Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 743646 (CVE-2020-25032) - <dev-python/flask-cors-3.0.9: Directory traversal (CVE-2020-25032)
Summary: <dev-python/flask-cors-3.0.9: Directory traversal (CVE-2020-25032)
Status: RESOLVED FIXED
Alias: CVE-2020-25032
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/corydolphin/flask-...
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 696640
Blocks: EAPI5Removal
  Show dependency tree
 
Reported: 2020-09-20 02:12 UTC by John Helmert III
Modified: 2020-12-03 17:46 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2020-09-20 02:12:36 UTC
An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.



Need a bump to 3.0.9. Our version in tree is 5 years out of date and its maintainer doesn't seem to have made any commits since the git switch.
Comment 1 John Helmert III gentoo-dev Security 2020-09-20 02:15:47 UTC
CCing treecleaner due to lack of maintenance. Only revdep is media-sound/beets[webserver].
Comment 2 Sam James archtester gentoo-dev Security 2020-09-20 04:01:07 UTC
I see beets' maintainer has a PR for this, will get to reviewing it...
Comment 3 Guillaume Seren 2020-09-21 11:35:11 UTC
Hey,
I have rebased my branch and bump flask-cors to 3.0.9
Comment 4 Larry the Git Cow gentoo-dev 2020-12-02 20:48:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36c867f82127c775231e5200caa0551f661aa866

commit 36c867f82127c775231e5200caa0551f661aa866
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-12-02 20:46:06 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-12-02 20:47:36 +0000

    dev-python/flask-cors: bump to 3.0.9 and add more py compats
    
    Bug: https://bugs.gentoo.org/743256
    Bug: https://bugs.gentoo.org/743646
    Closes: https://bugs.gentoo.org/696640
    Closes: https://bugs.gentoo.org/718834
    
    Suggested-by: Guillaume Seren <guillaumeseren@gmail.com>
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-python/flask-cors/Manifest                |  1 +
 dev-python/flask-cors/flask-cors-3.0.9.ebuild | 32 +++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2020-12-02 20:50:47 UTC
@arches, please stabilize
Comment 6 Thomas Deutschmann gentoo-dev Security 2020-12-02 23:30:44 UTC
x86 stable
Comment 7 Sam James archtester gentoo-dev Security 2020-12-03 04:34:09 UTC
amd64 done

all arches done
Comment 8 Sam James archtester gentoo-dev Security 2020-12-03 04:35:30 UTC
Please cleanup.
Comment 9 Larry the Git Cow gentoo-dev 2020-12-03 08:29:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=049de164f57c0d78595a376097d5236a7707556a

commit 049de164f57c0d78595a376097d5236a7707556a
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-12-03 08:28:39 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-12-03 08:29:25 +0000

    dev-python/flask-cors: Remove old
    
    Bug: https://bugs.gentoo.org/743646
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/flask-cors/Manifest                |  1 -
 dev-python/flask-cors/flask-cors-2.1.0.ebuild | 69 ---------------------------
 2 files changed, 70 deletions(-)
Comment 10 John Helmert III gentoo-dev Security 2020-12-03 17:46:52 UTC
Tree is clean, thanks all!