Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 769653 (CVE-2021-21240)

Summary: <dev-python/httplib2-0.19.0: client REDoS via malicious header (CVE-2021-21240)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: mgorny, python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-09 04:48:21 UTC 
CVE-2021-21240:

httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.


PR: https://github.com/httplib2/httplib2/pull/182
Patch: https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc

Released in 0.19.0, please bump.
Comment 1 NATTkA bot gentoo-dev 2021-02-09 09:16:50 UTC Comment hidden (obsolete)
Comment 2 Larry the Git Cow gentoo-dev 2021-02-09 09:20:20 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01fa5e8e750b5d0baa16ff7f7bd27fcffc247713

commit 01fa5e8e750b5d0baa16ff7f7bd27fcffc247713
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-02-09 09:13:19 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-02-09 09:20:15 +0000

    dev-python/httplib2: Bump to 0.19.0
    
    Bug: https://bugs.gentoo.org/769653
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/httplib2/Manifest               |  1 +
 dev-python/httplib2/httplib2-0.19.0.ebuild | 56 ++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)
Comment 3 NATTkA bot gentoo-dev 2021-02-09 09:25:01 UTC 
All sanity-check issues have been resolved
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-09 21:32:02 UTC 
amd64 arm arm64 hppa ppc ppc64 sparc x86 (ALLARCHES) done

all arches done
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-10 00:51:49 UTC 
Please cleanup.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-25 01:10:52 UTC 
Very limited impact so no GLSA, all done!