urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call. Reference: https://bugs.python.org/issue35907 https://github.com/python/cpython/pull/11842
Created python-urllib3 tracking bugs for this issue: Affects: fedora-all [bug 1695599]
Created python3-urllib3 tracking bugs for this issue: Affects: epel-all [bug 1695600]
Created python3 tracking bugs for this issue: Affects: fedora-all [bug 1698976] Created python34 tracking bugs for this issue: Affects: fedora-all [bug 1698977] Created python35 tracking bugs for this issue: Affects: fedora-all [bug 1698978]
Created python34 tracking bugs for this issue: Affects: epel-all [bug 1698979]
Created python36 tracking bugs for this issue: Affects: epel-7 [bug 1698980]
Created python37 tracking bugs for this issue: Affects: fedora-28 [bug 1698981]
Created python36 tracking bugs for this issue: Affects: fedora-29 [bug 1698982]
IMO this should get to Fedora via a upstream release; we should not backport this. urlopen handles many URL schemes; blacklists are generally insecure.
Created python3 tracking bugs for this issue: Affects: fedora-all [bug 1700688]
Setting Attack Complexity (AC) to High as the attacker needs both an application that just blacklist the "file://" (but not "local_file://") protocol and he needs full control of the "url" paramater supplied to urlopen() function.
local_file:// protocol is not documented anywhere, thus the problem with this flaw. An application may have been written to just blacklist "file://" protocol, without knowing that "local_file://" could achieve the same functions, allowing access to local files.
Mitigation: If your application uses a blacklist to prevent "file://" schema from being used, consider using a whitelist approach to just allow the schemas you want or add "local_file://" schema to your blacklist.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2019:1700 https://access.redhat.com/errata/RHSA-2019:1700
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-9948
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2030 https://access.redhat.com/errata/RHSA-2019:2030
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3335 https://access.redhat.com/errata/RHSA-2019:3335
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3520 https://access.redhat.com/errata/RHSA-2019:3520
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.5 Extended Update Support Via RHSA-2020:1268 https://access.redhat.com/errata/RHSA-2020:1268
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support Red Hat Enterprise Linux 7.4 Telco Extended Update Support Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions Via RHSA-2020:1346 https://access.redhat.com/errata/RHSA-2020:1346
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2020:1462 https://access.redhat.com/errata/RHSA-2020:1462