Python 3.3 is vulnerable to HTTP Header injection in urllib.

* Nice summary of the problem with POC: http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
* CVE request: http://www.openwall.com/lists/oss-security/2016/06/14/7 (assignment) http://www.openwall.com/lists/oss-security/2016/06/16/2
* Upstream issue: https://bugs.python.org/issue22928
* Upstream fix in Python 3.5, 3.4, 2.7 (but not 3.3): (3.5, 3.4) https://hg.python.org/cpython/rev/bf3e1c9b80e9 (2.7) https://hg.python.org/cpython/rev/1c45047c5102

I've tested the POC given in the first link above, and indeed injection happens with 3.3, but not with 3.4 (haven't tested the others). I'll see if I can backport the patch myself, will attach it here. Also waiting for upstream to respond about my backport request.
A commit references this bug:

Author: junovitch
Date: Mon Jul 4 01:46:35 UTC 2016
New revision: 418007
URL: https://svnweb.freebsd.org/changeset/ports/418007

Log:
  Add fixed entries for Python 2.7, 3.4, 3.5 for urllib vulnerability. Reset 3.3 as unfixed.

  PR:           210539
  PR:           210541
  Reported by:  Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Security:     CVE-2016-5699
  Security:     https://vuxml.FreeBSD.org/freebsd/a61374fc-3a4d-11e6-a671-60a44ce6887b.html

Changes:
  head/security/vuxml/vuln.xml
From https://bugs.python.org/issue22928 koobs@ brought up Python 3.3 should receive security support until 2017-09-29. Pending an upstream patch level release. Reset the associated VuXML as this is still unfixed in 3.3.
@Jason, feel free to add the VuXML entries for python33 if you haven't already. We'd rather users be aware than not, and it'll give us a little more impetus to get this sorted out quickly. I'm happy if we (if possible) backport the patch manually and carry it locally until a future upstream (source only) release.
(In reply to Kubilay Kocak from comment #3)

> feel free to add the VuXML entries for python33 if you haven't already.

Done by brnrd@ and feld@ for both the urllib and smtplib CVEs:

WWW: https://vuxml.FreeBSD.org/freebsd/a61374fc-3a4d-11e6-a671-60a44ce6887b.html
WWW: https://vuxml.FreeBSD.org/freebsd/8d5368ef-40fe-11e6-b2ec-b499baebfeaf.html

We'll need to adjust both with the appropriate fixed version once it's updated.
I've backported the patch, added for review here: https://reviews.freebsd.org/D7107
Nice work Vlad. Can you confirm QA (poudriere, make test) passes after these changes, and if possible, test/confirm that the module behaves as expected with the test case in the upstream issue?
(In reply to Kubilay Kocak from comment #6)

Sure. The build passes on Poudriere 10.3 amd64. I haven't yet tested with a 9.3 jail. The unit tests pass in both ways. Without the patch to HTTPMessage the tests fail, meaning it's vulnerable. With the patch the tests pass, meaning it's fixed. I was looking only at the test_invalid_headers() test. Some other tests fail, but have failed before this patch too, and I have yet to figure out if that's because of my jail set up.
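A stand-alone version of the kind of check the comment above describes, added here as an example (it is neither the port's patch nor upstream's test code). The two regexes are modelled on the checks the upstream fix added to http.client.putheader, which is an assumption about what the backport carries; the probe function assumes a Python 3 interpreter and never opens a socket.

```python
import re
from http.client import HTTPConnection

# Modelled on the validation upstream added to http.client.putheader for
# CVE-2016-5699 (assumption, not copied from the port's patch). A header
# name may not start with ':' or whitespace and may not contain ':', CR or
# LF; a value may contain CR/LF only as an obs-fold, i.e. immediately
# followed by a space or tab (a CR may also be followed by LF).
_LEGAL_HEADER_NAME = re.compile(rb'[^:\s][^:\r\n]*').fullmatch
_ILLEGAL_HEADER_VALUE = re.compile(rb'\n(?![ \t])|\r(?![ \t\n])').search


def is_valid_header_name(name: bytes) -> bool:
    """True when the name passes the (assumed) upstream name check."""
    return _LEGAL_HEADER_NAME(name) is not None


def is_valid_header_value(value: bytes) -> bool:
    """True when the value has no bare CR/LF, so it cannot start a new header line."""
    return _ILLEGAL_HEADER_VALUE(value) is None


def interpreter_rejects_crlf_in_header() -> bool:
    """Probe the running interpreter the way test_invalid_headers() does.

    putrequest()/putheader() only fill the connection's send buffer, so no
    network traffic is generated. Returns True when the installed
    http.client raises ValueError on a CRLF in a header value (patched),
    False when it silently accepts it (unpatched, as python33 was before
    this PR was resolved).
    """
    conn = HTTPConnection('localhost')  # constructed; never connected
    conn.putrequest('GET', '/')
    try:
        # Constructed probe value: a bare CRLF followed by a second header.
        conn.putheader('X-Probe', 'ok\r\nX-Injected: yes')
    except ValueError:
        return True
    finally:
        conn.close()
    return False
```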
Is there a status update on this?
(In reply to Mark Felder from comment #8)

Yep, Robak and Bernard are testing, not sure who's committing. See: https://reviews.freebsd.org/D7107
A commit references this bug:

Author: brnrd
Date: Sun Nov 27 16:52:25 UTC 2016
New revision: 427246
URL: https://svnweb.freebsd.org/changeset/ports/427246

Log:
  lang/python33: Fix HTTP Header injection vulnerability

  - Backport of upstream fix for 3.4/3.5

  PR:                    210539
  Submitted by:          Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Reported by:           Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Reviewed by:           robak, brnrd
  MFH:                   2016Q4
  Security:              CVE-2016-5699
  Security:              a61374fc-3a4d-11e6-a671-60a44ce6887b
  Differential Revision: D7107

Changes:
  head/lang/python33/Makefile
  head/lang/python33/files/patch-Lib_http_client.py
  head/lang/python33/files/patch-Lib_test_test__httplib.py
Re-open for MFH, and assign to committer resolving.
A commit references this bug:

Author: brnrd
Date: Tue Nov 29 09:36:14 UTC 2016
New revision: 427371
URL: https://svnweb.freebsd.org/changeset/ports/427371

Log:
  MFH: r427246

  lang/python33: Fix HTTP Header injection vulnerability

  - Backport of upstream fix for 3.4/3.5

  PR:                    210539
  Submitted by:          Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Reported by:           Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Reviewed by:           robak, brnrd
  Security:              CVE-2016-5699
  Security:              a61374fc-3a4d-11e6-a671-60a44ce6887b
  Differential Revision: D7107
  Approved by:           ports-secteam (junovitch)

Changes:
_U  branches/2016Q4/
  branches/2016Q4/lang/python33/Makefile
  branches/2016Q4/lang/python33/files/patch-Lib_http_client.py
  branches/2016Q4/lang/python33/files/patch-Lib_test_test__httplib.py