| Field | Value |
|---|---|
| Summary | dev-lang/python-{2.7.18_p9,3.6.13_p3,3.7.10_p3,3.8.9_p2,3.9.4_p1}: Improper Input Validation of octal literals (CVE-2021-29921) |
| Product | Gentoo Security |
| Reporter | GLSAMaker/CVETool Bot <glsamaker> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | mgorny, python, sam |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://sick.codes/sick-2021-014 |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=788700 |
| Whiteboard | A4 [glsa+ cve] |
| Package list | dev-lang/python-2.7.18_p9, dev-lang/python-3.6.13_p3, dev-lang/python-3.7.10_p3, dev-lang/python-3.8.9_p2, dev-lang/python-3.9.4_p1 |
| Runtime testing required | --- |
Description
GLSAMaker/CVETool Bot
2021-05-01 01:13:00 UTC
Title
=====
python stdlib “ipaddress” – Improper Input Validation of octal literals in python 3.8.0 thru v3.10 results in indeterminate SSRF & RFI vulnerabilities. — “ipaddress leading zeros in IPv4 address”

Product Versions
================
3.8.0 thru v3.10

Vulnerability Details
=====================
Improper input validation of octal strings in Python 3.8.0 thru v3.10 stdlib ipaddress allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many programs that rely on Python stdlib ipaddress. IP address octets are left stripped instead of evaluated as valid IP addresses. For example, an attacker submitting an IP address to a web application that relies on stdlib ipaddress could cause SSRF via inputting octal input data; an attacker can submit exploitable IP addresses if the octet is 3 digits, with the minimum exploitable octet being 08 (Denial of Service) and the maximum exploitable octet is 099. For example, an attacker can submit 010.8.8.8, which is 8.8.8.8, yet Python ipaddress builtin will evaluate this as 10.8.8.8.

Vendor Response
===============
Currently unpatched – due to be addressed in next release.

Proof of Concept
================
Vulnerability added in python3.8: https://github.com/python/cpython/pull/12577

Documented to be vulnerable in the changelog: https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst

> Stop rejecting IPv4 octets for being ambiguously octal. Leading zeros are ignored, and no longer are assumed to specify octal octets. Octets are always decimal numbers. Octets must still be no more than three digits, including leading zeroes.

...and upstream is debating whether to actually fix it because someone may be relying on this in his workflow.

Is it still ok to extend this to 'multiple vulnerabilities' or should I file a separate bug for earlier vulns we've missed?
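The ambiguity the advisory describes, shown as an added example that is not part of the bug report or of CPython: `strict_ipv4` refuses any leading-zero octet (and non-ASCII digits and out-of-range values) before handing the string to `ipaddress`, and `readings` shows how the same string is read by a decimal-only parser (the affected stdlib) and by an inet_aton-style parser that treats leading-zero octets as octal. Both function names are this example's own.

```python
import ipaddress

# Added example (not from the bug or CPython): a strict IPv4 parser that
# rejects the ambiguous leading-zero forms CVE-2021-29921 is about, plus a
# helper that reports the decimal reading (as the affected stdlib ipaddress
# did) next to the octal reading (as C inet_aton does).


def strict_ipv4(text: str) -> ipaddress.IPv4Address:
    """Parse a dotted quad, refusing any octet whose meaning depends on the parser."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets, got {len(parts)}: {text!r}")
    values = []
    for part in parts:
        # isascii() guards against int() silently accepting non-ASCII digits
        if not (part.isascii() and part.isdigit()):
            raise ValueError(f"non-digit octet {part!r} in {text!r}")
        if len(part) > 1 and part[0] == "0":
            raise ValueError(f"leading zero makes octet {part!r} ambiguous in {text!r}")
        value = int(part)
        if value > 255:
            raise ValueError(f"octet {part!r} out of range in {text!r}")
        values.append(value)
    # Build the canonical form ourselves so no parser-specific rule is applied
    return ipaddress.IPv4Address(".".join(str(v) for v in values))


def readings(text: str) -> dict:
    """Decimal and inet_aton-style octal readings of a dotted quad (None if invalid)."""
    parts = text.split(".")
    result = {"decimal": None, "octal": None}
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return result
    for name, base in (("decimal", 10), ("octal", 8)):
        try:
            # inet_aton treats only leading-zero octets as octal; others stay decimal
            vals = [int(p, 8) if base == 8 and len(p) > 1 and p[0] == "0" else int(p, 10)
                    for p in parts]
        except ValueError:  # e.g. "08" is not a valid octal literal
            continue
        if all(v <= 255 for v in vals):
            result[name] = ".".join(str(v) for v in vals)
    return result


if __name__ == "__main__":
    print(readings("010.8.8.8"))  # {'decimal': '10.8.8.8', 'octal': '8.8.8.8'}
    try:
        strict_ipv4("010.8.8.8")
    except ValueError as exc:
        print("rejected:", exc)
```

Whether `ipaddress.ip_address("010.8.8.8")` itself raises depends on the interpreter version, which is exactly why the strict check runs on the raw string first.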
The recent security fixes for 3.9 are:

- bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391) (GH-25247)
- bpo-43472: Ensure PyInterpreterState_New audit events are raised when called through _xxsubinterpreters module (GH-25506) (GH-25508)
- [3.9] bpo-43882 - urllib.parse should sanitize urls containing ASCII newline and tabs. (GH-25595) (GH-25725)

If all vulns apply to the Python versions we will handle in this bug, we can add additional vulns to this bug. But if not all vulns apply to all Python versions we will handle here, we cannot combine them, because we have to take care not to announce that we have fixed vuln X in Y when Y wasn't affected by X.

The ipaddress vulnerability applies only to python-3.8+ (it was a regression). The ReDoS and newline-in-URL fixes apply to all versions down to Python 2.7.

Ok, here are all the versions that need to be stabilized. Feel free to move them around if you split the bug.

- ppc64 done
- hppa stable
- sparc stable
- amd64 done
- x86 done
- arm done
- arm64 done

To be honest, I'm really wondering if upstream's solution to bpo-43882 is really improving security. They're changing the behavior of the urlparse module from passing LF, CR and HT through to stripping them. Technically, if someone used urlparse results without validation, this fixes potential vulnerabilities. However, it doesn't help if someone uses the original unprocessed URL independently of urlparse results. At the same time, it can introduce vulnerabilities if someone is using urlparse to feed an URL validator and then uses the original URL. It means the validator will get a 'sanitized' URL and will not reject it, but the original URL will still contain dangerous chars that the validator previously rejected. I know that at the very least the validators in botocore and django were broken by this (both patched in Gentoo now), but I don't know if any real vulnerabilities were caused by broken validation.
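The validator-ordering problem raised in the last comment, as an added example that is not code from the bug, botocore or django: `check_url` inspects the original string for tab, CR and LF before calling `urlsplit`, so its verdict does not depend on whether the interpreter's `urlsplit` strips those characters (the bpo-43882 change), while `check_parsed_only` is the fragile pattern that validates only the parse result. Function names and the allow-list are this example's own.

```python
import re
from typing import FrozenSet, Tuple
from urllib.parse import urlsplit

# Added example (not from the bug, botocore or django): validate the raw URL
# before parsing it, so a validator built on urlsplit() output cannot be
# passed by characters the parser may strip (bpo-43882 made urlsplit remove
# ASCII tab, CR and LF).

FORBIDDEN = frozenset("\t\r\n")          # must never appear in an accepted URL
HOST_RE = re.compile(r"[A-Za-z0-9.-]+")  # plain DNS name, nothing else
SCHEMES = ("http", "https")


def check_url(raw: str, allowed_hosts: FrozenSet[str]) -> Tuple[bool, str]:
    """Return (ok, reason). The control-character check runs on the ORIGINAL string."""
    bad = sorted(FORBIDDEN & set(raw))
    if bad:
        return False, f"raw URL contains control characters {bad}"
    parts = urlsplit(raw)
    if parts.scheme not in SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname or ""
    if not HOST_RE.fullmatch(host):
        return False, f"hostname {host!r} is not a plain DNS name"
    if host not in allowed_hosts:
        return False, f"host {host!r} not in allow-list"
    return True, "ok"


def check_parsed_only(raw: str, allowed_hosts: FrozenSet[str]) -> bool:
    """The fragile pattern from the discussion: only the parsed result is validated.

    On a urlsplit() that strips tab/CR/LF this accepts a URL whose raw form still
    carries them; on one that passes them through it rejects the same URL."""
    parts = urlsplit(raw)
    host = parts.hostname or ""
    return parts.scheme in SCHEMES and bool(HOST_RE.fullmatch(host)) and host in allowed_hosts


if __name__ == "__main__":
    allowed = frozenset({"example.com"})
    for url in ("http://example.com/a", "http://example.com\r\n/a", "http://other.test/a"):
        print(repr(url), check_url(url, allowed), check_parsed_only(url, allowed))
```

The verdict of `check_parsed_only` on the CR/LF URL changes with the interpreter version; `check_url` rejects it everywhere.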
ppc done

all arches done

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d9d5f7a74ea1e392da6eb54af26c1ebaa11c3592

```
commit d9d5f7a74ea1e392da6eb54af26c1ebaa11c3592
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-05-07 07:20:10 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-05-07 07:20:15 +0000

    dev-lang/python: Remove old

    Bug: https://bugs.gentoo.org/787260
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                    |  14 --
 dev-lang/python/python-2.7.18_p8.ebuild     | 355 ----------------------------
 dev-lang/python/python-3.10.0_alpha7.ebuild | 347 ---------------------------
 dev-lang/python/python-3.6.13_p1.ebuild     | 338 --------------------------
 dev-lang/python/python-3.7.10_p1.ebuild     | 330 --------------------------
 dev-lang/python/python-3.8.8_p1.ebuild      | 336 --------------------------
 dev-lang/python/python-3.8.9.ebuild         | 336 --------------------------
 dev-lang/python/python-3.9.2_p1.ebuild      | 345 ---------------------------
 dev-lang/python/python-3.9.4.ebuild         | 345 ---------------------------
 9 files changed, 2746 deletions(-)
```

ppc stable

Unable to check for sanity:
> no match for package: dev-lang/python-2.7.18_p9
GLSA requested

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=721dfacf17914fe5f7bfa3d0b401379d6318f7b1

```
commit 721dfacf17914fe5f7bfa3d0b401379d6318f7b1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 09:12:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 09:31:45 +0000

    [ GLSA 202305-02 ] Python, PyPy3: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/787260
    Bug: https://bugs.gentoo.org/793833
    Bug: https://bugs.gentoo.org/811165
    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/835443
    Bug: https://bugs.gentoo.org/838250
    Bug: https://bugs.gentoo.org/864747
    Bug: https://bugs.gentoo.org/876815
    Bug: https://bugs.gentoo.org/877851
    Bug: https://bugs.gentoo.org/878385
    Bug: https://bugs.gentoo.org/880629
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-02.xml | 107 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 107 insertions(+)
```