CVE-2020-26116: http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request. Patch in 3.6.12: https://github.com/python/cpython/commit/f02de961b9f19a5db0ead56305fe0057a78787ae 3.7.9: https://github.com/python/cpython/commit/ca75fec1ed358f7324272608ca952b2d8226d11a 3.8.5: https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf 3.9 and 3.10 are both patched as they are in our tree, but links to patches for completeness: https://github.com/python/cpython/commit/27b811057ff5e93b68798e278c88358123efdc71 https://github.com/python/cpython/commit/8ca8a2e8fb068863c1138f07e3098478ef8be12e I imagine 2.7 is unpatched, though I'm not sure if anything in the tree uses it in that way. The necessary stablereqs for 3.{6,7,8} are already rolling, so we'll just depend on them here.
Maintainer, if 2.7 needs patching please do so.
Unless I'm mistaken, this has been backported to all stable 3.x versions, and it is in >=2.7.18-r2. I'm going to do the cleanup now.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b36327f343dfda178953e30181c59c58d2f037bf commit b36327f343dfda178953e30181c59c58d2f037bf Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2020-10-15 19:43:04 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2020-10-15 19:43:40 +0000 dev-lang/python: Remove old 2.7 versions Bug: https://bugs.gentoo.org/749339 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-lang/python/Manifest | 2 - dev-lang/python/python-2.7.18-r1.ebuild | 366 -------------------------------- dev-lang/python/python-2.7.18-r2.ebuild | 366 -------------------------------- dev-lang/python/python-2.7.18-r3.ebuild | 366 -------------------------------- 4 files changed, 1100 deletions(-)
(In reply to Michał Górny from comment #2) > Unless I'm mistaken, this has been backported to all stable 3.x versions, > and it is in >=2.7.18-r2. I'm going to do the cleanup now. Are you sure? This is a different issue than the email CRLF bug. I can't find any Gentoo patches that touch the same files as the upstream patches.
commit 138e2caeb4827ccfd1eaff2cf63afb79dfeeb3c4 (HEAD -> gentoo-2.7-vanilla, gentoo/gentoo-2.7-vanilla) Author: Michał Górny <mgorny@gentoo.org> Date: 2020-09-10 13:39:48 +0200 bpo-39603: Prevent header injection in http methods (GH-18485) (GH-21539) reject control chars in http method in http.client.putrequest to prevent http header injection (cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e) Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com> [rebased for py2.7] Lib/httplib.py | 17 +++++++++++++++++ Lib/test/test_httplib.py | 20 ++++++++++++++++++++ 2 files changed, 37 insertions(+)
This issue was resolved and addressed in GLSA 202101-18 at https://security.gentoo.org/glsa/202101-18 by GLSA coordinator Aaron Bauman (b-man).
