Bug 2047376 (CVE-2022-0391) - CVE-2022-0391 python: urllib.parse does not sanitize URLs containing ASCII newline and tabs
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-0391
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 2047377
Depends On: 2050109 2047577 2047578 2047579 2047580 2047581 2047582 2047583 2047584 2047585 2047587 2048471 2048472 2048473 2048474 2048475 2048476 2048477 2048479 2048480 2050110 2050625 2050626 2064447 2064448 2083677 2126651 2130869 2292369
Blocks: 2034739 2047379
Reported: 2022-01-27 18:02 UTC by Guilherme de Almeida Suckevicz
Modified: 2024-06-24 09:41 UTC (History)

Fixed In Version: python 3.10.0b1, python 3.9.5, python 3.8.11, python 3.7.11, python 3.6.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Python's urllib.parse module, which splits Uniform Resource Locator (URL) strings into their components. The urlparse function does not sanitize its input and allows characters such as '\r' and '\n' to pass through in the URL path. An attacker who can supply a crafted URL containing these characters can use this to carry out injection attacks.
Clone Of:
Environment:
Last Closed: 2022-05-11 03:46:29 UTC
Embargoed:




Links
System                   ID              Last Updated
Red Hat Product Errata   RHSA-2022:1663  2022-05-02 08:05:20 UTC
Red Hat Product Errata   RHSA-2022:1764  2022-05-10 13:18:34 UTC
Red Hat Product Errata   RHSA-2022:1821  2022-05-10 13:39:35 UTC
Red Hat Product Errata   RHSA-2022:6457  2022-09-13 09:45:19 UTC

Description Guilherme de Almeida Suckevicz 2022-01-27 18:02:53 UTC
Python urllib.parse does not sanitize URLs containing ASCII newline and tabs.

Reference:
https://bugs.python.org/issue43882
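As an added illustration of the flaw described in the Doc Text (this is not code from the bug report or from CPython): a defender-side check that detects, rejects or strips the ASCII tab, CR and LF characters that the upstream fix removes inside urlsplit, run over a constructed sample URL. The function names and the sample URL are my own.

```python
from __future__ import annotations

from urllib.parse import SplitResult, urlsplit

# The three ASCII characters the upstream CPython fix (bpo-43882) deletes before
# parsing; an unpatched urllib.parse passed them through into the URL components.
UNSAFE_URL_CHARS = ("\t", "\r", "\n")

# Constructed sample input (not from the bug report): a URL carrying a tab in the
# host and a CR/LF pair in the path.
SAMPLE_URL = "http://exa\tmple.com/pa\r\nth?q=1"


def find_unsafe_chars(url: str) -> list[tuple[int, str]]:
    """Return (offset, char) for every tab, CR or LF in the URL, e.g. for logging."""
    return [(i, c) for i, c in enumerate(url) if c in UNSAFE_URL_CHARS]


def is_safe_url(url: str) -> bool:
    """True when the URL contains none of the unsafe ASCII characters."""
    return not find_unsafe_chars(url)


def strip_unsafe_chars(url: str) -> str:
    """Mirror what the upstream fix does: delete tab, CR and LF before parsing."""
    for c in UNSAFE_URL_CHARS:
        url = url.replace(c, "")
    return url


def safe_urlsplit(url: str, strict: bool = True) -> SplitResult:
    """Parse a URL only after validating it.

    strict=True rejects URLs carrying control characters (the safest policy for
    input that should never contain them); strict=False strips them the way a
    patched interpreter does, so behaviour is identical on old and new Python.
    """
    bad = find_unsafe_chars(url)
    if bad and strict:
        raise ValueError(f"URL contains tab/CR/LF at offsets {[i for i, _ in bad]}")
    return urlsplit(strip_unsafe_chars(url))


def interpreter_is_patched() -> bool:
    """True when this interpreter's urlsplit already strips the unsafe characters."""
    return urlsplit(SAMPLE_URL).netloc == "example.com"


if __name__ == "__main__":
    print("urllib.parse already patched:", interpreter_is_patched())
    print("unsafe characters found:", find_unsafe_chars(SAMPLE_URL))
    print("lenient split:", safe_urlsplit(SAMPLE_URL, strict=False))
```

Running it on an interpreter older than the versions listed under "Fixed In Version" prints False for the first line, which is a quick way to confirm whether a deployed Python still needs the wrapper.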

Comment 1 Guilherme de Almeida Suckevicz 2022-01-27 18:04:23 UTC
*** Bug 2047377 has been marked as a duplicate of this bug. ***

Comment 2 Sandipan Roy 2022-01-28 06:16:26 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 2047578]


Created python2.7 tracking bugs for this issue:

Affects: fedora-all [bug 2047579]


Created python3.10 tracking bugs for this issue:

Affects: fedora-all [bug 2047585]


Created python3.11 tracking bugs for this issue:

Affects: fedora-all [bug 2047587]


Created python3.5 tracking bugs for this issue:

Affects: fedora-all [bug 2047580]


Created python3.6 tracking bugs for this issue:

Affects: fedora-all [bug 2047581]


Created python3.7 tracking bugs for this issue:

Affects: fedora-all [bug 2047582]


Created python3.8 tracking bugs for this issue:

Affects: fedora-all [bug 2047583]


Created python3.9 tracking bugs for this issue:

Affects: fedora-all [bug 2047584]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 2047577]

Comment 3 Miro Hrončok 2022-01-28 08:07:06 UTC
Sandipan, I've actually collected the versions where this was fixed and yes, we have received 6 pointless outdated reports for Fedora python3.6 to python3.11 nevertheless. What is exactly the purpose? If you need that for some kind of tracking, could you report the bugzillas but close them immediately?

Comment 4 Sandipan Roy 2022-01-28 08:46:05 UTC
Hello Miro, I will close those kinds of tracking bugs from now on.
Thanks.

Comment 17 errata-xmlrpc 2022-05-02 08:05:17 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:1663 https://access.redhat.com/errata/RHSA-2022:1663

Comment 21 errata-xmlrpc 2022-05-10 13:18:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1764 https://access.redhat.com/errata/RHSA-2022:1764

Comment 22 errata-xmlrpc 2022-05-10 13:39:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1821 https://access.redhat.com/errata/RHSA-2022:1821

Comment 23 Product Security DevOps Team 2022-05-11 03:46:25 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0391

Comment 25 errata-xmlrpc 2022-09-13 09:45:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6457 https://access.redhat.com/errata/RHSA-2022:6457

Comment 29 Sandipan Roy 2024-06-14 07:38:08 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 2292369]

Comment 33 Lumír Balhar 2024-06-14 11:30:05 UTC
@saroy could you please check the versions before creating new trackers?

As pointed out in comment 3 here in the same bugzilla by Miro from January 2021, we have received pointless trackers for components where the vulnerability is not present because we ship newer versions.

Now, you've created trackers for Python 3.9 in RHEL 9. The vulnerability is fixed in 3.9.5 (as you can see here for years now) and we have 3.9.19 in RHEL 9. The vulnerability was fixed by the update to 3.9.5 in May 2021.

Do you need these trackers for something special? If so, could you please check the versions of the affected components and close the trackers immediately, or not create them at all?

Comment 35 jcastran 2024-06-14 11:50:17 UTC
According to the CVE RHEL 9 is affected, and not fixed yet.

https://access.redhat.com/security/cve/CVE-2022-0391

Products / Services          Components   State
Red Hat Enterprise Linux 9   python3.9    Affected

> The vulnerability is fixed in 3.9.5 (as you can see here for years now) and we have 3.9.19 in RHEL 9. The vulnerability was fixed by the update to 3.9.5 in May 2021.

Are you saying that RHEL 9 was never vulnerable?

Comment 36 Lumír Balhar 2024-06-14 13:08:11 UTC
(In reply to jcastran from comment #35)
> According to the CVE RHEL 9 is affected, and not fixed yet.
> 
> https://access.redhat.com/security/cve/CVE-2022-0391
> 
> Products / Services          Components   State
> Red Hat Enterprise Linux 9   python3.9    Affected
> 
> > The vulnerability is fixed in 3.9.5 (as you can see here for years now) and we have 3.9.19 in RHEL 9. The vulnerability was fixed by the update to 3.9.5 in May 2021.
> 
> Are you saying that RHEL 9 was never vulnerable?

Correct. RHEL 9 was never affected. We had Python 3.9.6 in RHEL 9.0.0 beta and version 3.9.10 in RHEL 9.0.0 GA. See https://errata.devel.redhat.com/advisory/81331/builds

