
Bug 684838 (CVE-2019-9947, CVE-2019-9948)

Summary: <dev-lang/python-{2.7.17,3.6.9,3.7.4}: Multiple Vulnerabilities (CVE-2019-{9947,9948})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: mgorny, python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 689822, 701116
Bug Blocks:

Description GLSAMaker/CVETool Bot gentoo-dev 2019-05-01 00:12:47 UTC
CVE-2019-9948 (https://nvd.nist.gov/vuln/detail/CVE-2019-9948):
  urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which
  makes it easier for remote attackers to bypass protection mechanisms that
  blacklist file: URIs, as demonstrated by triggering a
  urllib.urlopen('local_file:///etc/passwd') call.

CVE-2019-9947 (https://nvd.nist.gov/vuln/detail/CVE-2019-9947):
  An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib
  in Python 3.x through 3.7.2. CRLF injection is possible if the attacker
  controls a url parameter, as demonstrated by the first argument to
  urllib.request.urlopen with \r\n (specifically in the query string or
  PATH_INFO) followed by an HTTP header or a Redis command. This is similar to
  CVE-2019-9740.
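Both CVEs in the report above come down to the same defensive rule: do not hand attacker-influenced strings straight to urlopen. The following is an added example, not code from Gentoo, CPython or the bug report; it assumes an application that only ever needs to fetch plain http/https URLs. It uses an allowlist of schemes instead of a blacklist (a blacklist of `file:` is exactly what `local_file:` slipped past in CVE-2019-9948) and rejects any ASCII control character in the raw string before parsing, so CR/LF can never reach the HTTP request line or headers (CVE-2019-9947).

```python
import re
from typing import Tuple
from urllib.parse import urlsplit
from urllib.request import urlopen

# Allowlist of schemes the application is willing to fetch (assumption for
# this example). Anything else, including file:, local_file:, ftp: or a
# missing scheme, is refused rather than enumerated in a deny list.
ALLOWED_SCHEMES = frozenset({"http", "https"})

# Any ASCII control character (0x00-0x1F and DEL). CR and LF are the ones
# that enable header/command injection; the whole range has no legitimate
# place in a URL, so rejecting all of it is both simpler and stricter.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def check_url(url: str) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only if every check passed."""
    if not isinstance(url, str):
        return False, "url must be a str"
    # Inspect the raw string first: recent urllib.parse silently strips
    # tab, CR and LF before parsing, so a check on the parsed components
    # would never see them.
    if _CONTROL_CHARS.search(url):
        return False, "control character in url"
    if url != url.strip():
        return False, "leading/trailing whitespace"
    parts = urlsplit(url)
    # urlsplit lower-cases the scheme, so the allowlist is case-insensitive.
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %s" % (parts.scheme or "(none)")
    if not parts.hostname:
        return False, "missing host"
    return True, "ok"


def safe_urlopen(url: str, timeout: float = 10.0):
    """Validate first, then delegate to urllib; refuse with ValueError."""
    ok, reason = check_url(url)
    if not ok:
        raise ValueError("refusing to fetch %r: %s" % (url, reason))
    return urlopen(url, timeout=timeout)  # network call; not used below


if __name__ == "__main__":
    # Constructed sample inputs; no network access is made here.
    samples = [
        "https://example.com/path?q=1",
        "HTTPS://Example.com/",
        "file:///etc/passwd",
        "local_file:///etc/passwd",
        "http://example.com/?q=a\r\nX-Injected: 1",
        "https:///no-host",
        " http://example.com",
    ]
    for s in samples:
        print("%-45r -> %s" % (s, check_url(s)))
```

The scheme check runs on `urlsplit`'s output, but the control-character check deliberately runs on the untouched input string; with newer Python versions the parser removes `\t`, `\r` and `\n` itself, which would make a post-parse check pass a URL that still carried those bytes on the way in.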
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-26 14:06:11 UTC
CVE-2019-9947 is handled in bug 680246.

CVE-2019-9948:
2.7: Fixed in 2.7.17 which is not yet available in Gentoo repository.

3.5.8rc1: https://github.com/python/cpython/commit/4fe82a8eef7aed60de05bfca0f2c322730ea921e
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-01-03 08:30:57 UTC
All affected versions should be gone now.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 15:44:17 UTC
Added to an existing GLSA.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 15:59:09 UTC
This issue was resolved and addressed in GLSA 202003-26 at https://security.gentoo.org/glsa/202003-26 by GLSA coordinator Thomas Deutschmann (whissi).