Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 361223 (CVE-2011-1521)

Summary: <dev-lang/python-{2.6.8,2.7.2-r3,3.1.5,3.2.2}: File Disclosure or Denial of Service Vulnerability in urllib/urllib2 (CVE-2011-1521)
Product: Gentoo Security Reporter: Tim Sammut (RETIRED) <underling>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: alexanderyt, python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://bugs.python.org/issue11662
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2011-03-30 04:02:10 UTC 
From the upstream bug at $URL:

description:
--------------------
The Python urllib and urllib2 modules are typically used to fetch web
pages but by default also contains handlers for ftp:// and file:// URL
schemes.

Now unfortunately it appears that it is possible for a web server to
redirect (HTTP 302) a urllib request to any of the supported
schemes. Examples on how this could turn bad:

 1) File disclosure: A web application, that normally fetches and
 displays a web page, is redirected to file:///etc/passwd and
 discloses it.

 2) Denial of Service: An application is redirected to a system device
 (e.g. file:///dev/zero) which will result in excessive CPU/memory/disk
 usage.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:24:59 UTC 
CVE-2011-1521 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1521):
  The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before
  3.2.1 process Location headers that specify redirection to file: URLs, which
  makes it easier for remote attackers to obtain sensitive information or
  cause a denial of service (resource consumption) via a crafted URL, as
  demonstrated by the file:///etc/passwd and file:///dev/zero URLs.
Comment 2 Sergey Popov gentoo-dev 2014-01-06 22:03:56 UTC 
Covered by GLSA 201401-04

Closing as fixed