Bug 1749839 (CVE-2019-16056) - CVE-2019-16056 python: email.utils.parseaddr wrongly parses email addresses
Summary: CVE-2019-16056 python: email.utils.parseaddr wrongly parses email addresses
Keywords:
Status: NEW
Alias: CVE-2019-16056
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1750456 1750458 1750459 1750461 1750773 1750774 1750775 1750776 1750779 1750780 1750798 1750812 1750829 1750454 1750455 1750457 1750460
Blocks: 1748207
TreeView+ depends on / blocked
 
Reported: 2019-09-06 14:42 UTC by Riccardo Schirone
Modified: 2019-10-08 14:37 UTC (History)
18 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Riccardo Schirone 2019-09-06 14:42:08 UTC
Python module `email` wrongly parses email addresses that contain multiple "@" character. An application that uses the `email` module and implements some kind of checks on the From/To headers of an email could be tricked into accepting an email address that should be denied.

Upstream issue:
https://bugs.python.org/issue34155

Upstream patches:
https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9 [master branch]
https://github.com/python/cpython/commit/217077440a6938a0b428f67cfef6e053c4f8673c [3.8]
https://github.com/python/cpython/commit/c48d606adcef395e59fd555496c42203b01dd3e8 [3.7]
https://github.com/python/cpython/commit/13a19139b5e76175bc95294d54afc9425e4f36c9 [3.6]

Comment 1 Miro Hrončok 2019-09-09 09:03:02 UTC
I've got automatically CCed to this bug as one of the Fedora's Python Maintainers yet I cannot see the blocked bz1748207. Is there a Fedora bug for this?

Comment 2 Riccardo Schirone 2019-09-09 09:39:39 UTC
In reply to comment #1:
> I've got automatically CCed to this bug as one of the Fedora's Python
> Maintainers yet I cannot see the blocked bz1748207. Is there a Fedora bug
> for this?

I will create one soon.

Comment 3 Victor Stinner 2019-09-09 10:55:11 UTC
Sadly, Python 2.7 didn't get a fix upstream yet.

Comment 4 Riccardo Schirone 2019-09-09 15:57:46 UTC
Created python2 tracking bugs for this issue:

Affects: fedora-all [bug 1750461]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1750456]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1750455]
Affects: fedora-all [bug 1750457]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1750458]


Created python36 tracking bugs for this issue:

Affects: epel-7 [bug 1750454]
Affects: fedora-all [bug 1750459]


Created python38 tracking bugs for this issue:

Affects: fedora-all [bug 1750460]

Comment 6 Miro Hrončok 2019-09-09 20:52:33 UTC
BTW python37 is also packaged in Fedora.

Comment 7 Riccardo Schirone 2019-09-10 08:50:58 UTC
Functions get_domain() in Lib/email/_header_value_parser.py and Lib/email/_parseaddr.py do not correctly handle the case where the parameter contains more than one '@' character. They do not return any error value or raise any exception, thus making it impossible for the users of those functions to know if something was wrong.

When an application uses the `email` python module to parse an email address, the wrong output of the vulnerable functions may be used to trick the application to use wrong values and impact the Confidentiality, Integrity and/or Availability of a system.

Comment 8 Riccardo Schirone 2019-09-10 08:58:21 UTC
In reply to comment #6:
> BTW python37 is also packaged in Fedora.

I see python37 only shipped in f28, which is not supported anymore.

Comment 9 Miro Hrončok 2019-09-10 09:05:08 UTC
It is shipped in rawhide (Fedora 32).

Comment 10 Riccardo Schirone 2019-09-10 09:39:57 UTC
In reply to comment #9:
> It is shipped in rawhide (Fedora 32).

I think you can fix it there without a security tracker from us. If you do need one, though, I will create it.

Comment 11 Miro Hrončok 2019-09-10 09:42:36 UTC
I know we can fix it there without a security tracker from you. I just wanted you to have all the information. If you could just open one Fedora "all the Pythons" bug instead of the current strom, it would work for us even better.

Comment 14 Riccardo Schirone 2019-09-10 13:45:08 UTC
Created python37 tracking bugs for this issue:

Affects: fedora-rawhide [bug 1750798]

Comment 15 Riccardo Schirone 2019-09-10 13:51:46 UTC
In reply to comment #11:
> I know we can fix it there without a security tracker from you. I just
> wanted you to have all the information. If you could just open one Fedora
> "all the Pythons" bug instead of the current strom, it would work for us
> even better.

I have create a tracker for fedora-rawhide/python37. We prefer to create separate trackers for each python version as they are separate packages and that way it is easier to track which versions are affected or not.


Note You need to log in before you can comment on or make changes to this bug.