
Bug 689822 (CVE-2018-20852)

Summary: <dev-lang/python-{2.7.17,3.5.7,3.6.9,3.7.3}: validation flaw in Lib/http/cookiejar.py (CVE-2018-20852)
Product: Gentoo Security
Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: mgorny, python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugs.python.org/issue35121
Whiteboard: A4 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 701116
Bug Blocks: 676700, 680246, 680298, 684838

Description D'juan McDonald (domhnall) 2019-07-14 07:45:14 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2018-20852):

http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.


Gentoo Security Padawan
(domhnall)
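The NVD text above says the domain check can be satisfied by a hostname that merely has a valid cookie domain as a suffix. The following is an added example, not code from this bug report or from CPython: it models the suffix comparison of the cookie jar's domain pre-filter in a simplified, stand-alone form, placing the flawed check beside a corrected one that (as in the upstream fix approach, which is assumed here) gives the stored cookie domain a leading dot before comparing, so a match can only occur at a label boundary. The function names and the sample jar are constructed for illustration, and this models only the domain pre-filter, not the further per-cookie checks the library applies afterwards.

```python
# Added example (not from the Gentoo bug or from CPython): a simplified model
# of the suffix check behind CVE-2018-20852, with the flawed comparison beside
# a corrected one. Function names and the sample cookie jar are constructed.


def _dotted(host: str) -> str:
    """Normalise a hostname so it starts with a dot ("example.com" -> ".example.com")."""
    return host if host.startswith(".") else "." + host


def domain_return_ok_vulnerable(cookie_domain: str, req_host: str) -> bool:
    """Flawed check: a plain suffix match.

    A host-only cookie is stored with a domain lacking a leading dot
    ("example.com"), and that string is a suffix of ".pythonicexample.com",
    so the cookie would be released to the unrelated host.
    """
    return _dotted(req_host).endswith(cookie_domain)


def domain_return_ok_fixed(cookie_domain: str, req_host: str) -> bool:
    """Corrected check: also dot the cookie domain before the suffix match.

    ".pythonicexample.com" does not end with ".example.com", so the match can
    only succeed when the request host is the cookie domain or a subdomain of it.
    """
    return _dotted(req_host).endswith(_dotted(cookie_domain))


def cookies_for_host(jar, req_host, policy):
    """Return the names of the cookies `policy` would release for `req_host`.

    `jar` is a constructed mapping: stored cookie domain -> list of cookie names.
    """
    released = []
    for cookie_domain, names in jar.items():
        if policy(cookie_domain, req_host):
            released.extend(names)
    return released


# Constructed sample jar: a host-only session cookie for example.com (stored
# without a leading dot) and a cookie explicitly scoped to .example.com.
SAMPLE_JAR = {
    "example.com": ["sessionid"],
    ".example.com": ["tracking"],
}


if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "pythonicexample.com"):
        print(
            f"{host:22s}"
            f" vulnerable={cookies_for_host(SAMPLE_JAR, host, domain_return_ok_vulnerable)}"
            f" fixed={cookies_for_host(SAMPLE_JAR, host, domain_return_ok_fixed)}"
        )
```

Running the block shows the difference that matters: with the flawed check the host-only `sessionid` cookie is released to `pythonicexample.com`, while the corrected check releases nothing to it and still releases both cookies to `example.com` and its subdomains. Note that only the dotless, host-only cookie is affected; a cookie stored as `.example.com` already fails the plain suffix test against the lookalike host.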
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-07-14 08:04:33 UTC
[?] dev-lang/python
     Available versions:  
     (2.7)  2.7.15 (~)2.7.16{xpak}
     (3.5)  3.5.5(3.5/3.5m)^t (~)3.5.7(3.5/3.5m)^t{xpak}
     (3.6)  3.6.5(3.6/3.6m)^t (~)3.6.8(3.6/3.6m)^t{xpak}
     (3.7)  (~)3.7.2(3.7/3.7m)^t (~)3.7.3(3.7/3.7m)^t{xpak}

So we need to stabilize new versions of 2.7, 3.5, 3.7 and bump+stabilize 3.6.
Comment 2 Larry the Git Cow gentoo-dev 2019-07-14 13:05:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1cd1842cd013485101789106c7b25c8999cff9e9

commit 1cd1842cd013485101789106c7b25c8999cff9e9
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-07-14 12:46:56 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-07-14 12:48:20 +0000

    dev-lang/python: Bump to 3.6.9
    
    Bug: https://bugs.gentoo.org/689822
    Bug: https://bugs.gentoo.org/680246
    Bug: https://bugs.gentoo.org/676700
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest            |   1 +
 dev-lang/python/python-3.6.9.ebuild | 349 ++++++++++++++++++++++++++++++++++++
 2 files changed, 350 insertions(+)
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-26 13:46:46 UTC
@ maintainer(s): You still need to fix the 2.7.x branch (https://github.com/python/cpython/commit/979daae300916adb399ab5b51410b6ebd0888f13) or bump to 2.7.17!
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2019-12-07 01:21:19 UTC
Let's use this one for stabilization.

@ maintainer(s): Please call for stabilization!
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-01-03 08:31:03 UTC
All affected versions should be gone now.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 15:43:29 UTC
New GLSA request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 15:59:17 UTC
This issue was resolved and addressed in
 GLSA 202003-26 at https://security.gentoo.org/glsa/202003-26
by GLSA coordinator Thomas Deutschmann (whissi).