Bug 787260 (CVE-2021-29921) - <dev-lang/python-{2.7.18_p9, 3.6.13_p3, 3.7.10_p3, 3.8.9_p2, 3.9.4_p1}: Improper Input Validation of octal literals (CVE-2021-29921)
Status: IN_PROGRESS
Alias: CVE-2021-29921
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://sick.codes/sick-2021-014
Whiteboard: A4 [glsa? cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-01 01:13 UTC by GLSAMaker/CVETool Bot
Modified: 2021-06-16 19:16 UTC (History)

See Also:
Package list:
dev-lang/python-2.7.18_p9 dev-lang/python-3.6.13_p3 dev-lang/python-3.7.10_p3 dev-lang/python-3.8.9_p2 dev-lang/python-3.9.4_p1
Runtime testing required: ---
nattka: sanity-check-


Description GLSAMaker/CVETool Bot gentoo-dev 2021-05-01 01:13:00 UTC
CVE-2021-29921 (https://nvd.nist.gov/vuln/detail/CVE-2021-29921):
  Improper input validation of octal strings in Python 3.8.0 thru v3.10 stdlib
  ipaddress allows unauthenticated remote attackers to perform indeterminate
  SSRF, RFI, and LFI attacks on many programs that rely on Python stdlib
  ipaddress. IP address octets are left stripped instead of evaluated as
  valid IP addresses. For example, an attacker submitting an IP address to a
  web application that relies on stdlib ipaddress, could cause SSRF via
  inputting octal input data; an attacker can submit exploitable IP addresses
  if the octet is 3 digits, with the minimum exploitable octet being 08
  (Denial of Service) and the maximum exploitable octet is 099. For example,
  an attacker can submit 010.8.8.8, which is 8.8.8.8, yet Python ipaddress
  builtin will evaluate this as 10.8.8.8.
Comment 1 Thomas Deutschmann gentoo-dev Security 2021-05-01 01:15:42 UTC
Title
=====
python stdlib “ipaddress” – Improper Input Validation of octal literals in python 3.8.0 thru v3.10 results in indeterminate SSRF & RFI vulnerabilities. — “ipaddress leading zeros in IPv4 address”

Product Versions
================
3.8.0 thru v3.10

Vulnerability Details
=====================
Improper input validation of octal strings in Python 3.8.0 thru v3.10 stdlib ipaddress allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many programs that rely on Python stdlib ipaddress. IP address octets are left stripped instead of evaluated as valid IP addresses. For example, an attacker submitting an IP address to a web application that relies on stdlib ipaddress, could cause SSRF via inputting octal input data; an attacker can submit exploitable IP addresses if the octet is 3 digits, with the minimum exploitable octet being 08 (Denial of Service) and the maximum exploitable octet is 099. For example, an attacker can submit 010.8.8.8, which is 8.8.8.8, yet Python ipaddress builtin will evaluate this as 10.8.8.8.

Vendor Response
===============
Currently unpatched – due to be addressed in next release.

Proof of Concept
================
Vulnerability added in python3.8

https://github.com/python/cpython/pull/12577

Documented to be vulnerable in the changelog:

https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst

Stop rejecting IPv4 octets for being ambiguously octal. Leading zeros are ignored, and no longer are assumed to specify octal octets. Octets are always decimal numbers. Octets must still be no more than three digits, including leading zeroes.
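The leading-zero problem quoted in the description and in the advisory text above, as an added example (this is not code from the bug, the advisory, or CPython): a strict dotted-quad parser that refuses any octet with a leading zero before the string ever reaches ipaddress, so the outcome does not depend on which interpreter version is installed, plus the kind of allow-list check an SSRF guard would apply on top of it. The function names, the allow/deny policy and the sample literals are assumptions of this example; the only literal taken from the page is 010.8.8.8.

```python
"""Strict IPv4 literal handling for CVE-2021-29921 (added example, not from the page)."""
import ipaddress
import re
import socket

# One to three decimal digits per octet; a leading zero is only allowed when
# the octet is exactly "0".  Enforcing this ourselves means "010.8.8.8" is
# rejected on every Python version instead of being read as 10.8.8.8 (3.8 to
# 3.9.4) or raising (3.9.5+ / 3.10).
_OCTET = r"(?:0|[1-9][0-9]{0,2})"
_STRICT_IPV4 = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")


def has_leading_zero_octet(text: str) -> bool:
    """True if any dotted-quad octet has a leading zero ('08', '010', '099')."""
    parts = text.split(".")
    return len(parts) == 4 and any(len(p) > 1 and p.startswith("0") for p in parts)


def is_canonical_ipv4(text: str) -> bool:
    """True only for a plain decimal dotted quad with no leading zeros and
    every octet in 0..255."""
    if not _STRICT_IPV4.fullmatch(text):
        return False
    try:
        ipaddress.IPv4Address(text)  # enforces the 0..255 range
    except ValueError:
        return False
    return True


def strict_ipv4(text: str) -> ipaddress.IPv4Address:
    """Parse a dotted quad, raising ValueError on any form that different
    parsers might read differently (leading zeros, wrong octet count, >255)."""
    if not _STRICT_IPV4.fullmatch(text):
        raise ValueError(f"non-canonical IPv4 literal rejected: {text!r}")
    return ipaddress.IPv4Address(text)


def allowed_target(text: str) -> bool:
    """Hypothetical SSRF guard: canonical form only, and never a private,
    loopback, link-local, multicast, reserved or unspecified address."""
    try:
        addr = strict_ipv4(text)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def interpretations(text: str) -> dict:
    """How two parsers read the same literal.  Shown only to make the
    disagreement visible; a validator must not rely on either of them."""
    out = {}
    try:
        out["ipaddress"] = str(ipaddress.IPv4Address(text))  # version dependent
    except ValueError:
        out["ipaddress"] = None
    try:
        # libc inet_aton treats a leading zero as octal, so "010" is 8.
        out["inet_aton"] = socket.inet_ntoa(socket.inet_aton(text))
    except OSError:
        out["inet_aton"] = None
    return out


if __name__ == "__main__":
    for literal in ("8.8.8.8", "010.8.8.8", "08.8.8.8"):
        print(literal, "canonical:", is_canonical_ipv4(literal),
              "allowed:", allowed_target(literal), interpretations(literal))
```

The point of returning the ipaddress object from strict_ipv4 rather than the original string is that every later consumer (socket connect, allow-list, logging) works from one unambiguous value; the string is only ever parsed once, and only after the canonical-form check.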
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-05-01 07:37:26 UTC
...and upstream is debating whether to actually fix it because someone may be relying on this in his workflow.
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-05-02 15:29:54 UTC
Is it still ok to extend this to 'multiple vulnerabilities' or should I file a separate bug for earlier vulns we've missed?

The recent security fixes for 3.9 are:

    bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391) (GH-25247)

    bpo-43472: Ensure PyInterpreterState_New audit events are raised when called through _xxsubinterpreters module (GH-25506) (GH-25508)

    [3.9] bpo-43882 - urllib.parse should sanitize urls containing ASCII newline and tabs. (GH-25595) (GH-25725)
Comment 4 Thomas Deutschmann gentoo-dev Security 2021-05-02 16:08:05 UTC
If all vulns will apply to Python versions we will handle in this bug we can add additional vulns to this bug.

But if not all vulns apply to all Python versions we will handle here we cannot combine because we have to take care to not announce we have fixed vuln X in Y when Y wasn't affected by X.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-05-02 16:19:30 UTC
The ipaddress vulnerability applies only to python-3.8+ (it was a regression).

The ReDoS and newline in URL fixes apply to all versions down to Python 2.7.
Comment 6 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-05-02 16:36:20 UTC
Ok, here are all the versions that need to be stabilized.  Feel free to move them around if you split the bug.
Comment 7 Sam James archtester gentoo-dev Security 2021-05-03 19:21:28 UTC
ppc64 done
Comment 8 Rolf Eike Beer archtester 2021-05-04 07:37:21 UTC
hppa stable
Comment 9 Rolf Eike Beer archtester 2021-05-04 20:03:25 UTC
sparc stable
Comment 10 Sam James archtester gentoo-dev Security 2021-05-04 20:04:45 UTC
amd64 done
Comment 11 Sam James archtester gentoo-dev Security 2021-05-04 20:04:56 UTC
x86 done
Comment 12 Sam James archtester gentoo-dev Security 2021-05-04 20:05:10 UTC
arm done
Comment 13 Sam James archtester gentoo-dev Security 2021-05-04 20:05:21 UTC
arm64 done
Comment 14 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-05-06 23:07:43 UTC
To be honest, I'm really wondering if upstream's solution to bpo-43882 is really improving security.

They're changing the behavior of the urlparse module from passing LF, CR and HT through to stripping them.  Technically, if someone used urlparse results without validation, this fixes potential vulnerabilities.  However, it doesn't help if someone uses the original unprocessed URL independently of urlparse results.

At the same time, it can introduce vulnerabilities if someone is using urlparse to feed a URL validator, and then uses the original URL.  It means the validator will get a 'sanitized' URL and will not reject it but the original URL will still contain dangerous chars that the validator previously rejected.

I know that at the very least the validators in botocore and django were broken by this (both patched in Gentoo now) but I don't know if any real vulnerabilities were caused by broken validation.
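The validator mismatch described in Comment 14, as an added example (not code from the bug, from CPython, or from the botocore/django fixes mentioned): a naive validator that checks the parsed URL but hands the raw string back to the caller, beside a hardened one that rejects control characters before urlsplit can strip them and returns the canonical urlunsplit form, so the string that was checked and the string that is used are the same. The host allow-list, the function names and the sample URLs are constructed for this example.

```python
"""Check the raw URL, use the canonical URL (added example for the bpo-43882 discussion)."""
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allow-list of hosts the application may fetch from.
ALLOWED_HOSTS = frozenset({"example.com", "api.example.com"})

# Tab, CR and LF are what patched urllib.parse silently drops (bpo-43882) and
# what older versions pass through; we refuse every C0 control and DEL rather
# than let the parser decide.
_CONTROL_CHARS = frozenset(chr(c) for c in range(0x00, 0x20)) | {"\x7f"}


def naive_validate(raw_url: str) -> str:
    """The fragile pattern from Comment 14: the allow-list sees the parsed
    (possibly sanitized) host, but the caller gets raw_url back unchanged,
    so what was checked and what is used can differ."""
    parts = urlsplit(raw_url)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("host not allowed")
    return raw_url


def control_chars_in(raw_url: str) -> list:
    """Control characters present in the raw string, as hex code points."""
    return sorted({hex(ord(c)) for c in raw_url if c in _CONTROL_CHARS})


def safe_http_url(raw_url: str) -> str:
    """Hardened version: reject control characters on the raw string first,
    validate the parsed parts, then return urlunsplit(parts) so the caller
    uses exactly the representation that was validated."""
    bad = control_chars_in(raw_url)
    if bad:
        raise ValueError(f"control characters in URL: {bad}")
    parts = urlsplit(raw_url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {parts.hostname!r}")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL not allowed")
    return urlunsplit(parts)


if __name__ == "__main__":
    # Constructed inputs: one clean, one with an embedded newline.
    for candidate in ("https://example.com/path?q=1", "https://example.com/pa\nth"):
        try:
            print(repr(candidate), "->", safe_http_url(candidate))
        except ValueError as exc:
            print(repr(candidate), "rejected:", exc)
```

Because the control-character check runs on the raw string before parsing, the result is the same on a Python that strips tabs and newlines and on one that passes them through; the validator no longer depends on which of the two urlparse behaviors is installed.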
Comment 15 Sam James archtester gentoo-dev Security 2021-05-06 23:32:06 UTC
ppc done

all arches done
Comment 16 Larry the Git Cow gentoo-dev 2021-05-07 07:28:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d9d5f7a74ea1e392da6eb54af26c1ebaa11c3592

commit d9d5f7a74ea1e392da6eb54af26c1ebaa11c3592
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-05-07 07:20:10 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-05-07 07:20:15 +0000

    dev-lang/python: Remove old
    
    Bug: https://bugs.gentoo.org/787260
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                    |  14 --
 dev-lang/python/python-2.7.18_p8.ebuild     | 355 ----------------------------
 dev-lang/python/python-3.10.0_alpha7.ebuild | 347 ---------------------------
 dev-lang/python/python-3.6.13_p1.ebuild     | 338 --------------------------
 dev-lang/python/python-3.7.10_p1.ebuild     | 330 --------------------------
 dev-lang/python/python-3.8.8_p1.ebuild      | 336 --------------------------
 dev-lang/python/python-3.8.9.ebuild         | 336 --------------------------
 dev-lang/python/python-3.9.2_p1.ebuild      | 345 ---------------------------
 dev-lang/python/python-3.9.4.ebuild         | 345 ---------------------------
 9 files changed, 2746 deletions(-)
Comment 17 Sergei Trofimovich (RETIRED) gentoo-dev 2021-05-11 20:51:33 UTC
ppc stable
Comment 18 NATTkA bot gentoo-dev 2021-06-16 11:16:25 UTC
Unable to check for sanity:

> no match for package: dev-lang/python-2.7.18_p9