| Field | Value |
|---|---|
| Summary | ~dev-python/urllib3-1.25.8: DoS in _encode_invalid_chars, scales poorly with input (CVE-2020-7212) |
| Product | Gentoo Security |
| Reporter | Sam James <sam> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | trivial |
| CC | herrtimson, leio, mgorny, python |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://github.com/urllib3/urllib3/pull/1787 |
| Whiteboard | ~3 [noglsa cve] |
| Package list | dev-python/urllib3-1.25.8, dev-python/trustme-0.6.0, dev-python/brotlipy-0.7.0 |
| Runtime testing required | --- |
Description

Sam James, 2020-03-06 21:15:37 UTC

Let's stabilize it where possible for a start.

An automated check of this bug failed - repoman reported dependency errors (110 lines truncated):
> dependency.bad dev-python/urllib3/urllib3-1.25.8.ebuild: BDEPEND: amd64(default/linux/amd64/17.0) ['>=dev-python/trustme-0.5.3[python_targets_pypy3(-)?,python_targets_python2_7(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,python_targets_python3_8(-)?,-python_single_target_pypy3(-),-python_single_target_python2_7(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-),-python_single_target_python3_8(-)]']
> dependency.bad dev-python/urllib3/urllib3-1.25.8.ebuild: BDEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=dev-python/trustme-0.5.3[python_targets_pypy3(-)?,python_targets_python2_7(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,python_targets_python3_8(-)?,-python_single_target_pypy3(-),-python_single_target_python2_7(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-),-python_single_target_python3_8(-)]']
> dependency.bad dev-python/urllib3/urllib3-1.25.8.ebuild: BDEPEND: amd64(default/linux/amd64/17.0/desktop/gnome) ['>=dev-python/trustme-0.5.3[python_targets_pypy3(-)?,python_targets_python2_7(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,python_targets_python3_8(-)?,-python_single_target_pypy3(-),-python_single_target_python2_7(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-),-python_single_target_python3_8(-)]']
An automated check of this bug failed - repoman reported dependency errors (70 lines truncated):
> dependency.bad dev-python/urllib3/urllib3-1.25.8.ebuild: BDEPEND: arm(default/linux/arm/17.0) ['dev-python/brotlipy[python_targets_pypy3(-)?,python_targets_python2_7(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,python_targets_python3_8(-)?,-python_single_target_pypy3(-),-python_single_target_python2_7(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-),-python_single_target_python3_8(-)]']
> dependency.bad dev-python/urllib3/urllib3-1.25.8.ebuild: RDEPEND: arm(default/linux/arm/17.0) ['dev-python/brotlipy[python_targets_pypy3(-)?,python_targets_python2_7(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,python_targets_python3_8(-)?,-python_single_target_pypy3(-),-python_single_target_python2_7(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-),-python_single_target_python3_8(-)]']
> dependency.bad dev-python/urllib3/urllib3-1.25.8.ebuild: RDEPEND: arm64(default/linux/arm64/17.0) ['dev-python/brotlipy[python_targets_pypy3(-)?,python_targets_python2_7(-)?,python_targets_python3_6(-)?,python_targets_python3_7(-)?,python_targets_python3_8(-)?,-python_single_target_pypy3(-),-python_single_target_python2_7(-),-python_single_target_python3_6(-),-python_single_target_python3_7(-),-python_single_target_python3_8(-)]']
An automated check of this bug succeeded - the previous repoman errors are now resolved.

Just for the record: current stable =dev-python/urllib3-1.24.2 was *not* affected. The vulnerability was introduced with commit https://github.com/urllib3/urllib3/commit/a74c9cfbaed9f811e7563cfc3dce894928e0221a (1.25.2).

Arch testers, if urllib3 fails tests due to resolver errors, you can either disable network-sandbox, add 'localhost.' (with a trailing dot) to /etc/hosts, or use nss_myhostname. I'm looking at how to make it work properly with the default config.

dev-python/requests-2.21.0-r1 requires <urllib3-1.25 and is not part of the stabilization round here. Please handle that via the package list or dependent bugs, or skip this stabilization for now per comment #5 and drop the vulnerable ~arch versions instead.

arm stable. A suitable dev-python/requests should be added to the queue; I went for 2.22.0 on my stable arm in the meantime.

amd64 stable

x86 stable

This was also stable for ppc, ppc64, and sparc. Are we stabilizing these as well, or are we going to drop them from stable?

requests stabling suitable for this urllib3 here appears to have happened in bug 714490 meanwhile.

arm64 stable

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
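The affected range stated in the comments above (regression introduced in 1.25.2, current stable 1.24.2 unaffected, 1.25.8 being stabilized as the fixed release) is the kind of thing an audit script gets wrong when it compares version strings lexicographically ("1.25.10" sorts before "1.25.8"). The following is an added example, not code from this bug or from the urllib3 project; it assumes 1.25.8 is the first fixed release, parses versions into integer tuples, and accepts both bare versions and Gentoo-style atoms such as those in the package list (including `-rN` revisions).

```python
"""Audit helper for CVE-2020-7212 (slow _encode_invalid_chars in urllib3).

Added example, not part of the Gentoo bug or urllib3. Version bounds are
taken from the bug comments: introduced in 1.25.2, fixed in 1.25.8 (assumed
to be the first fixed release). Everything else is constructed for the demo.
"""
import re
from typing import Iterable, List, Optional, Tuple

INTRODUCED = (1, 25, 2)  # first affected release, per the bug comments
FIXED = (1, 25, 8)       # first release with the fix (assumption from the bug title)

# Leading numeric components of a version; suffixes such as "rc1" are ignored.
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")

# Gentoo atom: optional "category/", package name, "-<version>", optional "-rN".
# The name class is matched lazily so "urllib3" does not swallow the version.
_ATOM_RE = re.compile(r"^(?:[\w+.-]+/)?[\w+-]*?-(\d+(?:\.\d+)*)(?:-r\d+)?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'X', 'X.Y' or 'X.Y.Z' into a comparable integer tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g or 0) for g in m.groups())
    return (major, minor, patch)


def version_from_atom(atom: str) -> str:
    """Extract the upstream version from 'dev-python/requests-2.21.0-r1';
    a bare version string is returned unchanged."""
    m = _ATOM_RE.match(atom.strip())
    return m.group(1) if m else atom.strip()


def is_affected(version: str) -> bool:
    """True when INTRODUCED <= version < FIXED, using numeric comparison."""
    return INTRODUCED <= parse_version(version) < FIXED


def affected_atoms(atoms: Iterable[str]) -> List[str]:
    """Filter an iterable of atoms or versions down to the vulnerable ones."""
    return [a for a in atoms if is_affected(version_from_atom(a))]


def installed_urllib3_affected() -> Optional[bool]:
    """Check the urllib3 installed in this interpreter; None if not installed."""
    try:
        from importlib.metadata import version, PackageNotFoundError
    except ImportError:  # Python < 3.8
        return None
    try:
        return is_affected(version("urllib3"))
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    # Constructed sample list mixing bug-page atoms with edge cases.
    sample = [
        "dev-python/urllib3-1.24.2",   # current stable, not affected
        "dev-python/urllib3-1.25.2",   # first affected
        "dev-python/urllib3-1.25.7",
        "dev-python/urllib3-1.25.8",   # fixed
        "1.25.10",                     # lexicographic comparison would get this wrong
    ]
    for atom in sample:
        state = "AFFECTED" if is_affected(version_from_atom(atom)) else "ok"
        print(f"{atom:32} {state}")
    print("installed urllib3 affected:", installed_urllib3_affected())
```

`affected_atoms` is the piece to drop into a stabilization or inventory script; `installed_urllib3_affected` is the same check against whatever the running interpreter resolves, which is what matters for a deployed service.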