against a given hostname) in the urllib.parse.urlsplit, urllib.parse.urlparse components. A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.

References:
https://bugs.python.org/issue36216
https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html

Upstream Patch:
https://github.com/python/cpython/pull/12201
Created python3 tracking bugs for this issue:
Affects: fedora-all [bug 1688546]

Created python34 tracking bugs for this issue:
Affects: epel-all [bug 1688552]
Affects: fedora-all [bug 1688549]

Created python35 tracking bugs for this issue:
Affects: fedora-all [bug 1688550]

Created python36 tracking bugs for this issue:
Affects: epel-7 [bug 1688547]
Affects: fedora-29 [bug 1688544]

Created python37 tracking bugs for this issue:
Affects: fedora-28 [bug 1688545]
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2019:0710 https://access.redhat.com/errata/RHSA-2019:0710
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:0765 https://access.redhat.com/errata/RHSA-2019:0765
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:0806 https://access.redhat.com/errata/RHSA-2019:0806
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:0902 https://access.redhat.com/errata/RHSA-2019:0902
The CVE fix we pushed unfortunately introduced a regression, fixed by https://bugs.python.org/issue36742
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2019:0981 https://access.redhat.com/errata/RHSA-2019:0981
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2019:0997 https://access.redhat.com/errata/RHSA-2019:0997
This flaw also affects the versions of python as shipped with Red Hat Enterprise Linux 5 and 6, which are, respectively, python 2.4 and 2.6.
The flaw was reproduced both on python 2.4 shipped with Red Hat Enterprise Linux 5 and on python 2.6 shipped with Red Hat Enterprise Linux 6.
This flaw affects applications that process untrusted URLs and store credentials, cookies or other kinds of information based on the domain name of the URL, when encoded with Punycode/Internationalizing Domain Names in Applications (IDNA), more precisely the netloc component returned by urlparse()/urlsplit(). Assuming an application has cookies stored for the netloc "redhat.com", an attacker may construct a URL that, when encoded with IDNA and parsed through urlparse()/urlsplit(), would indicate "redhat.com" as netloc, even though the connection would be made to the attacker-controlled host, possibly leaking the information that was associated with "redhat.com".
External References: https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html
netloc is the part of a URL that includes <user>:<password>@<host>:<port>. See https://tools.ietf.org/html/rfc1808.html#section-2.1 for more information about netloc.
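The following is an added example, not code from CPython, the upstream patch or any Red Hat package: a check in the spirit of the upstream fix that flags a netloc (as defined above) which only gains one of the delimiters `/?#@:` after NFKC normalization, which is what lets the parsed host differ from the host IDNA encoding would connect to. The helper names `netloc_nfkc_problem`, `safe_urlsplit` and the sample netlocs in `SAMPLE_NETLOCS` are my own constructions.

```python
import unicodedata
from typing import Optional
from urllib.parse import SplitResult, urlsplit

# Characters that separate or end the pieces of a netloc (<user>:<password>@<host>:<port>).
# IDNA applies NFKC, so a netloc that gains one of these only after normalization
# names a different host than the one urlsplit() reported.
NETLOC_DELIMITERS = "/?#@:"

# Constructed sample netlocs: the first two are stable under NFKC; U+2100
# (ACCOUNT OF) normalizes to "a/c" and U+FF03 (FULLWIDTH NUMBER SIGN) to "#".
SAMPLE_NETLOCS = ("example.com", "b\u00fccher.example",
                  "example.com\u2100host.example", "example.com\uff03host.example")

def netloc_nfkc_problem(netloc: str) -> Optional[str]:
    """Describe why the netloc is unsafe, or return None if it is stable.

    Delimiters literally present (a genuine user:password@host:port) are
    stripped first, so only delimiters *introduced* by NFKC are flagged.
    Hypothetical helper written for this page, not CPython's own function.
    """
    if not netloc or netloc.isascii():
        return None                      # NFKC leaves ASCII unchanged
    stripped = netloc
    for delim in NETLOC_DELIMITERS:
        stripped = stripped.replace(delim, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return None                      # e.g. precomposed "\u00fc" is stable
    introduced = [c for c in NETLOC_DELIMITERS if c in normalized]
    if not introduced:
        return None                      # changed, but no delimiter appeared
    return (f"netloc {netloc!r} normalizes to {normalized!r}, "
            f"introducing delimiter(s) {introduced}")

def safe_urlsplit(url: str) -> SplitResult:
    """urlsplit() that rejects URLs whose netloc gains delimiters under NFKC."""
    parts = urlsplit(url)
    problem = netloc_nfkc_problem(parts.netloc)
    if problem is not None:
        raise ValueError(problem)
    return parts

if __name__ == "__main__":
    for netloc in SAMPLE_NETLOCS:
        print(repr(netloc), "->", netloc_nfkc_problem(netloc))
```

On an interpreter that already carries the upstream patch, urlsplit() itself raises ValueError for such a netloc before the wrapper's check runs, so the wrapper only adds explicit coverage on unpatched interpreters.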
In reply to comment #36:
> The CVE fix we pushed unfortunately introduced a regression, fixed by
> https://bugs.python.org/issue36742

The initial fix for this regression can be found at https://github.com/python/cpython/commit/d537ab0ff9767ef024f26246899728f0116b1ec3. However, alone it would re-introduce this vulnerability, CVE-2019-9636, thus it requires https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e to be complete.
In reply to comment #50:
> In reply to comment #36:
> > The CVE fix we pushed unfortunately introduced a regression, fixed by
> > https://bugs.python.org/issue36742
>
> The initial fix for this regression can be found at
> https://github.com/python/cpython/commit/d537ab0ff9767ef024f26246899728f0116b1ec3.
> However, alone it would re-introduce this vulnerability, CVE-2019-9636, thus
> it requires
> https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e to be complete.

Reference: https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html
CVE-2019-10160 has been assigned to this security regression.

In reply to comment #50:
> In reply to comment #36:
> > The CVE fix we pushed unfortunately introduced a regression, fixed by
> > https://bugs.python.org/issue36742
>
> The initial fix for this regression can be found at
> https://github.com/python/cpython/commit/d537ab0ff9767ef024f26246899728f0116b1ec3.
> However, alone it would re-introduce this vulnerability, CVE-2019-9636, thus
> it requires https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e to be complete.

CVE-2019-10160 has been assigned to the security regression introduced with https://github.com/python/cpython/commit/d537ab0ff9767ef024f26246899728f0116b1ec3
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2019:1467 https://access.redhat.com/errata/RHSA-2019:1467
In reply to comment #55:
> This issue has been addressed in the following products:
>
> Red Hat Enterprise Linux 6
>
> Via RHSA-2019:1467 https://access.redhat.com/errata/RHSA-2019:1467

CVE-2019-10160 was discovered by Red Hat during the development of the Red Hat Enterprise Linux 6 patch, thus RHSA-2019:1467 was directly shipped with the proper fix for CVE-2019-9636. The security regression CVE-2019-10160 was not introduced in RHEL 6.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:2980 https://access.redhat.com/errata/RHSA-2019:2980
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7.4 Advanced Update Support
Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2019:3170 https://access.redhat.com/errata/RHSA-2019:3170