Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 361223 (CVE-2011-1521) - <dev-lang/python-{2.6.8,2.7.2-r3,3.1.5,3.2.2}: File Disclosure or Denial of Service Vulnerability in urllib/urllib2 (CVE-2011-1521)
Summary: <dev-lang/python-{2.6.8,2.7.2-r3,3.1.5,3.2.2}: File Disclosure or Denial of S...
Status: RESOLVED FIXED
Alias: CVE-2011-1521
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://bugs.python.org/issue11662
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-03-30 04:02 UTC by Tim Sammut (RETIRED)
Modified: 2014-01-06 22:03 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2011-03-30 04:02:10 UTC
From the upstream bug at $URL:

description:
--------------------
The Python urllib and urllib2 modules are typically used to fetch web
pages but by default also contains handlers for ftp:// and file:// URL
schemes.

Now unfortunately it appears that it is possible for a web server to
redirect (HTTP 302) a urllib request to any of the supported
schemes. Examples on how this could turn bad:

 1) File disclosure: A web application, that normally fetches and
 displays a web page, is redirected to file:///etc/passwd and
 discloses it.

 2) Denial of Service: An application is redirected to a system device
 (e.g. file:///dev/zero) which will result in excessive CPU/memory/disk
 usage.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:24:59 UTC
CVE-2011-1521 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1521):
  The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before
  3.2.1 process Location headers that specify redirection to file: URLs, which
  makes it easier for remote attackers to obtain sensitive information or
  cause a denial of service (resource consumption) via a crafted URL, as
  demonstrated by the file:///etc/passwd and file:///dev/zero URLs.
Comment 2 Sergey Popov gentoo-dev 2014-01-06 22:03:56 UTC
Covered by GLSA 201401-04

Closing as fixed