Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 749339 (CVE-2020-26116) - dev-lang/python: CRLF injection in http.client (CVE-2020-26116)
Summary: dev-lang/python: CRLF injection in http.client (CVE-2020-26116)
Status: RESOLVED FIXED
Alias: CVE-2020-26116
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugs.python.org/issue39603
Whiteboard: A4 [glsa+ cve]
Keywords:
Depends on: 736854 743232 743235 759928
Blocks:
  Show dependency tree
 
Reported: 2020-10-15 18:35 UTC by John Helmert III
Modified: 2021-01-25 00:00 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2020-10-15 18:35:45 UTC
CVE-2020-26116:

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.


Patch in 3.6.12: https://github.com/python/cpython/commit/f02de961b9f19a5db0ead56305fe0057a78787ae
3.7.9: https://github.com/python/cpython/commit/ca75fec1ed358f7324272608ca952b2d8226d11a
3.8.5: https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf

3.9 and 3.10 are both patched as they are in our tree, but links to patches for completeness:
https://github.com/python/cpython/commit/27b811057ff5e93b68798e278c88358123efdc71
https://github.com/python/cpython/commit/8ca8a2e8fb068863c1138f07e3098478ef8be12e

I imagine 2.7 is unpatched, though I'm not sure if anything in the tree uses it in that way.

The necessary stablereqs for 3.{6,7,8} are already rolling, so we'll just depend on them here.
Comment 1 John Helmert III gentoo-dev Security 2020-10-15 18:40:06 UTC
Maintainer, if 2.7 needs patching please do so.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-10-15 19:42:28 UTC
Unless I'm mistaken, this has been backported to all stable 3.x versions, and it is in >=2.7.18-r2.  I'm going to do the cleanup now.
Comment 3 Larry the Git Cow gentoo-dev 2020-10-15 19:43:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b36327f343dfda178953e30181c59c58d2f037bf

commit b36327f343dfda178953e30181c59c58d2f037bf
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-10-15 19:43:04 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-10-15 19:43:40 +0000

    dev-lang/python: Remove old 2.7 versions
    
    Bug: https://bugs.gentoo.org/749339
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   2 -
 dev-lang/python/python-2.7.18-r1.ebuild | 366 --------------------------------
 dev-lang/python/python-2.7.18-r2.ebuild | 366 --------------------------------
 dev-lang/python/python-2.7.18-r3.ebuild | 366 --------------------------------
 4 files changed, 1100 deletions(-)
Comment 4 John Helmert III gentoo-dev Security 2020-10-17 01:00:37 UTC
(In reply to Michał Górny from comment #2)
> Unless I'm mistaken, this has been backported to all stable 3.x versions,
> and it is in >=2.7.18-r2.  I'm going to do the cleanup now.

Are you sure? This is a different issue than the email CRLF bug. I can't find any Gentoo patches that touch the same files as the upstream patches.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-10-17 03:27:12 UTC
commit 138e2caeb4827ccfd1eaff2cf63afb79dfeeb3c4 (HEAD -> gentoo-2.7-vanilla, gentoo/gentoo-2.7-vanilla)
Author: Michał Górny <mgorny@gentoo.org>
Date:   2020-09-10 13:39:48 +0200

    bpo-39603: Prevent header injection in http methods (GH-18485) (GH-21539)
    
    reject control chars in http method in http.client.putrequest to prevent http header injection
    (cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e)
    
    Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
    
    [rebased for py2.7]

 Lib/httplib.py           | 17 +++++++++++++++++
 Lib/test/test_httplib.py | 20 ++++++++++++++++++++
 2 files changed, 37 insertions(+)
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2021-01-25 00:00:40 UTC
This issue was resolved and addressed in
 GLSA 202101-18 at https://security.gentoo.org/glsa/202101-18
by GLSA coordinator Aaron Bauman (b-man).