An issue was discovered in urllib/urllib2 in Python. CRLF injection is possible if the attacker controls the host part of the url parameter passed to urlopen(). The fix for CVE-2019-9947 is ineffective if the glibc version used by Python is still affected by CVE-2016-10739. The original fix for CVE-2019-9947 only checked the part of the URL after the port (e.g. in "http://server:7777/my/path?query" only "/my/path?query" was checked for invalid characters), so if an attacker can control the hostname part he is still able to inject HTTP headers. Due to CVE-2016-10739, getaddrinfo() resolves an invalid hostname as a valid one, so the URL can contain CRLF sequences and, at the same time, it can be resolved to a valid host. Reference: https://bugs.python.org/issue30458#msg347282
I have created a new and separate issue upstream to keep track of this CVE. https://bugs.python.org/issue38576
Created python2 tracking bugs for this issue:
Affects: fedora-all [bug 1765145]

Created python26 tracking bugs for this issue:
Affects: fedora-all [bug 1765146]

Created python3 tracking bugs for this issue:
Affects: fedora-all [bug 1765138]

Created python34 tracking bugs for this issue:
Affects: epel-all [bug 1765139]
Affects: fedora-all [bug 1765140]

Created python35 tracking bugs for this issue:
Affects: fedora-all [bug 1765141]

Created python36 tracking bugs for this issue:
Affects: epel-7 [bug 1765142]
Affects: fedora-all [bug 1765143]

Created python38 tracking bugs for this issue:
Affects: fedora-all [bug 1765144]
This flaw can be exploited only when the glibc flaw CVE-2016-10739 is not fixed, as it requires the getaddrinfo() function to resolve an invalid hostname, one containing control characters such as the CRLF sequence, as a valid one.
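The gap described above is that validation stopped at the path, while the host part was passed through unchecked. The following check, an added example that is not part of this bug report or of the upstream CPython fix, scans every component of a raw URL for control characters before handing it to urlopen(); `split_raw`, `find_control_chars` and `safe_urlopen` are names chosen here, and the sample URLs are constructed for illustration.

```python
import re
from urllib.request import urlopen

# ASCII control characters, space and DEL must never reach a request line
# or a Host header; CR (0x0d) and LF (0x0a) are the ones that end a header.
_CONTROL = re.compile(r"[\x00-\x20\x7f]")


def split_raw(url: str) -> dict:
    """Split a URL into scheme, netloc and rest WITHOUT normalising it.

    Recent urllib.parse.urlsplit() versions strip \\t, \\r and \\n before
    parsing, so a check run on its output could miss the very characters
    this function is meant to find.
    """
    scheme, sep, remainder = url.partition("://")
    if not sep:
        return {"scheme": "", "netloc": "", "rest": url}
    end = len(remainder)
    for stop in "/?#":  # netloc ends at the first path/query/fragment delimiter
        pos = remainder.find(stop)
        if pos != -1:
            end = min(end, pos)
    return {"scheme": scheme, "netloc": remainder[:end], "rest": remainder[end:]}


def find_control_chars(url: str) -> list:
    """Return [(component, offset, char), ...] for every control character."""
    hits = []
    for component, text in split_raw(url).items():
        for m in _CONTROL.finditer(text):
            hits.append((component, m.start(), m.group()))
    return hits


def safe_urlopen(url: str, **kwargs):
    """Reject a URL that could smuggle a header line, else delegate to urlopen()."""
    hits = find_control_chars(url)
    if hits:
        raise ValueError(f"refusing to fetch {url!r}: control characters at {hits}")
    return urlopen(url, **kwargs)


if __name__ == "__main__":
    # Constructed samples: the same URL shape as in the report, once with a
    # CRLF in the host part (the component the original fix did not inspect).
    print(find_control_chars("http://server\r\n:7777/my/path?query"))  # netloc hits
    print(find_control_chars("http://server:7777/my/path?query"))      # []
```

Because the scan runs on the raw string rather than on a parsed and normalised result, a hostname that getaddrinfo() would still happily resolve is rejected before any socket is opened.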
The new Python issue is https://bugs.python.org/issue38576
FEDORA-2020-8bdd3fd7a4 has been pushed to the Fedora 32 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-2020-ea5bdbcc90 has been pushed to the Fedora 31 stable repository. If the problem still persists, please make note of it in this bug report.
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4285 https://access.redhat.com/errata/RHSA-2020:4285
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-18348
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4273 https://access.redhat.com/errata/RHSA-2020:4273
Statement: This issue does not affect the versions of python and python3 as shipped with Red Hat Enterprise Linux 7.7 and above, because the glibc flaw CVE-2016-10739 was fixed in RHSA-2019:2118-03, which makes this bug not exploitable. This issue does not affect the versions of python and python3 as shipped with Red Hat Enterprise Linux 8, because its glibc is not vulnerable to CVE-2016-10739, making this bug not exploitable.