An issue was discovered in urllib/urllib2 in Python. CRLF injection is possible if the attacker controls the host part of the url parameter passed to urlopen().
The fix for CVE-2019-9947 is ineffective if the glibc version used by python is still affected by CVE-2016-10739. The original fix for CVE-2019-9947 only checked the part of the URL after the port (e.g. in "http://server:7777/my/path?query" only "/my/path?query" was checked for invalid characters), so if an attacker can control the hostname part, he is still able to inject HTTP headers. Due to CVE-2016-10739, getaddrinfo() resolves an invalid hostname as a valid one, so the URL can contain CRLF sequences and, at the same time, it can be resolved to a valid host.
I have created a new and separate issue upstream to keep track of this CVE.
Created python2 tracking bugs for this issue:
Affects: fedora-all [bug 1765145]
Created python26 tracking bugs for this issue:
Affects: fedora-all [bug 1765146]
Created python3 tracking bugs for this issue:
Affects: fedora-all [bug 1765138]
Created python34 tracking bugs for this issue:
Affects: epel-all [bug 1765139]
Affects: fedora-all [bug 1765140]
Created python35 tracking bugs for this issue:
Affects: fedora-all [bug 1765141]
Created python36 tracking bugs for this issue:
Affects: epel-7 [bug 1765142]
Affects: fedora-all [bug 1765143]
Created python38 tracking bugs for this issue:
Affects: fedora-all [bug 1765144]
This issue affects the versions of python and python3 as shipped with Red Hat Enterprise Linux 7; however, users running Red Hat Enterprise Linux 7.7 and above are not vulnerable because glibc flaw CVE-2016-10739 was fixed in RHSA-2019:2118-03, which makes this bug not exploitable.
This flaw can be exploited only when glibc flaw CVE-2016-10739 is not fixed, as it requires the getaddrinfo() function to resolve an invalid hostname, containing control characters like the CRLF sequence, as a valid one.
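The gap described in the report above (the CVE-2019-9947 check covered only the path and query, not the host) and the condition restated in the Red Hat note can be seen in a small validation routine. The following is an added example written for this page; it is not code from the report, from CPython, or from Red Hat. The function names (split_url, find_control_chars, safe_urlopen), the opener parameter and the sample URLs are constructed for illustration. The character class follows the one CPython's http.client uses to reject control characters in the request target; the URL is split with plain string operations because newer urllib.parse.urlsplit versions strip CR and LF before parsing, which would hide exactly the bytes the check is looking for.

```python
import re
from urllib.request import urlopen

# NUL..SPACE and DEL: the control characters that must never reach the request
# line or the Host header. CR (0x0d) and LF (0x0a) fall inside this class.
DISALLOWED_RE = re.compile(r"[\x00-\x20\x7f]")


def split_url(url):
    """Split a URL into (scheme, netloc, rest) with plain string operations.

    urllib.parse.urlsplit is deliberately not used: recent versions strip
    CR/LF/TAB from their input before parsing, so a host containing CRLF
    would come back looking clean.
    """
    scheme, sep, remainder = url.partition("://")
    if not sep:
        return "", "", url
    for i, ch in enumerate(remainder):
        if ch in "/?#":
            return scheme, remainder[:i], remainder[i:]
    return scheme, remainder, ""


def find_control_chars(url):
    """Return the names of the URL components containing disallowed characters.

    Checking only `rest` reproduces the scope of the original CVE-2019-9947
    fix (path and query only); checking `netloc` as well closes the host gap
    the report describes.
    """
    scheme, netloc, rest = split_url(url)
    bad = []
    if DISALLOWED_RE.search(netloc):
        bad.append("host")
    if DISALLOWED_RE.search(rest):
        bad.append("path")
    return bad


def safe_urlopen(url, opener=urlopen):
    """Refuse to open a URL whose host or path carries control characters.

    `opener` is a hypothetical hook so the check can be exercised without
    network access; by default it is urllib.request.urlopen.
    """
    bad = find_control_chars(url)
    if bad:
        raise ValueError("control characters in URL %s" % "/".join(bad))
    return opener(url)


if __name__ == "__main__":
    # Constructed sample inputs (not taken from the report).
    clean = "http://server:7777/my/path?query"
    host_crlf = "http://server\r\nX-Constructed: 1:7777/my/path"
    path_crlf = "http://server:7777/my/path\r\nX-Constructed: 1"
    for u in (clean, host_crlf, path_crlf):
        print(repr(u), "->", find_control_chars(u) or "ok")
```

A path-only check would report the second sample as clean, which is the situation the report describes; the host component must be validated before the URL is handed to urlopen(), independently of whether the system resolver happens to reject invalid hostnames.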