Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 770853 (CVE-2021-23336) - <dev-lang/python-{2.7.18_p7,3.6.12_p3,3.7.9_p3,3.8.7_p2,3.9.1_p2,3.10.0_alpha5_p1}: parameter cloaking vulnerability (CVE-2021-23336)
Summary: <dev-lang/python-{2.7.18_p7,3.6.12_p3,3.7.9_p3,3.8.7_p2,3.9.1_p2,3.10.0_alpha...
Status: IN_PROGRESS
Alias: CVE-2021-23336
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugs.python.org/issue42967
Whiteboard: A4 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-15 22:20 UTC by John Helmert III
Modified: 2021-04-06 12:48 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-02-15 22:20:40 UTC
CVE-2021-23336:

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.


Doesn't appear to be released.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-02-15 22:37:35 UTC
I'll backport it in ~1 hour.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-02-15 23:15:04 UTC
Oh my, this is a backwards-incompatible change.  I wonder if it'll break something.
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-02-15 23:56:10 UTC
I've filled the package list for future reference but let's not run the stablereq yet.  The current behavior was present practically since forever, and the change is not backwards-compatible.  Let's give it at least a few more days to see if it doesn't break stuff.
Comment 4 NATTkA bot gentoo-dev 2021-02-15 23:56:51 UTC Comment hidden (obsolete)
Comment 5 Larry the Git Cow gentoo-dev 2021-02-16 00:13:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f2a53a94f3b6b6395ef4541051a02d80c61442d0

commit f2a53a94f3b6b6395ef4541051a02d80c61442d0
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-02-15 23:48:16 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-02-16 00:12:55 +0000

    dev-lang/python: Backport CVE-2021-23336 fix to 2.7
    
    Bug: https://bugs.gentoo.org/770853
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-2.7.18_p7.ebuild | 358 ++++++++++++++++++++++++++++++++
 2 files changed, 359 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b22068f64c351ccf7d6140b362559a78593f29b

commit 6b22068f64c351ccf7d6140b362559a78593f29b
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-02-15 23:47:23 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-02-16 00:12:54 +0000

    dev-lang/python: Backport CVE-2021-23336 fix to 3.6
    
    Bug: https://bugs.gentoo.org/770853
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.6.12_p3.ebuild | 341 ++++++++++++++++++++++++++++++++
 2 files changed, 342 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=266ba3cecffea1dfde91ac09ba3ce44a95b6fdf5

commit 266ba3cecffea1dfde91ac09ba3ce44a95b6fdf5
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-02-15 23:46:10 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-02-16 00:12:53 +0000

    dev-lang/python: Backport CVE-2021-23336 fix to 3.7
    
    Bug: https://bugs.gentoo.org/770853
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest               |   1 +
 dev-lang/python/python-3.7.9_p3.ebuild | 333 +++++++++++++++++++++++++++++++++
 2 files changed, 334 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5a326329d0121f8a618e73feb3fe1dfb31f9e1f

commit b5a326329d0121f8a618e73feb3fe1dfb31f9e1f
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-02-15 23:44:52 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-02-16 00:12:52 +0000

    dev-lang/python: Backport CVE-2021-23336 fix to 3.8
    
    Bug: https://bugs.gentoo.org/770853
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest               |   1 +
 dev-lang/python/python-3.8.7_p2.ebuild | 337 +++++++++++++++++++++++++++++++++
 2 files changed, 338 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1144374a1b5cf6f7fe32d536d8ef454d1e96b7e8

commit 1144374a1b5cf6f7fe32d536d8ef454d1e96b7e8
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-02-15 23:43:45 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-02-16 00:12:51 +0000

    dev-lang/python: Backport CVE-2021-23336 fix to 3.9
    
    Bug: https://bugs.gentoo.org/770853
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest               |   1 +
 dev-lang/python/python-3.9.1_p2.ebuild | 346 +++++++++++++++++++++++++++++++++
 2 files changed, 347 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b67b5c6ab21333995d79ae8b7ffad18163639768

commit b67b5c6ab21333995d79ae8b7ffad18163639768
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-02-15 23:38:46 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-02-16 00:12:50 +0000

    dev-lang/python: Backport CVE-2021-23336 fix to 3.10
    
    Bug: https://bugs.gentoo.org/770853
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                       |   1 +
 dev-lang/python/python-3.10.0_alpha5_p1.ebuild | 349 +++++++++++++++++++++++++
 2 files changed, 350 insertions(+)
Comment 6 John Helmert III gentoo-dev Security 2021-02-16 00:17:50 UTC
Thank you!
Comment 7 Sam James archtester gentoo-dev Security 2021-03-11 07:01:51 UTC
ping.
Comment 8 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-03-11 09:07:10 UTC
Ok, let's stabilize the new set.
Comment 9 NATTkA bot gentoo-dev 2021-03-11 09:09:02 UTC
All sanity-check issues have been resolved
Comment 10 Sam James archtester gentoo-dev Security 2021-03-11 13:34:07 UTC
ppc64 done
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2021-03-12 08:12:21 UTC
amd64 stable
Comment 12 Thomas Deutschmann gentoo-dev Security 2021-03-15 01:40:33 UTC
x86 stable
Comment 13 Sam James archtester gentoo-dev Security 2021-03-15 03:50:49 UTC
ppc done
Comment 14 Rolf Eike Beer 2021-03-15 18:13:10 UTC
hppa stable
Comment 15 Rolf Eike Beer 2021-03-19 20:08:48 UTC
sparc stable
Comment 16 Sam James archtester gentoo-dev Security 2021-03-28 10:58:18 UTC
arm64 done
Comment 17 Sam James archtester gentoo-dev Security 2021-03-28 11:02:56 UTC
arm done
Comment 18 Sam James archtester gentoo-dev Security 2021-04-05 22:25:50 UTC
s390 done

all arches done
Comment 19 John Helmert III gentoo-dev Security 2021-04-06 01:48:16 UTC
Please cleanup.
Comment 20 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-04-06 06:30:21 UTC
It's already cleaned up, isn't it?
Comment 21 John Helmert III gentoo-dev Security 2021-04-06 12:48:10 UTC
(In reply to Michał Górny from comment #20)
> It's already cleaned up, isn't it?

Yep, sorry!