Bug 834533 (CVE-2021-28861, CVE-2021-3654) - <dev-lang/python-{3.8.13_p5,3.9.13_p2,3.10.6} <dev-python/pypy3-7.3.9_p5: SimpleHTTPRequestHandler open redirect
Status: IN_PROGRESS
Alias: CVE-2021-28861, CVE-2021-3654
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugs.python.org/issue32084
Whiteboard: A4 [glsa]
Keywords:
Depends on: 864741 864743 864745 864781
Blocks:
Reported: 2022-03-03 15:00 UTC by John Helmert III
Modified: 2022-11-19 01:15 UTC

See Also:
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-03 15:00:54 UTC
CVE-2021-3654

A vulnerability was found in openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC could be made to redirect to any desired URL.

https://opendev.org/openstack/nova/commit/04d48527b62a35d912f93bc75613a6cca606df66

Red Hat issued this as an OpenStack Nova vulnerability, but this
actually seems to be a CVE to indicate that Nova worked around a
known, different Python bug. From the commit,

"Our console proxies (novnc, serial, spice) run in a websockify server
whose request handler inherits from the python standard
SimpleHTTPRequestHandler. There is a known issue [1] in the
SimpleHTTPRequestHandler which allows open redirects by way of URLs
in the following format:

  http://vncproxy.my.domain.com//example.com/%2F..

which if visited, will redirect a user to example.com."

The Python issue at URL was closed as a duplicate of
https://bugs.python.org/issue43223, which has a reference to a stalled
PR: https://github.com/python/cpython/pull/24848.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-09 21:54:41 UTC
(In reply to John Helmert III from comment #0)
> [...]
> The Python issue at URL was closed as a duplicate of
> https://bugs.python.org/issue43223, which has a reference to a stalled
> PR: https://github.com/python/cpython/pull/24848.

... which was closed in favor of https://github.com/python/cpython/pull/93879, merged in mainline as:

https://github.com/python/cpython/commit/4abab6b603dd38bec1168e9a37c40a48ec89508e

Which seems to have only been backported into 3.11.0 and 3.10.6.
Comment 2 Larry the Git Cow gentoo-dev 2022-08-10 06:02:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36063b2db18e7ab9604a7d876d74494a7883f2b0

commit 36063b2db18e7ab9604a7d876d74494a7883f2b0
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 05:57:54 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 06:02:31 +0000

    dev-lang/python: Backport secfixes to 3.8.13_p5
    
    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/838250
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.8.13_p5.ebuild | 349 ++++++++++++++++++++++++++++++++
 2 files changed, 350 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2ac85939cdee26b89aeb9e500d97d3c798a1f57f

commit 2ac85939cdee26b89aeb9e500d97d3c798a1f57f
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 05:51:47 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 06:02:31 +0000

    dev-lang/python: Backport secfixes to 3.9.13_p2
    
    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/838250
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.9.13_p2.ebuild | 403 ++++++++++++++++++++++++++++++++
 2 files changed, 404 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2022-08-10 09:31:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53de9a0c1a9392749b46e9b326516023b3dcbcdc

commit 53de9a0c1a9392749b46e9b326516023b3dcbcdc
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 09:28:47 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 09:28:47 +0000

    dev-python/pypy3: Backport secfixes to 7.3.9_p5
    
    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/838250
    Bug: https://bugs.gentoo.org/864747
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pypy3/Manifest              |   1 +
 dev-python/pypy3/pypy3-7.3.9_p5.ebuild | 210 +++++++++++++++++++++++++++++++++
 2 files changed, 211 insertions(+)
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 15:59:59 UTC
Python 2.7 is probably affected too but the code changed a lot, so verifying would take more time than I can spend.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-23 19:43:10 UTC
This seems to have gotten another CVE.

CVE-2021-28861 (https://bugs.python.org/issue43223):
https://github.com/python/cpython/pull/93879
https://github.com/python/cpython/pull/24848

Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may lead to information disclosure.
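
An added example, not code from this bug, CPython or Nova: a small model of the directory redirect discussed in this report. It shows why a request path with two leading slashes produces a scheme-relative `Location` header, and how collapsing the leading slashes before handling keeps the redirect on the same host. `SERVED_DIRS` and all function names are hypothetical, and the directory tree is constructed.

```python
import posixpath
from urllib.parse import unquote, urlsplit, urlunsplit

SERVED_DIRS = {"/", "/docs"}  # constructed directory tree for this model


def resolve(path):
    """Decode and normalise a request path to the directory it maps to."""
    decoded = unquote(path.split("?", 1)[0].split("#", 1)[0])
    parts = [p for p in posixpath.normpath(decoded).split("/")
             if p and p not in (".", "..")]
    return "/" + "/".join(parts)


def directory_redirect(path):
    """Location sent for a directory request lacking a trailing '/', else None."""
    parts = urlsplit(path)
    if resolve(path) in SERVED_DIRS and not parts.path.endswith("/"):
        return urlunsplit((parts.scheme, parts.netloc, parts.path + "/",
                           parts.query, parts.fragment))
    return None


def is_offsite(location):
    """True when a Location value names a host, e.g. '//example.com/...'."""
    return bool(urlsplit(location).netloc)


def collapse_leading_slashes(path):
    """Mitigation modelled here: reduce a run of leading '/' to one."""
    return "/" + path.lstrip("/") if path.startswith("//") else path


def safe_redirect(path):
    """Directory redirect computed on the normalised request path."""
    return directory_redirect(collapse_leading_slashes(path))


if __name__ == "__main__":
    sample = "//example.com/%2F.."  # path portion of the URL quoted in this bug
    for label, fn in (("unpatched", directory_redirect), ("patched", safe_redirect)):
        location = fn(sample)
        print(f"{label}: Location={location!r} offsite={is_offsite(location)}")
```

The same `is_offsite` check can be applied to `Location` headers in a regression test for any handler that inherits from `SimpleHTTPRequestHandler`.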
Comment 6 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-08-25 07:42:50 UTC
cleanup done.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-25 15:32:58 UTC
Thank you!
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-19 01:15:25 UTC
GLSA requested