689822 – (CVE-2018-20852) <dev-lang/python-{2.7.17,3.5.7,3.6.9,3.7.3}: validation flaw in Lib/http/cookiejar.py (CVE-2018-20852)

Bug 689822 (CVE-2018-20852) - <dev-lang/python-{2.7.17,3.5.7,3.6.9,3.7.3}: validation flaw in Lib/http/cookiejar.py (CVE-2018-20852)

Summary: <dev-lang/python-{2.7.17,3.5.7,3.6.9,3.7.3}: validation flaw in Lib/http/cook...

Status:	RESOLVED FIXED

Alias:	CVE-2018-20852

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://bugs.python.org/issue35121
Whiteboard:	A4 [glsa+ cve]
Keywords:

Depends on:	701116
Blocks:	CVE-2019-5010 CVE-2019-9740 CVE-2019-9636 CVE-2019-9947, CVE-2019-9948
	Show dependency tree

Reported:	2019-07-14 07:45 UTC by D'juan McDonald (domhnall)
Modified:	2020-03-15 15:59 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description D'juan McDonald (domhnall) 2019-07-14 07:45:14 UTC

(https://nvd.nist.gov/vuln/detail/CVE-2018-20852):

http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.


Gentoo Security Padawan
(domhnall)

Comment 1 Michał Górny archtester

2019-07-14 08:04:33 UTC

[?] dev-lang/python
     Available versions:  
     (2.7)  2.7.15 (~)2.7.16{xpak}
     (3.5)  3.5.5(3.5/3.5m)^t (~)3.5.7(3.5/3.5m)^t{xpak}
     (3.6)  3.6.5(3.6/3.6m)^t (~)3.6.8(3.6/3.6m)^t{xpak}
     (3.7)  (~)3.7.2(3.7/3.7m)^t (~)3.7.3(3.7/3.7m)^t{xpak}

So we need to stabilize new versions of 2.7, 3.5, 3.7 and bump+stabilize 3.6.

Comment 2 Larry the Git Cow gentoo-dev

2019-07-14 13:05:06 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1cd1842cd013485101789106c7b25c8999cff9e9

commit 1cd1842cd013485101789106c7b25c8999cff9e9
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-07-14 12:46:56 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-07-14 12:48:20 +0000

    dev-lang/python: Bump to 3.6.9
    
    Bug: https://bugs.gentoo.org/689822
    Bug: https://bugs.gentoo.org/680246
    Bug: https://bugs.gentoo.org/676700
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest            |   1 +
 dev-lang/python/python-3.6.9.ebuild | 349 ++++++++++++++++++++++++++++++++++++
 2 files changed, 350 insertions(+)

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2019-10-26 13:46:46 UTC

@ maintainer(s): You still need to fix 2.7.x branch (https://github.com/python/cpython/commit/979daae300916adb399ab5b51410b6ebd0888f13) or bump to 2.7.17!

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2019-12-07 01:21:19 UTC

Let's use this one for stabilization.

@ maintainer(s): Please call for stabilization!

Comment 5 Michał Górny archtester

2020-01-03 08:31:03 UTC

All affected versions should be gone now.

Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-15 15:43:29 UTC

New GLSA request filed.

Comment 7 GLSAMaker/CVETool Bot gentoo-dev

2020-03-15 15:59:17 UTC

This issue was resolved and addressed in
 GLSA 202003-26 at https://security.gentoo.org/glsa/202003-26
by GLSA coordinator Thomas Deutschmann (whissi).