Bug 1727276 (CVE-2019-18348) - CVE-2019-18348 python: CRLF injection via the host part of the url passed to urlopen()
Summary: CVE-2019-18348 python: CRLF injection via the host part of the url passed to ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-18348
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1765139 1765138 1765140 1765141 1765142 1765143 1765144 1765145 1765146 1765147 1765148 1765149 1765150 1765151 1765152 1765153 1882670
Blocks: 1727267
 
Reported: 2019-07-05 10:22 UTC by Riccardo Schirone
Modified: 2021-03-04 14:35 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A CRLF injection flaw was discovered in python in the way URLs are handled when doing an HTTP/HTTPS connection (e.g. through urlopen() or HTTPConnection). An attacker who can control the url parameter passed to the urlopen() method in the urllib/urllib2 modules can inject CRLF sequences and HTTP headers by abusing the "host" part of the URL.
Clone Of:
Environment:
Last Closed: 2020-10-19 20:21:12 UTC




Links
System ID Private Priority Status Summary Last Updated
Python 38576 0 None None None 2019-12-20 10:05:40 UTC
Red Hat Product Errata RHSA-2020:4273 0 None None None 2020-10-20 16:00:46 UTC
Red Hat Product Errata RHSA-2020:4285 0 None None None 2020-10-19 18:05:36 UTC

Description Riccardo Schirone 2019-07-05 10:22:43 UTC
An issue was discovered in urllib/urllib2 in Python. CRLF injection is possible if the attacker controls the host part of the url parameter passed to urlopen().

The fix for CVE-2019-9947 is ineffective if the glibc version used by python is still affected by CVE-2016-10739. The original fix for CVE-2019-9947 only checked the part of the URL after the port (e.g. in "http://server:7777/my/path?query" only "/my/path?query" was checked for invalid characters) so if an attacker can control the hostname part he is still able to inject HTTP headers. Due to CVE-2016-10739, getaddrinfo() resolves an invalid hostname as a valid one, so the URL can contain CRLF sequences and, at the same time, it can be resolved to a valid host.


Reference:
https://bugs.python.org/issue30458#msg347282

Comment 3 Riccardo Schirone 2019-10-24 08:13:15 UTC
I have created a new and separate issue upstream to keep track of this CVE.
https://bugs.python.org/issue38576

Comment 4 Riccardo Schirone 2019-10-24 12:29:34 UTC
Created python2 tracking bugs for this issue:

Affects: fedora-all [bug 1765145]


Created python26 tracking bugs for this issue:

Affects: fedora-all [bug 1765146]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1765138]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1765139]
Affects: fedora-all [bug 1765140]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1765141]


Created python36 tracking bugs for this issue:

Affects: epel-7 [bug 1765142]
Affects: fedora-all [bug 1765143]


Created python38 tracking bugs for this issue:

Affects: fedora-all [bug 1765144]

Comment 7 Riccardo Schirone 2019-10-24 12:37:06 UTC
This flaw can be exploited only when glibc flaw CVE-2016-10739 is not fixed, as it requires the getaddrinfo() function to resolve an invalid hostname, containing control characters like the CRLF sequence, as a valid one.
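The following Python script is an added illustration of the two points made in the description and in Comment 7; it is not code from the bug report or from the upstream patch. It assembles the raw request that an HTTP client would send for a URL whose host part carries a CRLF sequence, first with the CVE-2019-9947-style check that only inspects the part after the port (the injected header reaches the wire) and then with the same check applied to the host as well (the URL is refused). The URLs, the X-Injected header and the check itself are constructed for this example; the host_resolves() probe reports what the local resolver does with such a name, which is exactly the glibc CVE-2016-10739 dependency described in Comment 7, so its result varies by system.

```python
import re
import socket

# Constructed URLs for this demonstration (not taken from the bug report).
# In CRAFTED_URL the host part ends with a CRLF followed by an attacker-chosen
# header; the part after the port ("/my/path?query") is perfectly clean.
CRAFTED_URL = "http://localhost:7777\r\nX-Injected: 1/my/path?query"
CLEAN_URL = "http://localhost:7777/my/path?query"

# ASCII control characters, space and DEL: none may appear in the request
# target or in the Host header value.
_DISALLOWED = re.compile(r"[\x00-\x20\x7f]")


def split_url(url):
    """Minimal splitter that keeps CR/LF in the authority untouched.

    urllib.parse.urlsplit is not used on purpose: current Python releases
    strip CR, LF and TAB from the URL before parsing, which would hide the
    characters this example is about.
    """
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("absolute URL required")
    authority, slash, target = rest.partition("/")
    return scheme, authority, ("/" + target) if slash else "/"


def build_request(url, check_host):
    """Assemble the raw HTTP/1.1 request an HTTP client would put on the wire.

    check_host=False mirrors the incomplete fix for CVE-2019-9947, which only
    validated the part after the port.  check_host=True applies the same
    control-character check to the host as well (an illustrative check
    written for this example, not the upstream patch).
    """
    _scheme, authority, target = split_url(url)
    if _DISALLOWED.search(target):
        raise ValueError("control character in request target")
    if check_host and _DISALLOWED.search(authority):
        raise ValueError("control character in host")
    return (
        f"GET {target} HTTP/1.1\r\n"
        f"Host: {authority}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )


def header_names(raw_request):
    """Split the request the way a server would and list the header names.
    A name the client never set means the injection reached the wire."""
    head, _sep, _body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")[1:]            # drop the request line
    return [line.split(":", 1)[0] for line in lines if ":" in line]


def rejected(url, check_host):
    """True when build_request refuses the URL."""
    try:
        build_request(url, check_host)
    except ValueError:
        return True
    return False


def host_resolves(host):
    """Probe the resolver: True if getaddrinfo() accepts the host name.

    On a glibc still affected by CVE-2016-10739 a name containing CR/LF may
    resolve; on a fixed glibc it is rejected with socket.gaierror.  The result
    therefore depends on the system this runs on.
    """
    try:
        socket.getaddrinfo(host, 80)
    except socket.gaierror:
        return False
    return True


if __name__ == "__main__":
    # Path-only check: the injected header appears as a third header.
    print(header_names(build_request(CRAFTED_URL, check_host=False)))
    # Host check as well: the crafted URL is refused before any I/O.
    print(rejected(CRAFTED_URL, check_host=True))
    # Whether this machine's resolver would even accept such a host name.
    print(host_resolves("localhost:7777\r\nX-Injected: 1"))
```

With the path-only check the server-side view of the request is Host, X-Injected, Connection; with the host check the crafted URL never produces a request. Whether the injected request could actually be delivered on a real system is a separate question answered by host_resolves(): on a glibc with CVE-2016-10739 fixed the crafted name does not resolve, which is why the statement below rates the bug not exploitable there.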

Comment 8 Miro Hrončok 2019-12-20 10:05:40 UTC
The new Python issue is https://bugs.python.org/issue38576

Comment 9 Fedora Update System 2020-07-04 01:12:22 UTC
FEDORA-2020-8bdd3fd7a4 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 10 Fedora Update System 2020-07-10 01:01:01 UTC
FEDORA-2020-ea5bdbcc90 has been pushed to the Fedora 31 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 16 errata-xmlrpc 2020-10-19 18:05:47 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4285 https://access.redhat.com/errata/RHSA-2020:4285

Comment 17 Product Security DevOps Team 2020-10-19 20:21:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-18348

Comment 18 errata-xmlrpc 2020-10-20 16:00:43 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4273 https://access.redhat.com/errata/RHSA-2020:4273

Comment 19 Riccardo Schirone 2021-03-04 14:35:43 UTC
Statement:

This issue does not affect the versions of python and python3 as shipped with Red Hat Enterprise Linux 7.7 and above because glibc flaw CVE-2016-10739 was fixed in RHSA-2019:2118-03, which makes this bug not exploitable.

This issue does not affect the versions of python and python3 as shipped with Red Hat Enterprise Linux 8 because glibc is not vulnerable to CVE-2016-10739, making this bug not exploitable.

