743646 – (CVE-2020-25032) <dev-python/flask-cors-3.0.9: Directory traversal (CVE-2020-25032)

Bug 743646 (CVE-2020-25032) - <dev-python/flask-cors-3.0.9: Directory traversal (CVE-2020-25032)

Summary: <dev-python/flask-cors-3.0.9: Directory traversal (CVE-2020-25032)

Status:	RESOLVED FIXED

Alias:	CVE-2020-25032

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://github.com/corydolphin/flask-...
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:	696640
Blocks:	EAPI5Removal
	Show dependency tree

Reported:	2020-09-20 02:12 UTC by John Helmert III
Modified:	2020-12-03 17:46 UTC (History)
CC List:	4 users (show)

See Also:	718834 743256 https://github.com/gentoo/gentoo/pull/16046
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2020-09-20 02:12:36 UTC

An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.



Need a bump to 3.0.9. Our version in tree is 5 years out of date and its maintainer doesn't seem to have made any commits since the git switch.

Comment 1 John Helmert III archtester

2020-09-20 02:15:47 UTC

CCing treecleaner due to lack of maintenance. Only revdep is media-sound/beets[webserver].

Comment 2 Sam James archtester

2020-09-20 04:01:07 UTC

I see beets' maintainer has a PR for this, will get to reviewing it...

Comment 3 Guillaume Seren 2020-09-21 11:35:11 UTC

Hey,
I have rebased my branch and bump flask-cors to 3.0.9

Comment 4 Larry the Git Cow gentoo-dev

2020-12-02 20:48:22 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36c867f82127c775231e5200caa0551f661aa866

commit 36c867f82127c775231e5200caa0551f661aa866
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-12-02 20:46:06 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-12-02 20:47:36 +0000

    dev-python/flask-cors: bump to 3.0.9 and add more py compats
    
    Bug: https://bugs.gentoo.org/743256
    Bug: https://bugs.gentoo.org/743646
    Closes: https://bugs.gentoo.org/696640
    Closes: https://bugs.gentoo.org/718834
    
    Suggested-by: Guillaume Seren <guillaumeseren@gmail.com>
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-python/flask-cors/Manifest                |  1 +
 dev-python/flask-cors/flask-cors-3.0.9.ebuild | 32 +++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)

Comment 5 Aaron Bauman (RETIRED) gentoo-dev

2020-12-02 20:50:47 UTC

@arches, please stabilize

Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev

2020-12-02 23:30:44 UTC

x86 stable

Comment 7 Sam James archtester

2020-12-03 04:34:09 UTC

amd64 done

all arches done

Comment 8 Sam James archtester

2020-12-03 04:35:30 UTC

Please cleanup.

Comment 9 Larry the Git Cow gentoo-dev

2020-12-03 08:29:28 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=049de164f57c0d78595a376097d5236a7707556a

commit 049de164f57c0d78595a376097d5236a7707556a
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-12-03 08:28:39 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-12-03 08:29:25 +0000

    dev-python/flask-cors: Remove old
    
    Bug: https://bugs.gentoo.org/743646
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/flask-cors/Manifest                |  1 -
 dev-python/flask-cors/flask-cors-2.1.0.ebuild | 69 ---------------------------
 2 files changed, 70 deletions(-)

Comment 10 John Helmert III archtester

2020-12-03 17:46:52 UTC

Tree is clean, thanks all!