Bug 1526176 - (CVE-2017-17522) CVE-2017-17522 python: Command injection in Lib/webbrowser.py
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20171214,repor...
Keywords: Security
Depends On: 1526177 1526178 1526179 1526180 1526181 1526182
Blocks: 1526183
Reported: 2017-12-14 16:28 EST by Pedro Sampaio
Modified: 2018-01-21 23:53 EST
Last Closed: 2018-01-18 12:13:33 EST
External Trackers: Python 32367 (last updated 2017-12-18 11:38 EST)
Description Pedro Sampaio 2017-12-14 16:28:54 EST
Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.

References:

https://security-tracker.debian.org/tracker/CVE-2017-17522
Comment 1 Pedro Sampaio 2017-12-14 16:29:19 EST
Created python tracking bugs for this issue:

Affects: fedora-all [bug 1526182]


Created python26 tracking bugs for this issue:

Affects: fedora-all [bug 1526180]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1526181]


Created python33 tracking bugs for this issue:

Affects: fedora-all [bug 1526178]


Created python34 tracking bugs for this issue:

Affects: fedora-all [bug 1526179]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1526177]
Comment 2 Miro Hrončok 2017-12-15 12:01:51 EST
Pedro, how do you track what Python version we have in Fedora? Note that you are creating a bug for the python component, but that's dead since Fedora 25 EOL. Please update it to python2 in your tracking info. Also, we added python37 quite recently as well.
Comment 3 Charalampos Stratakis 2017-12-18 11:38:09 EST
It seems python upstream was not notified of this issue.

Pedro, could you provide any info (if any) on the relevant upstream bug?
Comment 4 Pedro Sampaio 2017-12-18 14:00:38 EST
Charalampos,

I couldn't find any more info on it. This CVE seems to have been issued by Debian. Maybe they have more information.

Miro,

Our tracking docs are correct, but I copied that affect list from an old bug. Thank you for pointing that out.

I fixed the list.
Comment 5 Petr Viktorin 2017-12-21 05:33:39 EST
I don't understand which strings need to be validated here.
Comment 6 Huzaifa S. Sidhpurwala 2018-01-02 00:56:45 EST
I think what the reporter actually mentions is the ability to trick the user into setting a specially-crafted BROWSER variable, before launching the browser via the webbrowser.py command. I tried the following:

1. $ export set BROWSER="elinks; touch /tmp/foo"
   $ python -m webbrowser -t "http://www.google.com"
Result: Launches firefox and /tmp/foo does not exist

2. $ export set BROWSER="elinks; /home/huzaifas/a"
   $ python -m webbrowser -t "http://www.google.com"
Result: Launches firefox and /tmp/foo is created. Here /home/huzaifas/a contains "touch /tmp/foo"

3. $ export set BROWSER="elinks; ls > /tmp/list"
   $ python -m webbrowser -t "http://www.google.com"
Result: Launches firefox, /tmp/list is not created

4. $ export set BROWSER="ls > /tmp/list"
   $ python -m webbrowser -t "http://www.google.com"
Result: Launches firefox, /tmp/list is not created

So I assume that the argument at https://nvd.nist.gov/vuln/detail/CVE-2017-17522#vulnDescriptionTitle is correct. Since webbrowser.py uses Popen, which has shell=False as default, it would not be possible for the attacker to inject malicious commands via the BROWSER env variable.
Comment 7 Petr Viktorin 2018-01-02 05:32:28 EST
Yes, BROWSER is fine.

One thing Python does not validate is the URL, so one could, for example, open a *private* window of Firefox with:

    export BROWSER=firefox
    python3 -c 'import webbrowser; webbrowser.open("--private-window")'

or set the default browser:

    export BROWSER=firefox
    python3 -c 'import webbrowser; webbrowser.open("--setDefaultBrowser")'

Maybe that's what the CVE reporter wanted to say?
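
An added example, not part of the bug report and not CPython's own code: a simplified model of the two points made in comments 6 and 7, showing that a command separator in a BROWSER-style value stays data when no shell is involved, and that an unvalidated URL reaches the program as an option. The stand-in "browser" (the Python interpreter printing its argv), the names `launch` and `is_web_url`, and the sample values are constructed for illustration; the `shell=True` case assumes a POSIX `/bin/sh`.

```python
import json
import shlex
import subprocess
import sys
from urllib.parse import urlsplit

# Constructed stand-in for a browser binary: prints the argv it received.
ECHO = "import json, sys; print(json.dumps(sys.argv[1:]))"
STAND_IN = f"{shlex.quote(sys.executable)} -c {shlex.quote(ECHO)}"


def launch(browser, url, shell=False):
    """Start `browser` with `url`; return the argv list seen by each process."""
    if shell:
        cmd = f"{browser} {shlex.quote(url)}"   # one string, parsed by /bin/sh
    else:
        cmd = shlex.split(browser) + [url]      # argv list, no shell involved
    done = subprocess.run(cmd, shell=shell, capture_output=True, text=True)
    return [json.loads(line) for line in done.stdout.splitlines()]


def is_web_url(url):
    """Accept only absolute http(s) URLs, so the value cannot parse as an option."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


URL = "http://example.test/"
# Constructed BROWSER-style value containing a shell command separator.
TWO_COMMANDS = f"{STAND_IN} first ; {STAND_IN} second"

if __name__ == "__main__":
    # shell=False (the Popen default): one process, ';' is just an argument.
    print(launch(TWO_COMMANDS, URL))
    # shell=True, for contrast: the shell splits on ';' and starts two processes.
    print(launch(TWO_COMMANDS, URL, shell=True))
    # A "URL" that starts with '-' arrives looking exactly like an option.
    print(launch(STAND_IN, "--private-window"))
    # Checking the scheme before launching rejects it.
    print(is_web_url("--private-window"), is_web_url(URL))
```

A caller that passes untrusted input to `webbrowser.open()` can apply a check like `is_web_url` first; the launcher itself gives the program no way to tell a URL from an option.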
Comment 8 Huzaifa S. Sidhpurwala 2018-01-14 22:27:23 EST
(In reply to Petr Viktorin from comment #7)
> Yes, BROWSER is fine.
> 
> One thing Python does not validate is the URL, so one could, for example,
> open a *private* window of Firefox with:
> 
>     export BROWSER=firefox
>     python3 -c 'import webbrowser; webbrowser.open("--private-window")'
> 
> or set the default browser:
> 
>     export BROWSER=firefox
>     python3 -c 'import webbrowser; webbrowser.open("--setDefaultBrowser")'
> 
> Maybe that's what the CVE reporter wanted to say?

Upstream contested this CVE and the desc explicitly mentions "BROWSER" variable not the URL variable. Also I don't see any merit in fixing this.
Comment 9 Petr Viktorin 2018-01-18 12:13:33 EST
I don't either. Closing; if any more discussion is needed then please re-open.
Comment 10 Huzaifa S. Sidhpurwala 2018-01-21 23:53:51 EST
Statement:

As per upstream, "exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting". On testing, it seems upstream has correctly concluded the non-security nature of this bug.
