877521 – (CVE-2022-36087) <dev-python/oauthlib-3.2.2: DoS via malicious redirect URI

Bug 877521 (CVE-2022-36087) - <dev-python/oauthlib-3.2.2: DoS via malicious redirect URI

Summary: <dev-python/oauthlib-3.2.2: DoS via malicious redirect URI

Status:	RESOLVED FIXED

Alias:	CVE-2022-36087

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:	877523
Blocks:
	Show dependency tree

Reported:	2022-10-18 05:15 UTC by Michał Górny
Modified:	2022-10-18 22:11 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michał Górny archtester

2022-10-18 05:15:05 UTC

Apparently upstream has moved the changelog entry for this CVE fix from 3.2.1 to 3.2.2.

> In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing malicious redirect uri can cause denial of service. An attacker can also leverage usage of `uri_validate` functions depending where it is used. OAuthLib applications using OAuth2.0 provider support or use directly `uri_validate` are affected by this issue. Version 3.2.1 contains a patch. There are no known workarounds.

Comment 1 Michał Górny archtester

2022-10-18 19:55:38 UTC

cleanup done.

Comment 2 John Helmert III archtester

2022-10-18 22:11:59 UTC

Thank you! Of course, now everybody that has fixed it will need to fix it again...

But, no GLSA from us, relatively few revdeps and likely hard to exploit given it requires using attacker infrastructure. All done.