
Bug 680298 (CVE-2019-9636)

Summary: <dev-lang/python-{2.7.17,3.5.7,3.6.9,3.7.3}: Information Disclosure due to urlsplit improper NFKC normalization (CVE-2019-9636)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: mgorny, python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1688543
Whiteboard: A4 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 689822, 701116
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2019-03-14 08:33:14 UTC
From ${URL} :

A vulnerability was found in Python 2.7.x through 2.7.16 and 3.x through 3.7.2. An improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization could lead to an Information Disclosure (credentials, cookies, etc. that are cached against a given hostname) in the urllib.parse.urlsplit, urllib.parse.urlparse components. A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.

References:
https://bugs.python.org/issue36216
https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html

Upstream Patch:
https://github.com/python/cpython/pull/12201


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
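The check below is an added example, not code from this bug, from Gentoo, or from CPython. It follows the mitigation approach taken by the upstream patch linked above (bpo-36216): before a netloc is trusted, NFKC-normalize it and refuse it if normalization introduces one of the characters that delimit the netloc (`/`, `?`, `#`, `@`, `:`), because such a netloc names one host before normalization and a different host after it. The function names (`nfkc_introduced_delimiters`, `raw_netloc`, `audit_url`) and the sample URLs are constructed for this example; on a patched interpreter (2.7.17, 3.5.7, 3.6.9, 3.7.3 or later) `urlsplit` itself raises `ValueError` for the hazardous inputs, which `audit_url` records alongside its own verdict so the example behaves the same on old and new interpreters.

```python
import unicodedata
from urllib.parse import urlsplit

# Characters that bound the netloc in a URL. If NFKC normalization makes one of
# these appear inside a netloc, the host contacted after normalization (IDNA
# applies NFKC) can differ from the host the parser saw, which is the mechanism
# behind CVE-2019-9636.
NETLOC_DELIMITERS = "/?#@:"


def nfkc_introduced_delimiters(netloc: str) -> set:
    """Return the set of netloc delimiters that NFKC normalization introduces.

    Delimiters already present in the raw netloc (a port ':' or a userinfo '@')
    are stripped first, so only characters created by normalization are reported.
    A pure-ASCII netloc cannot change under NFKC, so it is accepted immediately.
    Assumption: this mirrors the shape of the upstream check, not its exact code.
    """
    if not netloc or all(ord(c) < 128 for c in netloc):
        return set()
    stripped = netloc
    for delim in NETLOC_DELIMITERS:
        stripped = stripped.replace(delim, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return set()
    return {delim for delim in NETLOC_DELIMITERS if delim in normalized}


def raw_netloc(url: str) -> str:
    """Extract the netloc without any normalization: the text after '//' up to
    the first '/', '?' or '#'. Assumption: the URL carries a scheme and '//'."""
    sep = url.find("//")
    if sep == -1:
        return ""
    rest = url[sep + 2:]
    end = len(rest)
    for delim in "/?#":
        idx = rest.find(delim)
        if idx != -1 and idx < end:
            end = idx
    return rest[:end]


def audit_url(url: str) -> dict:
    """Report whether a URL's netloc is a normalization hazard, and whether the
    running interpreter's urlsplit already refuses it (patched versions do)."""
    netloc = raw_netloc(url)
    introduced = nfkc_introduced_delimiters(netloc)
    try:
        urlsplit(url)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "netloc": netloc,
        "introduced": introduced,
        "hazard": bool(introduced),
        "rejected_by_urlsplit": rejected,
    }


if __name__ == "__main__":
    # Constructed sample inputs: a plain URL, a legitimate precomposed IDN label,
    # a fullwidth full stop (changes under NFKC but introduces no delimiter), and
    # U+2100 ACCOUNT OF, whose NFKC form is the three characters 'a/c'.
    samples = [
        "https://example.com/login",
        "https://b\u00fccher.example/",
        "https://example\uff0ecom/",
        "https://example.com\u2100/path",
        "https://user@example.com\u2100:443/path?q=1",
    ]
    for sample in samples:
        print(repr(sample), audit_url(sample))
```

Only the delimiter set is checked, not any change under NFKC: a fullwidth full stop or a compatibility-form letter still normalizes, but to characters that cannot move the host boundary, so legitimate internationalized hostnames are not rejected. Returning the introduced delimiters rather than a bare boolean makes the finding easy to log when the check is used as a pre-filter in front of an unpatched interpreter.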
Comment 1 Larry the Git Cow gentoo-dev 2019-03-29 12:59:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e3fcda6cbf3533091102bc3c7272d0bcf357fb9

commit 1e3fcda6cbf3533091102bc3c7272d0bcf357fb9
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-03-29 12:27:40 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-03-29 12:59:12 +0000

    dev-lang/python: Bump to 3.7.3
    
    Bug: https://bugs.gentoo.org/676700
    Bug: https://bugs.gentoo.org/680298
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest            |   2 +
 dev-lang/python/python-3.7.3.ebuild | 325 ++++++++++++++++++++++++++++++++++++
 2 files changed, 327 insertions(+)
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2019-04-02 05:43:16 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-26 14:09:12 UTC
Fixed in 2.7.17 which is not yet available in Gentoo repository.
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-01-03 08:30:46 UTC
All affected versions should be gone now.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 15:44:51 UTC
Added to an existing GLSA.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 15:59:01 UTC
This issue was resolved and addressed in GLSA 202003-26 at https://security.gentoo.org/glsa/202003-26 by GLSA coordinator Thomas Deutschmann (whissi).