Bug 1695572 (CVE-2019-9947) - CVE-2019-9947 python: CRLF injection via the path part of the url passed to urlopen()
Summary: CVE-2019-9947 python: CRLF injection via the path part of the url passed to u...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-9947
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190323,repor...
Depends On: 1698979 1703531 1703533 1703537 1703539 1709394 1698976 1698977 1698978 1698980 1698981 1698982 1700684 1703530 1703532 1703534 1703535 1703536 1703538 1709403
Blocks: 1695712
TreeView+ depends on / blocked
 
Reported: 2019-04-03 11:41 UTC by Dhananjay Arunesh
Modified: 2019-08-06 12:04 UTC (History)
23 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:53:03 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1260 None None None 2019-05-22 12:01:54 UTC
Python 30458 None None None 2019-04-10 12:40:27 UTC
Red Hat Product Errata RHSA-2019:2030 None None None 2019-08-06 12:04:54 UTC

Description Dhananjay Arunesh 2019-04-03 11:41:01 UTC
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in
Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a
url parameter, as demonstrated by the first argument to urllib.request.urlopen
with \r\n (specifically in the path component of a URL) followed by an HTTP
header or a Redis command. This is similar to CVE-2019-9740 query string issue.

Reference:
https://bugs.python.org/issue35906

Comment 1 Dhananjay Arunesh 2019-04-03 12:06:22 UTC
Created python-urllib3 tracking bugs for this issue:

Affects: fedora-all [bug 1695599]

Comment 2 Dhananjay Arunesh 2019-04-03 12:06:55 UTC
Created python3-urllib3 tracking bugs for this issue:

Affects: epel-all [bug 1695600]

Comment 3 Victor Stinner 2019-04-10 12:40:28 UTC
The main Python issue became https://bugs.python.org/issue30458 which is a superseder of multiple issues. The issue is known somehow since 2011.

A first issue about HTTP Header Injection has been reported and then fixed in 2014, CVE-2016-5699 has been assigned to this issue:
https://bugs.python.org/issue22928

In 2017, a new issue has been reported because bpo-22928 https://bugs.python.org/issue22928 fix is incomplete, CVE-2019-9740 and CVE-2019-9947 have been assigned to this new issue:
https://bugs.python.org/issue30458

For more info about the history of this issue, see:
https://bugs.python.org/issue30458#msg339846

--

Vulnerable Python modules:

* urllib and/or urllib2 of Python 2
* urllib of Python 3
* urllib3

urllib3 is not part of Python standard library, it's hosted at https://github.com/urllib3/urllib3 and it is used inside the popular requests module.

The urllib3 issue is tracked at:
https://github.com/urllib3/urllib3/issues/1553

Comment 4 Dhananjay Arunesh 2019-04-11 14:24:39 UTC
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1698976]


Created python34 tracking bugs for this issue:

Affects: fedora-all [bug 1698977]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1698978]

Comment 5 Dhananjay Arunesh 2019-04-11 14:25:11 UTC
Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1698979]

Comment 6 Dhananjay Arunesh 2019-04-11 14:26:03 UTC
Created python36 tracking bugs for this issue:

Affects: epel-7 [bug 1698980]

Comment 7 Dhananjay Arunesh 2019-04-11 14:26:36 UTC
Created python37 tracking bugs for this issue:

Affects: fedora-28 [bug 1698981]

Comment 8 Dhananjay Arunesh 2019-04-11 14:27:08 UTC
Created python36 tracking bugs for this issue:

Affects: fedora-29 [bug 1698982]

Comment 9 Dhananjay Arunesh 2019-04-17 07:39:38 UTC
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1700684]

Comment 10 Riccardo Schirone 2019-04-26 14:44:19 UTC
> Vulnerable Python modules:
> 
> * urllib and/or urllib2 of Python 2
> * urllib of Python 3
> * urllib3
> 
> urllib3 is not part of Python standard library, it's hosted at https://github.com/urllib3/urllib3 and it is used inside the popular requests module.
> 
> The urllib3 issue is tracked at:
> https://github.com/urllib3/urllib3/issues/1553

See CVE-2019-11236 (bug 1700824)

Comment 11 Riccardo Schirone 2019-04-26 14:45:46 UTC
With regard to the urllib module in python, there is still no fix accepted upstream.

Comment 15 Riccardo Schirone 2019-05-06 12:05:37 UTC
This flaw should be fixed by the same fix used for CVE-2019-9740.

Comment 16 errata-xmlrpc 2019-05-22 12:01:53 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1260 https://access.redhat.com/errata/RHSA-2019:1260

Comment 17 Riccardo Schirone 2019-07-05 07:51:09 UTC
This flaw is about CLRF sequences that are not properly handled in python built-in modules urllib/urllib2 in the *path* part of the url parameter of urlopen() function.

Comment 18 Riccardo Schirone 2019-07-05 11:46:10 UTC
In reply to comment #15:
> This flaw should be fixed by the same fix used for CVE-2019-9740.

The fix for CVE-2019-9740 (https://github.com/python/cpython/pull/12755/files) does not correctly cover the case when the CRLF sequences are in the hostname part of the URL. However, when that is the case, glibc getaddrinfo() function should return an error when trying to resolve the invalid hostname, assuming glibc is not vulnerable to CVE-2016-10739. When glibc is still vulnerable to CVE-2016-10739, a proper fix in python is required to properly validate the hostname part of the URL and to prevent CRLF sequences injection.

Comment 20 Riccardo Schirone 2019-07-10 08:41:47 UTC
Reference:
https://python-security.readthedocs.io/vuln/http-header-injection2.html

Comment 21 errata-xmlrpc 2019-08-06 12:04:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2030 https://access.redhat.com/errata/RHSA-2019:2030


Note You need to log in before you can comment on or make changes to this bug.