813396 – (CVE-2021-39214) <net-proxy/mitmproxy-7.0.3: HTTP request smuggling

Bug 813396 (CVE-2021-39214) - <net-proxy/mitmproxy-7.0.3: HTTP request smuggling

Summary: <net-proxy/mitmproxy-7.0.3: HTTP request smuggling

Status:	RESOLVED FIXED

Alias:	CVE-2021-39214

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://github.com/mitmproxy/mitmprox...
Whiteboard:	C3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2021-09-16 14:40 UTC by Matthew Smith
Modified:	2021-09-17 18:23 UTC (History)
CC List:	0 users

See Also:	https://github.com/gentoo/gentoo/pull/22310
Package list:	net-proxy/mitmproxy-7.0.3
Runtime testing required:	No

Flags:	nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Matthew Smith gentoo-dev

2021-09-16 14:40:26 UTC

In mitmproxy 7.0.2 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response's HTTP message body. While mitmproxy would only see one request, the target server would see multiple requests. A smuggled request is still captured as part of another request's body, but it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization.

Unless you use mitmproxy to protect an HTTP/1 service, no action is required.

Comment 1 Larry the Git Cow gentoo-dev

2021-09-16 18:44:02 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a8916b8f61dbc5d8ab40f8366c9fdb480ec77446

commit a8916b8f61dbc5d8ab40f8366c9fdb480ec77446
Author:     Matt Smith <matt@offtopica.uk>
AuthorDate: 2021-09-16 16:21:20 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2021-09-16 18:43:32 +0000

    net-proxy/mitmproxy: Bump to 7.0.3
    
    Bug: https://bugs.gentoo.org/813396
    Package-Manager: Portage-3.0.23, Repoman-3.0.3
    Signed-off-by: Matt Smith <matt@offtopica.uk>
    Closes: https://github.com/gentoo/gentoo/pull/22310
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 net-proxy/mitmproxy/Manifest               |  1 +
 net-proxy/mitmproxy/mitmproxy-7.0.3.ebuild | 69 ++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)

Comment 2 John Helmert III archtester

2021-09-17 01:17:39 UTC

Thanks for reporting!

Comment 3 Agostino Sarubbo gentoo-dev

2021-09-17 09:18:35 UTC

amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 4 Matthew Smith gentoo-dev

2021-09-17 09:24:07 UTC

I don't think it's worth sending out a GLSA for this as I really doubt that people are using mitmproxy in production to implement access controls or as a WAF.

Comment 5 Larry the Git Cow gentoo-dev

2021-09-17 18:19:37 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=163eed9fc08345008f693d773048b4b3d93d92e1

commit 163eed9fc08345008f693d773048b4b3d93d92e1
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2021-09-17 18:17:40 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2021-09-17 18:17:40 +0000

    net-proxy/mitmproxy: drop 7.0.2
    
    Bug: https://bugs.gentoo.org/813396
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-proxy/mitmproxy/Manifest               |  1 -
 net-proxy/mitmproxy/mitmproxy-7.0.2.ebuild | 69 ------------------------------
 2 files changed, 70 deletions(-)

Comment 6 John Helmert III archtester

2021-09-17 18:23:00 UTC

All done!