Bug 684838 (CVE-2019-9947, CVE-2019-9948) - <dev-lang/python-{2.7.17,3.6.9,3.7.4}: Multiple Vulnerabilities (CVE-2019-{9947,9948})
Status: RESOLVED FIXED
Alias: CVE-2019-9947, CVE-2019-9948
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on: CVE-2018-20852 701116
Blocks:
Reported: 2019-05-01 00:12 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-15 15:59 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2019-05-01 00:12:47 UTC
CVE-2019-9948 (https://nvd.nist.gov/vuln/detail/CVE-2019-9948):
  urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which
  makes it easier for remote attackers to bypass protection mechanisms that
  blacklist file: URIs, as demonstrated by triggering a
  urllib.urlopen('local_file:///etc/passwd') call.

CVE-2019-9947 (https://nvd.nist.gov/vuln/detail/CVE-2019-9947):
  An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib
  in Python 3.x through 3.7.2. CRLF injection is possible if the attacker
  controls a url parameter, as demonstrated by the first argument to
  urllib.request.urlopen with \r\n (specifically in the query string or
  PATH_INFO) followed by an HTTP header or a Redis command. This is similar to
  CVE-2019-9740.
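An added example, not part of this bug report or of the CPython fix: a defensive URL check that rejects both patterns quoted above (a non-allowlisted scheme such as local_file: or file:, and CR/LF characters) before a string is handed to urllib. The function and constant names are my own.

```python
import re
from urllib.parse import urlsplit

# Only these schemes may reach urllib; everything else (file:, local_file:, ...) is rejected.
ALLOWED_SCHEMES = frozenset({"http", "https"})

# Any C0 control character or DEL. This catches the \r\n of CVE-2019-9947 and
# any other character that could terminate a request line or header.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Deliberately looser than RFC 3986 so that "local_file:" is recognised as a
# scheme (CVE-2019-9948): urlsplit() does not allow "_" in a scheme and would
# silently treat the whole string as a path, hiding the scheme from an allowlist.
SCHEME_PREFIX = re.compile(r"^([^/?#:]*):")


def validate_url(url):
    """Return (ok, reason); ok is True only for an absolute http(s) URL
    with a host and no control characters."""
    if CONTROL_CHARS.search(url):
        return False, "control character in URL"
    m = SCHEME_PREFIX.match(url)
    if m is None:
        return False, "missing scheme"
    scheme = m.group(1).lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % scheme
    parts = urlsplit(url)
    # Belt and braces: the prefix parse and the stdlib parse must agree.
    if parts.scheme.lower() != scheme:
        return False, "scheme parse mismatch"
    if not parts.hostname:
        return False, "missing host"
    return True, "ok"


# Constructed sample inputs, including the two patterns quoted in the CVE text.
SAMPLES = [
    "https://example.com/search?q=1",
    "local_file:///etc/passwd",
    "file:///etc/passwd",
    "http://example.com/?q=1\r\nX-Injected: 1",
    "/relative/path",
]

if __name__ == "__main__":
    for u in SAMPLES:
        ok, reason = validate_url(u)
        print("%-6s %-30s %s" % ("allow" if ok else "reject", repr(u)[:30], reason))
```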
Comment 1 Thomas Deutschmann gentoo-dev Security 2019-10-26 14:06:11 UTC
CVE-2019-9947 is handled in bug 680246.

CVE-2019-9948:
2.7: Fixed in 2.7.17 which is not yet available in Gentoo repository.

3.5.8rc1: https://github.com/python/cpython/commit/4fe82a8eef7aed60de05bfca0f2c322730ea921e
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-01-03 08:30:57 UTC
All affected versions should be gone now.
Comment 3 Thomas Deutschmann gentoo-dev Security 2020-03-15 15:44:17 UTC
Added to an existing GLSA.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 15:59:09 UTC
This issue was resolved and addressed in
 GLSA 202003-26 at https://security.gentoo.org/glsa/202003-26
by GLSA coordinator Thomas Deutschmann (whissi).