Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 749339 (CVE-2020-26116)

Summary: dev-lang/python: CRLF injection in http.client (CVE-2020-26116)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: mgorny, python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugs.python.org/issue39603
Whiteboard: A4 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 736854, 743232, 743235, 759928    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-15 18:35:45 UTC 
CVE-2020-26116:

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.


Patch in 3.6.12: https://github.com/python/cpython/commit/f02de961b9f19a5db0ead56305fe0057a78787ae
3.7.9: https://github.com/python/cpython/commit/ca75fec1ed358f7324272608ca952b2d8226d11a
3.8.5: https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf

3.9 and 3.10 are both patched as they are in our tree, but links to patches for completeness:
https://github.com/python/cpython/commit/27b811057ff5e93b68798e278c88358123efdc71
https://github.com/python/cpython/commit/8ca8a2e8fb068863c1138f07e3098478ef8be12e

I imagine 2.7 is unpatched, though I'm not sure if anything in the tree uses it in that way.

The necessary stablereqs for 3.{6,7,8} are already rolling, so we'll just depend on them here.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-15 18:40:06 UTC 
Maintainer, if 2.7 needs patching please do so.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-10-15 19:42:28 UTC 
Unless I'm mistaken, this has been backported to all stable 3.x versions, and it is in >=2.7.18-r2.  I'm going to do the cleanup now.
Comment 3 Larry the Git Cow gentoo-dev 2020-10-15 19:43:43 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b36327f343dfda178953e30181c59c58d2f037bf

commit b36327f343dfda178953e30181c59c58d2f037bf
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-10-15 19:43:04 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-10-15 19:43:40 +0000

    dev-lang/python: Remove old 2.7 versions
    
    Bug: https://bugs.gentoo.org/749339
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   2 -
 dev-lang/python/python-2.7.18-r1.ebuild | 366 --------------------------------
 dev-lang/python/python-2.7.18-r2.ebuild | 366 --------------------------------
 dev-lang/python/python-2.7.18-r3.ebuild | 366 --------------------------------
 4 files changed, 1100 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-17 01:00:37 UTC 
(In reply to Michał Górny from comment #2)
> Unless I'm mistaken, this has been backported to all stable 3.x versions,
> and it is in >=2.7.18-r2.  I'm going to do the cleanup now.

Are you sure? This is a different issue than the email CRLF bug. I can't find any Gentoo patches that touch the same files as the upstream patches.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-10-17 03:27:12 UTC 
commit 138e2caeb4827ccfd1eaff2cf63afb79dfeeb3c4 (HEAD -> gentoo-2.7-vanilla, gentoo/gentoo-2.7-vanilla)
Author: Michał Górny <mgorny@gentoo.org>
Date:   2020-09-10 13:39:48 +0200

    bpo-39603: Prevent header injection in http methods (GH-18485) (GH-21539)
    
    reject control chars in http method in http.client.putrequest to prevent http header injection
    (cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e)
    
    Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
    
    [rebased for py2.7]

 Lib/httplib.py           | 17 +++++++++++++++++
 Lib/test/test_httplib.py | 20 ++++++++++++++++++++
 2 files changed, 37 insertions(+)
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2021-01-25 00:00:40 UTC 
This issue was resolved and addressed in
 GLSA 202101-18 at https://security.gentoo.org/glsa/202101-18
by GLSA coordinator Aaron Bauman (b-man).