Bug 1688543 (CVE-2019-9636) - CVE-2019-9636 python: Information Disclosure due to urlsplit improper NFKC normalization
Summary: CVE-2019-9636 python: Information Disclosure due to urlsplit improper NFKC no...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-9636
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1688552 1689318 1689327 1689328 1744471 1688544 1688545 1688546 1688547 1688549 1688550 1689316 1689317 1689319 1689320 1689321 1689322 1689323 1689324 1689325 1689326 1693973 1693974 1693975 1694514 1694515 1694516 1694517 1696755 1716744 1744472
Blocks: 1688554
TreeView+ depends on / blocked
 
Reported: 2019-03-13 23:14 UTC by Laura Pardo
Modified: 2019-10-08 10:01 UTC (History)
33 users (show)

Fixed In Version: python 3.5.7, python 3.7.3
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that python's functions urllib.parse.urlsplit and urllib.parse.urlparse do not properly handle URLs encoded with Punycode/Internationalizing Domain Names in Applications (IDNA), which may result in a wrong domain name (specifically the netloc component of URL - user@domain:port) being returned by those functions. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:50:46 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0740 None None None 2019-04-10 18:44:11 UTC
Red Hat Product Errata RHBA-2019:0752 None None None 2019-04-15 09:03:06 UTC
Red Hat Product Errata RHBA-2019:0769 None None None 2019-04-17 10:12:07 UTC
Red Hat Product Errata RHBA-2019:0776 None None None 2019-04-17 21:05:40 UTC
Red Hat Product Errata RHBA-2019:0777 None None None 2019-04-17 20:36:42 UTC
Red Hat Product Errata RHBA-2019:0960 None None None 2019-05-01 17:22:38 UTC
Red Hat Product Errata RHBA-2019:1125 None None None 2019-05-09 10:14:28 UTC
Red Hat Product Errata RHBA-2019:1126 None None None 2019-05-09 10:13:13 UTC
Red Hat Product Errata RHBA-2019:1141 None None None 2019-05-09 21:18:02 UTC
Red Hat Product Errata RHBA-2019:1246 None None None 2019-05-20 18:20:46 UTC
Red Hat Product Errata RHSA-2019:0710 None None None 2019-04-08 12:59:32 UTC
Red Hat Product Errata RHSA-2019:0765 None None None 2019-04-16 14:06:02 UTC
Red Hat Product Errata RHSA-2019:0806 None None None 2019-04-23 11:38:56 UTC
Red Hat Product Errata RHSA-2019:0902 None None None 2019-04-29 14:30:30 UTC
Red Hat Product Errata RHSA-2019:0981 None None None 2019-05-07 04:20:01 UTC
Red Hat Product Errata RHSA-2019:0997 None None None 2019-05-07 04:21:58 UTC
Red Hat Product Errata RHSA-2019:1467 None None None 2019-06-13 12:32:10 UTC
Red Hat Product Errata RHSA-2019:2980 None None None 2019-10-08 10:01:03 UTC

Description Laura Pardo 2019-03-13 23:14:41 UTC
A vulnerability was found in Python 2.7.x through 2.7.16 and 3.x through 3.7.2. An improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization could lead to an Information Disclosure (credentials, cookies, etc. that are cached against a given hostname) in the urllib.parse.urlsplit, urllib.parse.urlparse components. A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.  



References:
https://bugs.python.org/issue36216
https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html

Uptream Patch:
https://github.com/python/cpython/pull/12201

Comment 1 Laura Pardo 2019-03-13 23:15:22 UTC
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1688546]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1688552]
Affects: fedora-all [bug 1688549]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1688550]


Created python36 tracking bugs for this issue:

Affects: epel-7 [bug 1688547]
Affects: fedora-29 [bug 1688544]


Created python37 tracking bugs for this issue:

Affects: fedora-28 [bug 1688545]

Comment 8 errata-xmlrpc 2019-04-08 12:59:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0710 https://access.redhat.com/errata/RHSA-2019:0710

Comment 26 errata-xmlrpc 2019-04-16 14:06:00 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:0765 https://access.redhat.com/errata/RHSA-2019:0765

Comment 30 errata-xmlrpc 2019-04-23 11:38:55 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:0806 https://access.redhat.com/errata/RHSA-2019:0806

Comment 34 errata-xmlrpc 2019-04-29 14:30:29 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:0902 https://access.redhat.com/errata/RHSA-2019:0902

Comment 36 Charalampos Stratakis 2019-05-06 09:31:45 UTC
The CVE fix we pushed unfortunately introduced a regression, fixed by https://bugs.python.org/issue36742

Comment 38 errata-xmlrpc 2019-05-07 04:19:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:0981 https://access.redhat.com/errata/RHSA-2019:0981

Comment 39 errata-xmlrpc 2019-05-07 04:21:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:0997 https://access.redhat.com/errata/RHSA-2019:0997

Comment 40 Riccardo Schirone 2019-05-20 07:53:20 UTC
This flaw also affects the versions of python as shipped with Red Hat Enterprise Linux 5 and 6, which are, respectively, python 2.4 and 2.6.

