Bug 1962856 (CVE-2021-3572) - CVE-2021-3572 python-pip: Incorrect handling of unicode separators in git references
Status: CLOSED ERRATA
Alias: CVE-2021-3572
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1962857 1962858 1965678 1965679 1965680 1965681 1965694 1965695 1965696 1965699 1965712 1965713 1969508 1969509 1969522
Blocks: 1962859 1966364
Reported: 2021-05-20 16:54 UTC by Pedro Sampaio
Modified: 2021-11-09 18:51 UTC (History)

Fixed In Version: python-pip 21.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-pip in the way it handled Unicode separator characters in git reference names. A remote attacker who controls a git repository could possibly use this issue to make pip install a different revision of that repository than the one requested. The highest threat from this vulnerability is to data integrity.
Last Closed: 2021-08-24 15:35:19 UTC




Links
Red Hat Product Errata RHSA-2021:3254 (last updated 2021-08-24 08:09:18 UTC)
Red Hat Product Errata RHSA-2021:4160 (last updated 2021-11-09 17:27:18 UTC)
Red Hat Product Errata RHSA-2021:4162 (last updated 2021-11-09 17:28:27 UTC)
Red Hat Product Errata RHSA-2021:4455 (last updated 2021-11-09 18:51:11 UTC)

Description Pedro Sampaio 2021-05-20 16:54:43 UTC
It was discovered that pip incorrectly handled unicode separators in git
references. A remote attacker could possibly use this issue to install a
different revision on a repository.

References:

https://packetstormsecurity.com/files/162712/USN-4961-1.txt

Comment 1 Pedro Sampaio 2021-05-20 16:55:18 UTC
Created python-pip tracking bugs for this issue:

Affects: fedora-all [bug 1962857]


Created python-virtualenv tracking bugs for this issue:

Affects: fedora-all [bug 1962858]

Comment 2 Miro Hrončok 2021-05-20 18:49:02 UTC
(In reply to Pedro Sampaio from comment #1)
> Created python-virtualenv tracking bugs for this issue:
> 
> Affects: fedora-all [bug 1962858]

Why python-virtualenv?

Comment 3 Pedro Sampaio 2021-05-20 19:35:46 UTC
(In reply to Miro Hrončok from comment #2)
> (In reply to Pedro Sampaio from comment #1)
> > Created python-virtualenv tracking bugs for this issue:
> > 
> > Affects: fedora-all [bug 1962858]
> 
> Why python-virtualenv?

Our package manifests flagged python-pip being embedded in python-virtualenv.

Comment 4 Miro Hrončok 2021-05-21 00:27:33 UTC
Could you please update the package manifests? python-pip has not been embedded in python-virtualenv since Fedora 31.

python-pip is however embedded in several other Fedora packages:

Fedora 32:
$ repoquery -q --repo={fedora,updates} --releasever 32 --latest=1 --whatprovides 'bundled(python*-pip)' --whatprovides 'bundled(python*dist(pip))' --source
pipenv-2018.11.26-13.fc32.src.rpm
python34-3.4.10-11.fc32.src.rpm


Fedora 33:
$ repoquery -q --repo={fedora,updates} --releasever 33 --latest=1 --whatprovides 'bundled(python*-pip)' --whatprovides 'bundled(python*dist(pip))' --source
jython-2.7.1-14.fc33.src.rpm
pipenv-2020.8.13-1.fc33.src.rpm
pypy-7.3.1-2.fc33.src.rpm
python2.7-2.7.18-8.fc33.src.rpm
python3.5-3.5.10-5.fc33.src.rpm


Fedora 34:
$ repoquery -q --repo={fedora,updates} --releasever 34 --latest=1 --whatprovides 'bundled(python*-pip)' --whatprovides 'bundled(python*dist(pip))' --source
jython-2.7.1-16.fc34.src.rpm
pipenv-2020.11.15-2.fc34.src.rpm
pypy-7.3.1-3.fc34.src.rpm
python2.7-2.7.18-9.fc34.src.rpm
python3.5-3.5.10-5.fc34.src.rpm


Fedora 35 (Rawhide):
$ repoquery -q --repo=rawhide --latest=1 --whatprovides 'bundled(python*-pip)' --whatprovides 'bundled(python*dist(pip))' --source
pipenv-2020.11.15-2.fc35.src.rpm
pypy-7.3.1-3.fc34.src.rpm
python2.7-2.7.18-10.fc35.src.rpm
python3.5-3.5.10-5.fc35.src.rpm

Thanks.

Comment 14 Lumír Balhar 2021-07-20 07:10:58 UTC
After a deep investigation of this issue in older pip versions in SCL, I've discovered that the older pip versions are not vulnerable when used with Python 2. The reason is that the output from git commands like `git show-ref` is processed as bytes and therefore methods like `splitlines` ignore Unicode characters.

See the different implementation of console_to_str for different Pythons: https://github.com/pypa/pip/blob/281eb61b09d87765d7c2b92f6982b3fe76ccb0af/pip/compat/__init__.py#L70-L90

For example, pip 8.1.2 in combination with Python 3.6 is vulnerable:

$ pip install git+https://github.com/frenzymadness/CVE-2021-3572.git@original_version
Collecting git+https://github.com/frenzymadness/CVE-2021-3572.git@original_version
  Cloning https://github.com/frenzymadness/CVE-2021-3572.git (to original_version) to /tmp/pip-docgjnth-build
…
ValueError: not enough values to unpack (expected 2, got 1)

$ pip install git+https://gitlab.cee.redhat.com/lbalhar/CVE-2021-3572.git@original_version
Collecting git+https://gitlab.cee.redhat.com/lbalhar/CVE-2021-3572.git@original_version
  Cloning https://gitlab.cee.redhat.com/lbalhar/CVE-2021-3572.git (to original_version) to /tmp/pip-u2t8sr1v-build
…
Successfully installed cve-2021-3572-9999.0  <- vulnerable version

but when I use the same version of pip with Python 2:

$ pip install git+https://github.com/frenzymadness/CVE-2021-3572.git@original_version
Collecting git+https://github.com/frenzymadness/CVE-2021-3572.git@original_version
  Cloning https://github.com/frenzymadness/CVE-2021-3572.git (to original_version) to /tmp/pip-FdQt3Z-build
Installing collected packages: cve-2021-3572
  Running setup.py install for cve-2021-3572 ... done
Successfully installed cve-2021-3572-1.0  <- correct version

$ pip install git+https://gitlab.cee.redhat.com/lbalhar/CVE-2021-3572.git@original_version
Collecting git+https://gitlab.cee.redhat.com/lbalhar/CVE-2021-3572.git@original_version
  Cloning https://gitlab.cee.redhat.com/lbalhar/CVE-2021-3572.git (to original_version) to /tmp/pip-BRA1UZ-build
Installing collected packages: cve-2021-3572
  Running setup.py install for cve-2021-3572 ... done
Successfully installed cve-2021-3572-1.0  <- correct version

The output of the git command where a Unicode character is at the end of the line looks like this in Python 2 (the last line only):

'78d66bca804c673ae8458fcd264dc9be6622ea6f refs/tags/original_version\xe2\x80\xa8\n'

but the bytes are not there in Python 3:

'78d66bca804c673ae8458fcd264dc9be6622ea6f refs/tags/original_version\n'

The same applies to tags with a Unicode character in the middle of the tag's name. Python 2, where it's only one line:

'4bf1a91683406ace8b3f5a6032932b2f5e575c71 refs/tags/original_version\xe2\x80\xa8a\xe2\x80\x80a/original_version\n'

and Python 3, where the split happens and the result is two lines:

'4bf1a91683406ace8b3f5a6032932b2f5e575c71 refs/tags/original_version\u2028a\u2000a/original_version\n'
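
Added example, not part of this bug report and not pip's code: a small Python 3 script that reproduces the parse mistake comment 14 describes. The `git show-ref` listing is constructed by hand (made-up SHAs, a crafted tag name carrying U+2028 LINE SEPARATOR and U+2000 EN QUAD), `resolve_tag_vulnerable` is an assumption about the general shape of the pre-21.1 ref resolution rather than a copy of any pip release, and `resolve_tag_fixed` is one hardened parser that splits on "\n" only and sets aside ref names with unusual characters.

```python
"""Added example for CVE-2021-3572, not pip's code: why str.splitlines()
lets a crafted git tag shadow a legitimate one, and a parser that is not
fooled.

Assumptions (constructed for the example): the `git show-ref` output below
is written by hand, the two SHAs are made up, and resolve_tag_vulnerable()
is a simplified model of the parse described in comment 14, not a copy of
any pip release.
"""
import unicodedata

GOOD_SHA = "1" * 40  # constructed: commit the legitimate tag points at
EVIL_SHA = "2" * 40  # constructed: commit the crafted tag points at

# `git show-ref original_version` matches refs whose trailing path component
# is "original_version", so a crafted tag that ends in "/original_version"
# is listed as well; git sorts by ref name, so it comes after the real tag.
SHOW_REF_OUTPUT = (
    f"{GOOD_SHA} refs/tags/original_version\n"
    f"{EVIL_SHA} refs/tags/original_version\u2028a\u2000a/original_version\n"
)


def line_counts(output: str):
    """(lines seen by str.splitlines(), lines seen by bytes.splitlines()).

    str.splitlines() treats U+2028 LINE SEPARATOR as a line boundary;
    bytes.splitlines() only knows \\n, \\r and \\r\\n. That difference is
    why the Python 2 (bytes) path in comment 14 is not affected.
    """
    return len(output.splitlines()), len(output.encode("utf-8").splitlines())


def resolve_tag_vulnerable(output: str, rev: str):
    """Flawed parse: splitlines() plus whitespace split.

    The crafted ref is cut at U+2028, so its SHA is stored under the
    legitimate name and, being listed later, overwrites the real entry.
    The leftover "a\\u2000a/original_version" still splits into two tokens
    because U+2000 is Unicode whitespace, so nothing raises.
    """
    refs = {}
    for line in output.strip().splitlines():
        sha, ref = line.split()
        refs[ref] = sha
    return refs.get(f"refs/tags/{rev}")


def is_sha1(text: str) -> bool:
    return len(text) == 40 and all(c in "0123456789abcdef" for c in text)


def ref_is_suspicious(ref: str) -> bool:
    """git itself permits U+2028 and other non-ASCII whitespace in ref
    names; a ref containing whitespace, control or separator characters is
    never one a user typed on purpose, so treat it as hostile."""
    return any(ch.isspace() or unicodedata.category(ch)[0] in "CZ" for ch in ref)


def resolve_tag_fixed(output: str, rev: str):
    """Split on "\\n" only, require the exact `<sha> <ref>` shape and an
    exact ref-name match, and set aside refs with unusual characters.

    Returns (sha or None, list of refs that were rejected).
    """
    wanted = f"refs/tags/{rev}"
    refs, rejected = {}, []
    for line in output.split("\n"):
        if not line:
            continue
        sha, sep, ref = line.partition(" ")
        if not sep or not is_sha1(sha):
            raise ValueError(f"unexpected show-ref line: {line!r}")
        if ref_is_suspicious(ref):
            rejected.append(ref)
            continue
        refs[ref] = sha
    return refs.get(wanted), rejected


if __name__ == "__main__":
    print("str vs bytes line count:", line_counts(SHOW_REF_OUTPUT))
    print("vulnerable resolves to:", resolve_tag_vulnerable(SHOW_REF_OUTPUT, "original_version"))
    print("fixed resolves to:", resolve_tag_fixed(SHOW_REF_OUTPUT, "original_version"))
```

Run it directly to see the three results: the same text is three lines to `str.splitlines()` and two to `bytes.splitlines()`, the flawed parser resolves `original_version` to the crafted commit, and the fixed parser returns the legitimate commit together with the ref it set aside, which is the signal a build pipeline should fail on rather than silently ignore. Upgrading to the fixed pip version listed above is the actual remediation; the parser here only shows what the fix has to achieve.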

Comment 15 errata-xmlrpc 2021-08-24 08:09:17 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254

Comment 16 Product Security DevOps Team 2021-08-24 15:35:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3572

Comment 17 errata-xmlrpc 2021-11-09 17:27:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4160 https://access.redhat.com/errata/RHSA-2021:4160

Comment 18 errata-xmlrpc 2021-11-09 17:28:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4162 https://access.redhat.com/errata/RHSA-2021:4162

Comment 19 errata-xmlrpc 2021-11-09 18:51:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4455 https://access.redhat.com/errata/RHSA-2021:4455

