Bug 689822 (CVE-2018-20852) - <dev-lang/python-{2.7.17,3.5.7,3.6.9,3.7.3}: validation flaw in Lib/http/cookiejar.py (CVE-2018-20852)
Status: RESOLVED FIXED
Alias: CVE-2018-20852
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugs.python.org/issue35121
Whiteboard: A4 [glsa+ cve]
Keywords:
Depends on: 701116
Blocks: CVE-2019-5010, CVE-2019-9740, CVE-2019-9636, CVE-2019-9947, CVE-2019-9948
Reported: 2019-07-14 07:45 UTC by D'juan McDonald (domhnall)
Modified: 2020-03-15 15:59 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description D'juan McDonald (domhnall) 2019-07-14 07:45:14 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2018-20852):

http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.


Gentoo Security Padawan (domhnall)
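The flaw described above comes down to a suffix test that ignores label boundaries. The following is an added illustration, not code from this bug report or from CPython: the two check functions are a simplified re-implementation of the domain test in http.cookiejar.DefaultCookiePolicy before and after the bpo-35121 fix (the real functions also consult the policy's blocked/allowed lists and the effective request host), and cookie_sent_to() probes the http.cookiejar shipped with whatever interpreter runs it, without any network access. The hostnames example.com and pythonicexample.com are the ones from the description; sub.example.com and the cookie name/value are constructed for the example.

```python
"""CVE-2018-20852: cookie-domain suffix matching without a label boundary.

Added illustration (not CPython's code): domain_matches_vulnerable() and
domain_matches_fixed() re-implement the core of the domain check before and
after the bpo-35121 fix; cookie_sent_to() asks the running interpreter's own
http.cookiejar whether it would release a cookie to a given host.
"""
import http.cookiejar
import urllib.request


def domain_matches_vulnerable(cookie_domain: str, req_host: str) -> bool:
    """Pre-fix logic: the request host gets a leading dot, but the stored
    cookie domain is used as a raw string suffix. A host-only cookie is stored
    with domain 'example.com' (no leading dot), so '.pythonicexample.com'
    ends with it and the cookie is released to the wrong server."""
    if not req_host.startswith("."):
        req_host = "." + req_host
    return req_host.endswith(cookie_domain)


def domain_matches_fixed(cookie_domain: str, req_host: str) -> bool:
    """Post-fix logic: the cookie domain also gets a leading dot, so the
    suffix test can only succeed at a label boundary ('.example.com')."""
    if not req_host.startswith("."):
        req_host = "." + req_host
    dotdomain = cookie_domain if cookie_domain.startswith(".") else "." + cookie_domain
    return req_host.endswith(dotdomain)


def cookie_sent_to(cookie_domain: str, target_host: str) -> bool:
    """Store a host-only, non-secure cookie for cookie_domain in a CookieJar
    that uses DefaultCookiePolicy, then ask the jar to add cookie headers to
    a request for target_host. True means this interpreter would send the
    cookie to that host. Nothing is sent on the network."""
    jar = http.cookiejar.CookieJar()  # default policy is DefaultCookiePolicy
    cookie = http.cookiejar.Cookie(
        version=0, name="session", value="secret",  # constructed sample cookie
        port=None, port_specified=False,
        domain=cookie_domain, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=False, expires=None, discard=False,
        comment=None, comment_url=None, rest={},
    )
    jar.set_cookie(cookie)
    request = urllib.request.Request("http://%s/" % target_host)
    jar.add_cookie_header(request)
    return request.has_header("Cookie")


def interpreter_is_vulnerable() -> bool:
    """CVE-2018-20852 check for the interpreter running this script: does a
    cookie stored for example.com leak to pythonicexample.com?"""
    return cookie_sent_to("example.com", "pythonicexample.com")


if __name__ == "__main__":
    for host in ("example.com", "sub.example.com", "pythonicexample.com"):
        print("%-22s pre-fix=%-5s post-fix=%s" % (
            host,
            domain_matches_vulnerable("example.com", host),
            domain_matches_fixed("example.com", host)))
    print("this interpreter leaks example.com cookies to pythonicexample.com:",
          interpreter_is_vulnerable())
```

Run it under a suspect interpreter (for instance an old 2.7/3.5/3.6 slot still on a Gentoo box, after adjusting the module name to cookielib for 2.7) to confirm whether the fix is present: a fixed interpreter prints False for the last line, a vulnerable one prints True. The legitimate cases (example.com itself, and subdomains of it) are accepted by both the pre-fix and post-fix check, so the fix does not change which cookies a well-behaved client sends.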
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-07-14 08:04:33 UTC
[?] dev-lang/python
     Available versions:  
     (2.7)  2.7.15 (~)2.7.16{xpak}
     (3.5)  3.5.5(3.5/3.5m)^t (~)3.5.7(3.5/3.5m)^t{xpak}
     (3.6)  3.6.5(3.6/3.6m)^t (~)3.6.8(3.6/3.6m)^t{xpak}
     (3.7)  (~)3.7.2(3.7/3.7m)^t (~)3.7.3(3.7/3.7m)^t{xpak}

So we need to stabilize new versions of 2.7, 3.5, 3.7 and bump+stabilize 3.6.
Comment 2 Larry the Git Cow gentoo-dev 2019-07-14 13:05:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1cd1842cd013485101789106c7b25c8999cff9e9

commit 1cd1842cd013485101789106c7b25c8999cff9e9
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-07-14 12:46:56 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-07-14 12:48:20 +0000

    dev-lang/python: Bump to 3.6.9
    
    Bug: https://bugs.gentoo.org/689822
    Bug: https://bugs.gentoo.org/680246
    Bug: https://bugs.gentoo.org/676700
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest            |   1 +
 dev-lang/python/python-3.6.9.ebuild | 349 ++++++++++++++++++++++++++++++++++++
 2 files changed, 350 insertions(+)
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-26 13:46:46 UTC
@ maintainer(s): You still need to fix 2.7.x branch (https://github.com/python/cpython/commit/979daae300916adb399ab5b51410b6ebd0888f13) or bump to 2.7.17!
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2019-12-07 01:21:19 UTC
Let's use this one for stabilization.

@ maintainer(s): Please call for stabilization!
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-01-03 08:31:03 UTC
All affected versions should be gone now.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 15:43:29 UTC
New GLSA request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 15:59:17 UTC
This issue was resolved and addressed in
 GLSA 202003-26 at https://security.gentoo.org/glsa/202003-26
by GLSA coordinator Thomas Deutschmann (whissi).