Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 743646 (CVE-2020-25032)

Summary: <dev-python/flask-cors-3.0.9: Directory traversal (CVE-2020-25032)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: guillaumeseren, proxy-maint, treecleaner, wking
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/corydolphin/flask-cors/releases/tag/3.0.9
See Also: https://bugs.gentoo.org/show_bug.cgi?id=718834
https://bugs.gentoo.org/show_bug.cgi?id=743256
https://github.com/gentoo/gentoo/pull/16046
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 696640    
Bug Blocks: 698100    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-20 02:12:36 UTC 
An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.



Need a bump to 3.0.9. Our version in tree is 5 years out of date and its maintainer doesn't seem to have made any commits since the git switch.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-20 02:15:47 UTC 
CCing treecleaner due to lack of maintenance. Only revdep is media-sound/beets[webserver].
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-20 04:01:07 UTC 
I see beets' maintainer has a PR for this, will get to reviewing it...
Comment 3 Guillaume Seren 2020-09-21 11:35:11 UTC 
Hey,
I have rebased my branch and bump flask-cors to 3.0.9
Comment 4 Larry the Git Cow gentoo-dev 2020-12-02 20:48:22 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36c867f82127c775231e5200caa0551f661aa866

commit 36c867f82127c775231e5200caa0551f661aa866
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-12-02 20:46:06 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-12-02 20:47:36 +0000

    dev-python/flask-cors: bump to 3.0.9 and add more py compats
    
    Bug: https://bugs.gentoo.org/743256
    Bug: https://bugs.gentoo.org/743646
    Closes: https://bugs.gentoo.org/696640
    Closes: https://bugs.gentoo.org/718834
    
    Suggested-by: Guillaume Seren <guillaumeseren@gmail.com>
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-python/flask-cors/Manifest                |  1 +
 dev-python/flask-cors/flask-cors-3.0.9.ebuild | 32 +++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2020-12-02 20:50:47 UTC 
@arches, please stabilize
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-02 23:30:44 UTC 
x86 stable
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-03 04:34:09 UTC 
amd64 done

all arches done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-03 04:35:30 UTC 
Please cleanup.
Comment 9 Larry the Git Cow gentoo-dev 2020-12-03 08:29:28 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=049de164f57c0d78595a376097d5236a7707556a

commit 049de164f57c0d78595a376097d5236a7707556a
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-12-03 08:28:39 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-12-03 08:29:25 +0000

    dev-python/flask-cors: Remove old
    
    Bug: https://bugs.gentoo.org/743646
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/flask-cors/Manifest                |  1 -
 dev-python/flask-cors/flask-cors-2.1.0.ebuild | 69 ---------------------------
 2 files changed, 70 deletions(-)
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-03 17:46:52 UTC 
Tree is clean, thanks all!