Bug 210539 - lang/python33: HTTP Header Injection in Python urllib (CVE-2016-5699)
Summary: lang/python33: HTTP Header Injection in Python urllib (CVE-2016-5699)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Bernard Spil
URL: http://blog.blindspotsecurity.com/201...
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2016-06-24 20:43 UTC by VK
Modified: 2016-11-30 10:43 UTC (History)

See Also:
koobs: maintainer-feedback+
brnrd: merge-quarterly+


Description VK freebsd_triage 2016-06-24 20:43:08 UTC
Python 3.3 is vulnerable to HTTP Header injection in urllib.

* Nice summary of the problem with POC:
  http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html

* CVE request:
  http://www.openwall.com/lists/oss-security/2016/06/14/7
  (assignment) http://www.openwall.com/lists/oss-security/2016/06/16/2

* Upstream issue:
  https://bugs.python.org/issue22928

* Upstream fix in Python 3.5, 3.4, 2.7 (but not 3.3):
  (3.5, 3.4) https://hg.python.org/cpython/rev/bf3e1c9b80e9
  (2.7) https://hg.python.org/cpython/rev/1c45047c5102

I've tested the POC given in the first link above, and indeed injection happens with 3.3, but not with 3.4 (haven't tested the others). I'll see if I can backport the patch myself, will attach it here. Also waiting for upstream to respond about my backport request.
Comment 1 commit-hook freebsd_committer freebsd_triage 2016-07-04 01:46:50 UTC
A commit references this bug:

Author: junovitch
Date: Mon Jul  4 01:46:35 UTC 2016
New revision: 418007
URL: https://svnweb.freebsd.org/changeset/ports/418007

Log:
  Add fixed entries for Python 2.7, 3.4, 3.5 for urllib vulnerability.

  Reset 3.3 as unfixed.

  PR:		210539
  PR:		210541
  Reported by:	Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Security:	CVE-2016-5699
  Security:	https://vuxml.FreeBSD.org/freebsd/a61374fc-3a4d-11e6-a671-60a44ce6887b.html

Changes:
  head/security/vuxml/vuln.xml
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2016-07-04 01:49:38 UTC
From https://bugs.python.org/issue22928 koobs@ brought up Python 3.3 should receive security support until 2017-09-29. Pending an upstream patch level release.

Reset the associated VuXML as this is still unfixed in 3.3.
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2016-07-05 10:03:55 UTC
@Jason, feel free to add the VuXML entries for python33 if you haven't already.

We'd rather users be aware than not and it'll give us a little more impetus to get this sorted out quickly.

I'm happy if we (if possible) backport the patch manually and carry it locally until future upstream (source only) release.
Comment 4 Jason Unovitch freebsd_committer freebsd_triage 2016-07-05 11:07:30 UTC
(In reply to Kubilay Kocak from comment #3)
> feel free to add the VuXML entries for python33 if you haven't already.

Done by brnrd@ and feld@ for both the urllib and smtplib CVEs:
WWW: https://vuxml.FreeBSD.org/freebsd/a61374fc-3a4d-11e6-a671-60a44ce6887b.html
WWW: https://vuxml.FreeBSD.org/freebsd/8d5368ef-40fe-11e6-b2ec-b499baebfeaf.html

We'll need to adjust both with the appropriate fixed version once it's updated.
Comment 5 VK freebsd_triage 2016-07-05 12:31:27 UTC
I've backported the patch, added for review here: https://reviews.freebsd.org/D7107
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2016-07-05 12:38:58 UTC
Nice work Vlad

Can you confirm QA (poudriere, make test) passes after these changes, and if possible, test/confirm that the module behaves as expected with the test case in the upstream issue.
Comment 7 VK freebsd_triage 2016-07-09 18:34:11 UTC
(In reply to Kubilay Kocak from comment #6)

Sure. The build passes Poudriere 10.3 amd64. I haven't yet tested with a 9.3 jail. The unit tests pass in both ways. Without the patch to HTTPMessage the tests fail, meaning it's vulnerable. With the patch the tests pass, meaning it's fixed. I was looking only at the test_invalid_headers() test. Some other tests fail, but have failed before this patch too and I have yet to figure out if that's because of my jail set up.
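Added example, not code from the port, the upstream commits or anyone in this thread: a reproduction of the header name/value validation the upstream fix added to http.client.putheader, applied to a constructed set of headers, plus a socket-free probe that tells you whether the interpreter you are running already refuses a bare CRLF (the behaviour test_invalid_headers checks). The regexes, function names and sample headers are this example's own assumptions.

```python
import http.client
import re

# Regexes modelled on the checks the upstream fix added to putheader.
# Legal name: no leading colon/whitespace, and no colon, CR or LF anywhere.
_is_legal_header_name = re.compile(rb"[^:\s][^:\r\n]*$").fullmatch
# Illegal value: a CR or LF that does not start a folded continuation line.
_is_illegal_header_value = re.compile(rb"\n(?![ \t])|\r(?![ \t\n])").search

# Constructed sample headers: the last three are shapes the fix refuses.
SAMPLE_HEADERS = [
    ("Content-Type", "text/plain"),
    ("X-Folded", "first\r\n second"),  # obsolete line folding stays legal
    ("X-Bare-LF", "a\nb"),
    ("X-Bare-CR", "a\rb"),
    ("Bad:Name", "value"),
]


def validate_header(name, value):
    """Return b'Name: value' or raise ValueError like the patched putheader."""
    if isinstance(name, str):
        name = name.encode("ascii")
    if isinstance(value, str):
        value = value.encode("latin-1")
    if not _is_legal_header_name(name):
        raise ValueError("Invalid header name %r" % (name,))
    if _is_illegal_header_value(value):
        raise ValueError("Invalid header value %r" % (value,))
    return name + b": " + value


def rejected_headers(pairs):
    """Names of the (name, value) pairs the validation refuses."""
    rejected = []
    for name, value in pairs:
        try:
            validate_header(name, value)
        except ValueError:
            rejected.append(name)
    return rejected


def interpreter_rejects_crlf():
    """True if this interpreter's http.client raises ValueError for a bare
    CRLF in a header value; an unpatched 3.3 silently buffers the split."""
    conn = http.client.HTTPConnection("localhost")  # connects only on send
    conn.putrequest("GET", "/")  # buffers the request line, sends nothing
    try:
        conn.putheader("X-Constructed", "a\r\nb")
    except ValueError:
        return True
    finally:
        conn.close()
    return False
```

Running interpreter_rejects_crlf() on a python33 build before and after r427246 is a quick way to confirm the backport took effect without running the full test suite.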
Comment 8 Mark Felder freebsd_committer freebsd_triage 2016-07-26 15:35:06 UTC
Is there a status update on this?
Comment 9 Kubilay Kocak freebsd_committer freebsd_triage 2016-07-28 12:29:42 UTC
(In reply to Mark Felder from comment #8)

Yep, Robak and Bernard are testing, not sure who's committing.

See: https://reviews.freebsd.org/D7107
Comment 10 commit-hook freebsd_committer freebsd_triage 2016-11-27 16:53:23 UTC
A commit references this bug:

Author: brnrd
Date: Sun Nov 27 16:52:25 UTC 2016
New revision: 427246
URL: https://svnweb.freebsd.org/changeset/ports/427246

Log:
  lang/python33: Fix HTTP Header injection vulnerability

    - Backport of upstream fix for 3.4/3.5

  PR:             210539
  Submitted by:	Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Reported by:    Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Reviewed by:    robak, brnrd
  MFH:		2016Q4
  Security:       CVE-2016-5699
  Security:       a61374fc-3a4d-11e6-a671-60a44ce6887b
  Differential Revision:  D7107

Changes:
  head/lang/python33/Makefile
  head/lang/python33/files/patch-Lib_http_client.py
  head/lang/python33/files/patch-Lib_test_test__httplib.py
Comment 11 Kubilay Kocak freebsd_committer freebsd_triage 2016-11-28 09:13:19 UTC
Re-open for MFH, and assign to committer resolving.
Comment 12 commit-hook freebsd_committer freebsd_triage 2016-11-29 09:36:26 UTC
A commit references this bug:

Author: brnrd
Date: Tue Nov 29 09:36:14 UTC 2016
New revision: 427371
URL: https://svnweb.freebsd.org/changeset/ports/427371

Log:
  MFH: r427246

  lang/python33: Fix HTTP Header injection vulnerability

    - Backport of upstream fix for 3.4/3.5

  PR:             210539
  Submitted by:	Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Reported by:    Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
  Reviewed by:    robak, brnrd
  Security:       CVE-2016-5699
  Security:       a61374fc-3a4d-11e6-a671-60a44ce6887b
  Differential Revision:  D7107

  Approved by:	ports-secteam (junovitch)

Changes:
_U  branches/2016Q4/
  branches/2016Q4/lang/python33/Makefile
  branches/2016Q4/lang/python33/files/patch-Lib_http_client.py
  branches/2016Q4/lang/python33/files/patch-Lib_test_test__httplib.py