Bug 1749839 (CVE-2019-16056) - CVE-2019-16056 python: email.utils.parseaddr wrongly parses email addresses
Summary: CVE-2019-16056 python: email.utils.parseaddr wrongly parses email addresses
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-16056
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1750812 1829560 1750454 1750455 1750456 1750457 1750458 1750459 1750460 1750461 1750773 1750774 1750775 1750776 1750779 1750780 1750798 1750829 1767892 1829561
Blocks: 1748207
TreeView+ depends on / blocked
 
Reported: 2019-09-06 14:42 UTC by Riccardo Schirone
Modified: 2020-05-04 08:04 UTC (History)
19 users (show)

Fixed In Version: python 3.7.5, python 2.7.17
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-06 12:51:15 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3725 None None None 2019-11-06 09:45:34 UTC
Red Hat Product Errata RHSA-2019:3948 None None None 2019-11-25 09:24:01 UTC
Red Hat Product Errata RHSA-2020:1131 None None None 2020-03-31 19:25:48 UTC
Red Hat Product Errata RHSA-2020:1132 None None None 2020-03-31 19:25:55 UTC
Red Hat Product Errata RHSA-2020:1605 None None None 2020-04-28 15:29:32 UTC
Red Hat Product Errata RHSA-2020:1764 None None None 2020-04-28 15:50:35 UTC

Description Riccardo Schirone 2019-09-06 14:42:08 UTC
Python module `email` wrongly parses email addresses that contain multiple "@" character. An application that uses the `email` module and implements some kind of checks on the From/To headers of an email could be tricked into accepting an email address that should be denied.

Upstream issue:
https://bugs.python.org/issue34155

Upstream patches:
https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9 [master branch]
https://github.com/python/cpython/commit/217077440a6938a0b428f67cfef6e053c4f8673c [3.8]
https://github.com/python/cpython/commit/c48d606adcef395e59fd555496c42203b01dd3e8 [3.7]
https://github.com/python/cpython/commit/13a19139b5e76175bc95294d54afc9425e4f36c9 [3.6]

Comment 1 Miro Hrončok 2019-09-09 09:03:02 UTC
I've got automatically CCed to this bug as one of the Fedora's Python Maintainers yet I cannot see the blocked bz1748207. Is there a Fedora bug for this?

Comment 2 Riccardo Schirone 2019-09-09 09:39:39 UTC
In reply to comment #1:
> I've got automatically CCed to this bug as one of the Fedora's Python
> Maintainers yet I cannot see the blocked bz1748207. Is there a Fedora bug
> for this?

I will create one soon.

Comment 3 Victor Stinner 2019-09-09 10:55:11 UTC
Sadly, Python 2.7 didn't get a fix upstream yet.

Comment 4 Riccardo Schirone 2019-09-09 15:57:46 UTC
Created python2 tracking bugs for this issue:

Affects: fedora-all [bug 1750461]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1750456]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1750455]
Affects: fedora-all [bug 1750457]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1750458]


Created python36 tracking bugs for this issue:

Affects: epel-7 [bug 1750454]
Affects: fedora-all [bug 1750459]


Created python38 tracking bugs for this issue:

Affects: fedora-all [bug 1750460]

Comment 6 Miro Hrončok 2019-09-09 20:52:33 UTC
BTW python37 is also packaged in Fedora.

Comment 7 Riccardo Schirone 2019-09-10 08:50:58 UTC
Functions get_domain() in Lib/email/_header_value_parser.py and Lib/email/_parseaddr.py do not correctly handle the case where the parameter contains more than one '@' character. They do not return any error value or raise any exception, thus making it impossible for the users of those functions to know if something was wrong.

When an application uses the `email` python module to parse an email address, the wrong output of the vulnerable functions may be used to trick the application to use wrong values and impact the Confidentiality, Integrity and/or Availability of a system.

Comment 8 Riccardo Schirone 2019-09-10 08:58:21 UTC
In reply to comment #6:
> BTW python37 is also packaged in Fedora.

I see python37 only shipped in f28, which is not supported anymore.

Comment 9 Miro Hrončok 2019-09-10 09:05:08 UTC
It is shipped in rawhide (Fedora 32).

Comment 10 Riccardo Schirone 2019-09-10 09:39:57 UTC
In reply to comment #9:
> It is shipped in rawhide (Fedora 32).

I think you can fix it there without a security tracker from us. If you do need one, though, I will create it.

Comment 11 Miro Hrončok 2019-09-10 09:42:36 UTC
I know we can fix it there without a security tracker from you. I just wanted you to have all the information. If you could just open one Fedora "all the Pythons" bug instead of the current strom, it would work for us even better.

Comment 14 Riccardo Schirone 2019-09-10 13:45:08 UTC
Created python37 tracking bugs for this issue:

Affects: fedora-rawhide [bug 1750798]

Comment 15 Riccardo Schirone 2019-09-10 13:51:46 UTC
In reply to comment #11:
> I know we can fix it there without a security tracker from you. I just
> wanted you to have all the information. If you could just open one Fedora
> "all the Pythons" bug instead of the current strom, it would work for us
> even better.

I have create a tracker for fedora-rawhide/python37. We prefer to create separate trackers for each python version as they are separate packages and that way it is easier to track which versions are affected or not.

Comment 20 errata-xmlrpc 2019-11-06 09:45:32 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:3725 https://access.redhat.com/errata/RHSA-2019:3725

Comment 21 Product Security DevOps Team 2019-11-06 12:51:15 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16056

Comment 22 errata-xmlrpc 2019-11-25 09:24:00 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:3948 https://access.redhat.com/errata/RHSA-2019:3948

Comment 23 errata-xmlrpc 2020-03-31 19:25:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1131 https://access.redhat.com/errata/RHSA-2020:1131

Comment 24 errata-xmlrpc 2020-03-31 19:25:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1132 https://access.redhat.com/errata/RHSA-2020:1132

Comment 25 errata-xmlrpc 2020-04-28 15:29:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1605 https://access.redhat.com/errata/RHSA-2020:1605

Comment 26 errata-xmlrpc 2020-04-28 15:50:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1764 https://access.redhat.com/errata/RHSA-2020:1764


Note You need to log in before you can comment on or make changes to this bug.