Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 680298 (CVE-2019-9636) - <dev-lang/python-{2.7.17,3.5.7,3.6.9,3.7.3}: Information Disclosure due to urlsplit improper NFKC normalization (CVE-2019-9636)
Summary: <dev-lang/python-{2.7.17,3.5.7,3.6.9,3.7.3}: Information Disclosure due to ur...
Status: RESOLVED FIXED
Alias: CVE-2019-9636
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A4 [glsa+ cve]
Keywords:
Depends on: CVE-2018-20852 701116
Blocks:
  Show dependency tree
 
Reported: 2019-03-14 08:33 UTC by Agostino Sarubbo
Modified: 2020-03-15 15:59 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2019-03-14 08:33:14 UTC
From ${URL} :

A vulnerability was found in Python 2.7.x through 2.7.16 and 3.x through 3.7.2. An improper Handling of Unicode Encoding (with an incorrect 
netloc) during NFKC normalization could lead to an Information Disclosure (credentials, cookies, etc. that are cached against a given 
hostname) in the urllib.parse.urlsplit, urllib.parse.urlparse components. A specially crafted URL could be incorrectly parsed to locate 
cookies or authentication data and send that information to a different host than when parsed correctly.  



References:
https://bugs.python.org/issue36216
https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html

Uptream Patch:
https://github.com/python/cpython/pull/12201


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Larry the Git Cow gentoo-dev 2019-03-29 12:59:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e3fcda6cbf3533091102bc3c7272d0bcf357fb9

commit 1e3fcda6cbf3533091102bc3c7272d0bcf357fb9
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-03-29 12:27:40 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-03-29 12:59:12 +0000

    dev-lang/python: Bump to 3.7.3
    
    Bug: https://bugs.gentoo.org/676700
    Bug: https://bugs.gentoo.org/680298
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest            |   2 +
 dev-lang/python/python-3.7.3.ebuild | 325 ++++++++++++++++++++++++++++++++++++
 2 files changed, 327 insertions(+)
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2019-04-02 05:43:16 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 3 Thomas Deutschmann gentoo-dev Security 2019-10-26 14:09:12 UTC
Fixed in 2.7.17 which is not yet available in Gentoo repository.
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-01-03 08:30:46 UTC
All affected versions should be gone now.
Comment 5 Thomas Deutschmann gentoo-dev Security 2020-03-15 15:44:51 UTC
Added to an existing GLSA.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 15:59:01 UTC
This issue was resolved and addressed in
 GLSA 202003-26 at https://security.gentoo.org/glsa/202003-26
by GLSA coordinator Thomas Deutschmann (whissi).