Bug 707822 (CVE-2020-8492) - <dev-lang/python-{2.7.18,3.6.10-r2,3.7.7-r2,3.8.2-r2,3.9.0_alpha5-r1}: Python allows an HTTP server to conduct ReDoS attacks against a client (CVE-2020-8492)
Summary: <dev-lang/python-{2.7.18,3.6.10-r2,3.7.7-r2,3.8.2-r2,3.9.0_alpha5-r1}: Python...
Status: CONFIRMED
Alias: CVE-2020-8492
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugs.python.org/issue39503
Whiteboard: A3 [stable glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-01 22:41 UTC by filip ambroz
Modified: 2020-05-14 22:21 UTC

See Also:
Package list:
dev-lang/python-2.7.18 dev-lang/python-3.6.10-r2 dev-lang/python-3.7.7-r2 dev-lang/python-3.8.2-r2
Runtime testing required: ---
nattka: sanity-check+


Description filip ambroz 2020-02-01 22:41:12 UTC
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
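The description names the cause, catastrophic backtracking in the regex that urllib.request.AbstractBasicAuthHandler uses to pull the scheme and realm out of a WWW-Authenticate header, but does not show it. The Python block below is an added example written for this page; it is not code from the bug report, from Gentoo's patchset, or from CPython. LEGACY_RX and HARDENED_RX are this example's own reconstructions of the shape of the pre-fix and post-fix patterns discussed in the upstream issue linked in the URL field (bpo-39503); treat them as illustrations rather than quotations of CPython source. All header values used are constructed for the example.

```python
"""Parsing WWW-Authenticate challenges without catastrophic backtracking.

Added example for CVE-2020-8492; not code from the Gentoo bug or from CPython.
LEGACY_RX and HARDENED_RX are reconstructions (an assumption, from memory) of
the pre-fix and post-fix regex shapes discussed in bpo-39503.
"""
import re

# Vulnerable shape. '(?:.*,)*' is a repeated group whose body can itself
# consume commas, so on a header value that contains a long run of separators
# but no parsable realm the engine tries exponentially many ways to divide the
# commas between iterations before it can report "no match". A server controls
# this value, which is why the CVE describes a server attacking a client.
# Kept for reference only; it is never run on untrusted input in this example.
LEGACY_RX = re.compile(r'(?:.*,)*[ \t]*([^ \t]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)

# Hardened shape. Each challenge is anchored at the start of the string or at
# a single comma, and the scheme token may not contain commas or whitespace, so
# every character belongs to exactly one alternative and backtracking stays
# bounded. Work is linear in the length of the header value.
HARDENED_RX = re.compile(
    r'(?:^|,)'                     # start of string or challenge separator
    r'[ \t]*'                      # optional whitespace
    r'([^ \t,]+)'                  # scheme token, e.g. "Basic"
    r'[ \t]+'                      # mandatory whitespace
    r'realm=(["\']?)([^"\']*)\2',  # realm=xxx / realm='xxx' / realm="xxx"
    re.I,
)


def parse_challenges(header_value):
    """Return [(scheme, realm), ...] for every challenge in a header value.

    Uses only the hardened pattern, so a hostile value costs linear time.
    """
    return [(m.group(1), m.group(3)) for m in HARDENED_RX.finditer(header_value)]


def basic_realm(header_value):
    """Return the realm of the first Basic challenge, or None if there is none.

    Mirrors what a Basic-auth handler needs: the realm to look credentials up by.
    """
    for scheme, realm in parse_challenges(header_value):
        if scheme.lower() == 'basic':
            return realm
    return None


if __name__ == '__main__':
    # Constructed sample values: the three realm spellings, multiple
    # challenges in one header, and a separator-only value of the kind that
    # makes LEGACY_RX backtrack exponentially (HARDENED_RX returns [] at once).
    samples = [
        'Basic realm="WallyWorld"',
        "Basic realm='WallyWorld'",
        'Basic realm=WallyWorld',
        'Digest realm="api", Basic realm="files"',
        ',' * 100000,
    ]
    for value in samples:
        print(repr(value[:40]), '->', parse_challenges(value), basic_realm(value))
```

The regression test that matters for this CVE is the last sample: a value that is nothing but separators must come back as "no challenge" immediately. Running LEGACY_RX on that same value would be the ReDoS the description refers to, which is why the block leaves it unexecuted.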
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2020-03-02 07:10:59 UTC
CVE-2020-8492 (https://nvd.nist.gov/vuln/detail/CVE-2020-8492):
  Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7
  through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct
  Regular Expression Denial of Service (ReDoS) attacks against a client
  because of urllib.request.AbstractBasicAuthHandler catastrophic
  backtracking.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-03-02 09:12:40 UTC
So apparently 3.8.2 is the only good version now.
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-03-02 09:22:00 UTC
Hmm, no, apparently the CVE didn't account for 3.8.2.  Upstream did not merge a fix yet ;-/.
Comment 5 Larry the Git Cow gentoo-dev 2020-04-22 13:32:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d0962541c4227d11c9fbcc5373104676680859f

commit 4d0962541c4227d11c9fbcc5373104676680859f
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-22 12:20:35 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-22 13:32:28 +0000

    dev-lang/python: Backport secfixes to 3.9.0a5, redo patchset
    
    Bug: https://bugs.gentoo.org/707822
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                      |   2 +
 dev-lang/python/python-3.9.0_alpha5-r1.ebuild | 329 ++++++++++++++++++++++++++
 2 files changed, 331 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d24d55c6519197b1f7f70c9233aac9d06823a0cc

commit d24d55c6519197b1f7f70c9233aac9d06823a0cc
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-22 12:16:04 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-22 13:32:26 +0000

    dev-lang/python: Backport secfixes to 3.8.2, redo patchset
    
    Bug: https://bugs.gentoo.org/707822
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest               |   2 +-
 dev-lang/python/python-3.8.2-r2.ebuild | 348 +++++++++++++++++++++++++++++++++
 2 files changed, 349 insertions(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=84738a6394aa497ed0cc14c1cca27cf2f3a42030

commit 84738a6394aa497ed0cc14c1cca27cf2f3a42030
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-22 12:11:25 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-22 13:32:25 +0000

    dev-lang/python: Backport secfixes to 3.7.7, redo patchset
    
    Bug: https://bugs.gentoo.org/707822
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest               |   1 +
 dev-lang/python/python-3.7.7-r2.ebuild | 345 +++++++++++++++++++++++++++++++++
 2 files changed, 346 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f79755dbf44b79c2f5b99e9f3258b656d2d99ebb

commit f79755dbf44b79c2f5b99e9f3258b656d2d99ebb
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-22 11:57:16 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-22 13:32:24 +0000

    dev-lang/python: Backport secfixes to 3.6.10, redo patchset
    
    Bug: https://bugs.gentoo.org/707822
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.6.10-r2.ebuild | 359 ++++++++++++++++++++++++++++++++
 2 files changed, 360 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ca57e96ecbcd060e4f70aa24ccd83470ccb8a434

commit ca57e96ecbcd060e4f70aa24ccd83470ccb8a434
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-22 11:33:10 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-22 13:32:23 +0000

    dev-lang/python: Bump to 2.7.18
    
    Bug: https://bugs.gentoo.org/707822
    Closes: https://bugs.gentoo.org/716332
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest             |   2 +
 dev-lang/python/python-2.7.18.ebuild | 366 +++++++++++++++++++++++++++++++++++
 2 files changed, 368 insertions(+)
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-04-25 10:47:48 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-04-26 18:15:47 UTC
arm stable
Comment 8 Thomas Deutschmann gentoo-dev Security 2020-04-26 23:48:33 UTC
x86 stable
Comment 9 Sam James (sec padawan) 2020-04-28 23:29:55 UTC
arm64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-04-30 15:59:01 UTC
s390 stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-05-01 13:59:10 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-05-01 14:01:02 UTC
ppc64 stable
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2020-05-14 22:19:57 UTC
This issue was resolved and addressed in
 GLSA 202005-09 at https://security.gentoo.org/glsa/202005-09
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 14 Thomas Deutschmann gentoo-dev Security 2020-05-14 22:21:02 UTC
Re-opening for cleanup and remaining architectures.