Bug 361223 (CVE-2011-1521)

Summary:	<dev-lang/python-{2.6.8,2.7.2-r3,3.1.5,3.2.2}: File Disclosure or Denial of Service Vulnerability in urllib/urllib2 (CVE-2011-1521)
Product:	Gentoo Security	Reporter:	Tim Sammut (RETIRED) <underling>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	alexanderyt, python
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://bugs.python.org/issue11662
Whiteboard:	A3 [glsa]
Package list:		Runtime testing required:	---

Description Tim Sammut (RETIRED) gentoo-dev

2011-03-30 04:02:10 UTC

From the upstream bug at $URL:

description:
--------------------
The Python urllib and urllib2 modules are typically used to fetch web
pages but by default also contains handlers for ftp:// and file:// URL
schemes.

Now unfortunately it appears that it is possible for a web server to
redirect (HTTP 302) a urllib request to any of the supported
schemes. Examples on how this could turn bad:

 1) File disclosure: A web application, that normally fetches and
 displays a web page, is redirected to file:///etc/passwd and
 discloses it.

 2) Denial of Service: An application is redirected to a system device
 (e.g. file:///dev/zero) which will result in excessive CPU/memory/disk
 usage.

Comment 1 GLSAMaker/CVETool Bot gentoo-dev

2011-06-24 00:24:59 UTC

CVE-2011-1521 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1521):
  The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before
  3.2.1 process Location headers that specify redirection to file: URLs, which
  makes it easier for remote attackers to obtain sensitive information or
  cause a denial of service (resource consumption) via a crafted URL, as
  demonstrated by the file:///etc/passwd and file:///dev/zero URLs.

Comment 2 Sergey Popov (RETIRED) gentoo-dev

2014-01-06 22:03:56 UTC

Covered by GLSA 201401-04

Closing as fixed