Comment 42 Riccardo Schirone 2019-06-03 14:51:50 UTC
The flaw was reproduced both on python 2.4 shipped with Red Hat Enterprise Linux 5 and on python 2.6 shipped with Red Hat Enterprise Linux 6.

Comment 43 Riccardo Schirone 2019-06-03 15:01:36 UTC
This flaw affects applications that process untrusted URLs and store credentials, cookies or other kind of information based on the domain name of the URL, when encoded with Punycode/Internationalizing Domain Names in Applications (IDNA), more precisely the netloc component returned by urlparse()/urlsplit(). Assuming an application has cookies stored for the netloc "redhat.com", an attacker may construct a URL that, when encoded with IDNA and parsed through urlparse()/urlsplit() would indicate "redhat.com" as netloc, even though the connection would be made to the attacker-controlled host, possibly leaking the information that were associated with "redhat.com".

Comment 45 Riccardo Schirone 2019-06-03 15:02:21 UTC
External References:

https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html

Comment 48 Riccardo Schirone 2019-06-04 07:44:02 UTC
netloc is the part of a URL that includes <user>:<password>@<host>:<port>.

See https://tools.ietf.org/html/rfc1808.html#section-2.1 for more information about netloc.

Comment 50 Riccardo Schirone 2019-06-05 10:23:25 UTC
In reply to comment #36:
> The CVE fix we pushed unfortunately introduced a regression, fixed by
> https://bugs.python.org/issue36742

The initial fix for this regression can be found at https://github.com/python/cpython/commit/d537ab0ff9767ef024f26246899728f0116b1ec3.
However, alone it would re-introduce this vulnerability, CVE-2019-9636, thus it requires https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e to be complete.

Comment 53 Riccardo Schirone 2019-06-06 09:19:11 UTC
In reply to comment #50:
> In reply to comment #36:
> > The CVE fix we pushed unfortunately introduced a regression, fixed by
> > https://bugs.python.org/issue36742
> 
> The initial fix for this regression can be found at
> https://github.com/python/cpython/commit/
> d537ab0ff9767ef024f26246899728f0116b1ec3.
> However, alone it would re-introduce this vulnerability, CVE-2019-9636, thus
> it requires
> https://github.com/python/cpython/commit/
> 8d0ef0b5edeae52960c7ed05ae8a12388324f87e to be complete.

Reference:
https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html

Comment 54 Riccardo Schirone 2019-06-10 07:56:45 UTC
CVE-2019-10160 has been assigned to this security regression.In reply to comment #50:
> In reply to comment #36:
> > The CVE fix we pushed unfortunately introduced a regression, fixed by
> > https://bugs.python.org/issue36742
> 
> The initial fix for this regression can be found at
> https://github.com/python/cpython/commit/d537ab0ff9767ef024f26246899728f0116b1ec3.
> However, alone it would re-introduce this vulnerability, CVE-2019-9636, thus
> it requires https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e to be complete.

CVE-2019-10160 has been assigned to the security regression introduced with https://github.com/python/cpython/commit/d537ab0ff9767ef024f26246899728f0116b1ec3

Comment 55 errata-xmlrpc 2019-06-13 12:32:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:1467 https://access.redhat.com/errata/RHSA-2019:1467

Comment 56 Riccardo Schirone 2019-06-21 13:38:09 UTC
In reply to comment #55:
> This issue has been addressed in the following products:
> 
>   Red Hat Enterprise Linux 6
> 
> Via RHSA-2019:1467 https://access.redhat.com/errata/RHSA-2019:1467

CVE-2019-10160 was discovered by Red Hat during the development of the Red Hat Enterprise Linux 6 patch, thus RHSA-2019:1467 was directly shipped with the proper fix for CVE-2019-9636. The security regression CVE-2019-10160 was not introduced in RHEL 6.

Comment 63 errata-xmlrpc 2019-10-08 10:01:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:2980 https://access.redhat.com/errata/RHSA-2019:2980


Note You need to log in before you can comment on or make changes to this bug.