Bug 1695570 (CVE-2019-9948) - CVE-2019-9948 python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms
Summary: CVE-2019-9948 python: Undocumented local_file protocol allows remote attacker...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-9948
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1704177 1698977 1698978 1698979 1698980 1698981 1698982 1700687 1700688 1704174 1704175 1704176 1709404 1714640 1714641 1714642 1714643
Blocks: 1695712
TreeView+ depends on / blocked
 
Reported: 2019-04-03 11:36 UTC by Dhananjay Arunesh
Modified: 2019-11-05 21:06 UTC (History)
21 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-12 13:06:57 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2496 None None None 2019-08-19 08:09:08 UTC
Red Hat Product Errata RHSA-2019:1700 None None None 2019-07-08 14:32:42 UTC
Red Hat Product Errata RHSA-2019:2030 None None None 2019-08-06 12:04:54 UTC
Red Hat Product Errata RHSA-2019:3335 None None None 2019-11-05 20:38:03 UTC
Red Hat Product Errata RHSA-2019:3520 None None None 2019-11-05 21:06:44 UTC

Description Dhananjay Arunesh 2019-04-03 11:36:14 UTC
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes
it easier for remote attackers to bypass protection mechanisms that blacklist
file: URIs, as demonstrated by triggering a
urllib.urlopen('local_file:///etc/passwd') call.

Reference:
https://bugs.python.org/issue35907
https://github.com/python/cpython/pull/11842

Comment 1 Dhananjay Arunesh 2019-04-03 12:06:16 UTC
Created python-urllib3 tracking bugs for this issue:

Affects: fedora-all [bug 1695599]

Comment 2 Dhananjay Arunesh 2019-04-03 12:06:48 UTC
Created python3-urllib3 tracking bugs for this issue:

Affects: epel-all [bug 1695600]

Comment 3 Dhananjay Arunesh 2019-04-11 14:24:31 UTC
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1698976]


Created python34 tracking bugs for this issue:

Affects: fedora-all [bug 1698977]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1698978]

Comment 4 Dhananjay Arunesh 2019-04-11 14:25:04 UTC
Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1698979]

Comment 5 Dhananjay Arunesh 2019-04-11 14:25:57 UTC
Created python36 tracking bugs for this issue:

Affects: epel-7 [bug 1698980]

Comment 6 Dhananjay Arunesh 2019-04-11 14:26:30 UTC
Created python37 tracking bugs for this issue:

Affects: fedora-28 [bug 1698981]

Comment 7 Dhananjay Arunesh 2019-04-11 14:27:01 UTC
Created python36 tracking bugs for this issue:

Affects: fedora-29 [bug 1698982]

Comment 8 Petr Viktorin 2019-04-11 15:13:13 UTC
IMO this should get to Fedora via a upstream release; we should not backport this.
urlopen handles many URL schemes; blacklists are generally insecure.

Comment 9 Dhananjay Arunesh 2019-04-17 07:41:57 UTC
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1700688]

Comment 10 Riccardo Schirone 2019-04-29 09:21:54 UTC
Setting Attack Complexity (AC) to High as the attacker needs both an application that just blacklist the "file://" (but not "local_file://") protocol and he needs full control of the "url" paramater supplied to urlopen() function.

Comment 11 Riccardo Schirone 2019-04-29 09:23:23 UTC
local_file:// protocol is not documented anywhere, thus the problem with this flaw. An application may have been written to just blacklist "file://" protocol, without knowing that "local_file://" could achieve the same functions, allowing access to local files.

Comment 12 Riccardo Schirone 2019-04-29 09:25:44 UTC
Mitigation:

If your application uses a blacklist to prevent "file://" schema from being used, consider using a whitelist approach to just allow the schemas you want or add "local_file://" schema to your blacklist.

Comment 18 errata-xmlrpc 2019-07-08 14:32:41 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1700 https://access.redhat.com/errata/RHSA-2019:1700

Comment 19 Product Security DevOps Team 2019-07-12 13:06:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-9948

Comment 20 errata-xmlrpc 2019-08-06 12:04:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2030 https://access.redhat.com/errata/RHSA-2019:2030

Comment 21 errata-xmlrpc 2019-11-05 20:38:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3335 https://access.redhat.com/errata/RHSA-2019:3335

Comment 22 errata-xmlrpc 2019-11-05 21:06:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3520 https://access.redhat.com/errata/RHSA-2019:3520


Note You need to log in before you can comment on or make changes to this bug.