Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 585946 (CVE-2016-0772) - <dev-lang/python-{2.7.12,3.4.5}: smtplib StartTLS stripping attack (CVE-2016-0772)
Summary: <dev-lang/python-{2.7.12,3.4.5}: smtplib StartTLS stripping attack (CVE-2016-...
Status: RESOLVED FIXED
Alias: CVE-2016-0772
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa cve]
Keywords:
Depends on: 575948
Blocks: 531002 CVE-2016-5636 602240
  Show dependency tree
 
Reported: 2016-06-14 16:04 UTC by Agostino Sarubbo
Modified: 2017-01-10 14:56 UTC (History)
1 user (show)

See Also:
Package list:
=dev-lang/python-2.7.12 =dev-lang/python-3.4.5
Runtime testing required: ---
kensington: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-06-14 16:04:53 UTC
From ${URL} :

A vulnerability in smtplib allowing MITM attacker to perform a startTLS stripping attack. smtplib 
does not seem to raise an exception when the remote end (smtp server) is capable of negotiating 
starttls but fails to respond with 220 (ok) to an explicit call of SMTP.starttls(). This may allow 
a malicious MITM to perform a startTLS stripping attack if the client code does not explicitly 
check the response code for startTLS.

Patch :

Branch 2.7 : https://hg.python.org/cpython/rev/b3ce713fb9be
Branch 3.4 : https://hg.python.org/cpython/rev/d590114c2394


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-11-21 12:36:25 UTC
CVE-2016-0772 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0772):
  The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5,
  and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which
  might allow man-in-the-middle attackers to bypass the TLS protections by
  leveraging a network position between the client and the registry to block
  the StartTLS command, aka a "StartTLS stripping attack."
Comment 3 Mike Gilbert gentoo-dev 2016-11-21 17:17:31 UTC
Please proceed with stabilization of 2.7.12 and 3.4.5.
Comment 4 Thomas Deutschmann gentoo-dev Security 2016-11-21 17:34:20 UTC
@ Arches,

please test and mark stable:

=dev-lang/python-2.7.12
=dev-lang/python-3.4.5

While stabilizing python-3.4.5 please have a look at https://gitweb.gentoo.org/data/gentoo-news.git/tree/2015-12-16-python-abiflags-rebuild-needed/2015-12-16-python-abiflags-rebuild-needed.en.txt
Comment 5 Agostino Sarubbo gentoo-dev 2016-11-22 11:31:20 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-11-22 11:32:38 UTC
x86 stable
Comment 7 Tobias Klausmann gentoo-dev 2016-11-23 18:01:46 UTC
Stable on alpha.
Comment 8 Markus Meier gentoo-dev 2016-11-29 17:38:32 UTC
arm stable
Comment 9 Michael Palimaka (kensington) gentoo-dev 2016-12-18 17:26:49 UTC
An automated check of this bug failed - repoman reported dependency errors (50 lines truncated): 

> dependency.bad dev-lang/python/python-2.7.12.ebuild: PDEPEND: ia64(default/linux/ia64/13.0) ['>=app-eselect/eselect-python-20140125-r1']
> dependency.bad dev-lang/python/python-2.7.12.ebuild: PDEPEND: ia64(default/linux/ia64/13.0/desktop) ['>=app-eselect/eselect-python-20140125-r1']
> dependency.bad dev-lang/python/python-2.7.12.ebuild: PDEPEND: ia64(default/linux/ia64/13.0/desktop/gnome) ['>=app-eselect/eselect-python-20140125-r1']
> dependency.bad dev-lang/python/python-2.7.12.ebuild: PDEPEND: ia64(default/linux/ia64/13.0) ['>=app-eselect/eselect-python-20140125-r1']
> dependency.bad dev-lang/python/python-2.7.12.ebuild: PDEPEND: ia64(default/linux/ia64/13.0/desktop) ['>=app-eselect/eselect-python-20140125-r1']
> dependency.bad dev-lang/python/python-2.7.12.ebuild: PDEPEND: ia64(default/linux/ia64/13.0/desktop/gnome) ['>=app-eselect/eselect-python-20140125-r1']
Comment 10 Michael Palimaka (kensington) gentoo-dev 2016-12-18 17:38:31 UTC
An automated check of this bug failed - repoman reported dependency errors (50 lines truncated): 

> dependency.bad dev-lang/python/python-2.7.12.ebuild: PDEPEND: ia64(default/linux/ia64/13.0) ['>=app-eselect/eselect-python-20140125-r1']
> dependency.bad dev-lang/python/python-2.7.12.ebuild: PDEPEND: ia64(default/linux/ia64/13.0/desktop) ['>=app-eselect/eselect-python-20140125-r1']
> dependency.bad dev-lang/python/python-2.7.12.ebuild: PDEPEND: ia64(default/linux/ia64/13.0/desktop/gnome) ['>=app-eselect/eselect-python-20140125-r1']
> dependency.bad dev-lang/python/python-2.7.12.ebuild: PDEPEND: ia64(default/linux/ia64/13.0) ['>=app-eselect/eselect-python-20140125-r1']
> dependency.bad dev-lang/python/python-2.7.12.ebuild: PDEPEND: ia64(default/linux/ia64/13.0/desktop) ['>=app-eselect/eselect-python-20140125-r1']
> dependency.bad dev-lang/python/python-2.7.12.ebuild: PDEPEND: ia64(default/linux/ia64/13.0/desktop/gnome) ['>=app-eselect/eselect-python-20140125-r1']
Comment 11 Michael Palimaka (kensington) gentoo-dev 2016-12-18 17:45:13 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 12 Agostino Sarubbo gentoo-dev 2016-12-20 09:45:38 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-12-22 09:35:45 UTC
ppc64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2016-12-25 10:10:50 UTC
sparc stable
Comment 15 Agostino Sarubbo gentoo-dev 2016-12-25 10:15:20 UTC
ia64 stable
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2016-12-31 13:50:50 UTC
Stable for HPPA.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2017-01-10 14:01:14 UTC
This issue was resolved and addressed in
 GLSA 201701-18 at https://security.gentoo.org/glsa/201701-18
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 18 Thomas Deutschmann gentoo-dev Security 2017-01-10 14:03:52 UTC
Re-opening for cleanup.

@ Maintainer(s): Please drop =dev-lang/python-2.7.10-r1 and =dev-lang/python-3.4.3-r1! If you want to keep them in repository, please either drop keywords or apply a mask indicating a security problem.
Comment 19 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-01-10 14:54:11 UTC
commit a44128f035324efa9a517c0165ddfa79f255fdfa
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: Tue Jan 10 15:48:32 2017
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: Tue Jan 10 15:52:49 2017

    dev-lang/python: Sec cleanup, #585946

 dev-lang/python/Manifest                |   4 --
 dev-lang/python/python-2.7.10-r1.ebuild | 347 ---------------------------------------------------------------------------------------------------
 dev-lang/python/python-3.4.3-r1.ebuild  | 324 --------------------------------------------------------------------------------------------
 3 files changed, 675 deletions(-)
Comment 20 Thomas Deutschmann gentoo-dev Security 2017-01-10 14:56:56 UTC
@ Maintainer(s): Thank you for your work!

Repository is now clean, all done.