Bug 27407

Summary: python-urllib3 new security issue CVE-2020-26137
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: bruno, geiger.david68210, guillaume.royer, jani.valimaa, ouaurelien, sysadmin-bugs, tarazed25
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
See Also: https://bugs.mageia.org/show_bug.cgi?id=27301
Whiteboard: MGA7-64-OK
Source RPM: python-urllib3-1.24.3-1.1.mga7.src.rpm CVE:
Status comment:
Bug Depends on: 27301    
Bug Blocks:    
Attachments: Tests urllib3 module with a few simple examples
Output from running tutorial.py

Description David Walser 2020-10-13 18:40:23 CEST 
Ubuntu has issued an advisory on October 5:
https://ubuntu.com/security/notices/USN-4570-1

The issue is fixed upstream in 1.25.9.

python-pip bundles this and may need to be fixed too.

Mageia 7 is also affected.
David Walser 2020-10-13 18:40:30 CEST

Whiteboard: (none) => MGA7TOO

David Walser 2020-10-13 19:43:35 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=27301

Comment 1 Aurelien Oudelet 2020-10-14 18:43:51 CEST 
Hi, thanks for reporting this bug.
Assigned to the package maintainer.
CC'd recent commiter.
(Please set the status to 'assigned' if you are working on it)

Assignee: bugsquad => makowski.mageia
CC: (none) => jani.valimaa
Keywords: (none) => Triaged

Comment 2 David Walser 2020-10-21 20:29:26 CEST 
RedHat has issued an advisory for this on October 20:
https://access.redhat.com/errata/RHSA-2020:4299
Comment 3 Philippe Makowski 2020-11-14 10:54:44 CET 
Cauldron have 1.25.10 so it is not affected
Philippe Makowski 2020-11-14 13:35:31 CET

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

David Walser 2020-11-14 16:29:44 CET

Source RPM: python-urllib3-1.25.8-1.mga8.src.rpm => python-urllib3-1.24.3-1.1.mga7.src.rpm

Comment 4 David GEIGER 2020-11-20 09:44:13 CET 
Done for mga7!

CC: (none) => geiger.david68210

Comment 5 David Walser 2020-11-20 16:35:26 CET 
(In reply to David Walser from comment #0)
> python-pip bundles this and may need to be fixed too.

What about this?  (See also Bug 27301 for python-pip).
Comment 6 David Walser 2020-11-20 16:50:54 CET 
python-urllib3 package list:
python2-urllib3-1.24.3-1.2.mga7
python3-urllib3-1.24.3-1.2.mga7

from python-urllib3-1.24.3-1.2.mga7.src.rpm
David Walser 2020-12-28 19:01:13 CET

Status comment: (none) => Bundled copy in python-pip also needs to be fixed

Comment 7 Bruno Cornec 2021-01-05 00:41:29 CET 
python-pip now fixed

CC: (none) => bruno

Comment 8 Bruno Cornec 2021-01-05 15:00:22 CET 
New python-pip fixing fully this BR

Status: NEW => ASSIGNED

Comment 9 David Walser 2021-01-05 15:20:45 CET 
Advisory:
========================

Updated python-urllib3 packages fix security vulnerability:

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP
request method, as demonstrated by inserting CR and LF control characters in
the first argument of putrequest() (CVE-2020-26137).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137
https://ubuntu.com/security/notices/USN-4570-1
========================

Updated packages in core/updates_testing:
========================
python2-urllib3-1.24.3-1.2.mga7
python3-urllib3-1.24.3-1.2.mga7

from python-urllib3-1.24.3-1.2.mga7.src.rpm

Depends on: (none) => 27301
Status comment: Bundled copy in python-pip also needs to be fixed => (none)
Assignee: makowski.mageia => qa-bugs

Comment 10 Guillaume Royer 2021-01-24 21:35:05 CET 
Installation done with no message error.

Using QA Repo with mentioned above packages list, update over existing installation returns no errors.
==========================================
installation de python3-urllib3-1.24.3-1.2.mga7.noarch.rpm depuis //home/guillaume/qa-testing/x86_64
Préparation...                   ###########################
      1/1: python3-urllib3       ###########################
      1/1: désinstallation de python3-urllib3-1.24.3-1.1.mga7.noarch
                                 ###########################
writing /var/lib/rpm/installed-through-deps.list

CC: (none) => guillaume.royer

Comment 11 Len Lawrence 2021-01-25 10:21:03 CET 
See this script for basic testing.  Annotations will be added later.
The jls8.pdf produced by one of the tests covers the Java Language Specification.

$ cat tutorial.py

# This python snippet exercizes the basic functions of urllib3.
# It is a truncated version of the introduction at https://zetcode.com/python/urllib3/
# *** Install python3-certifi before running this ***
# The script was intended for python3 but seems to work with python2.

import urllib3
print( urllib3.__version__ )

http = urllib3.PoolManager( )
url = 'http://webcode.me'
resp = http.request( 'GET', url )
print( resp.status )
print( resp.data.decode('utf-8') )

resp = http.request( 'HEAD', url )
print( resp.headers['Server'] )
print( resp.headers['Date'] )
print( resp.headers['Content-Type'] )
print( resp.headers['Last-Modified'] )

# Install python3-certifi to make this work

import certifi

url = 'https://httpbin.org/anything'
http = urllib3.PoolManager( ca_certs=certifi.where( ) )
resp = http.request( 'GET', url )
print( resp.status )

payload = { 'name': 'Peter', 'age': 23 }
url = 'https://httpbin.org/get'
req = http.request( 'GET', url, fields=payload )
print( req.data.decode( 'utf-8' ) )

url = 'https://httpbin.org/post'
req = http.request( 'POST', url, fields={ 'name': 'John Doe' } )
print( req.data.decode( 'utf-8' ) )

import json

payload = {'name': 'John Doe'}
encoded_data = json.dumps(payload).encode('utf-8')
resp = http.request(
     'POST',
     'https://httpbin.org/post',
     body=encoded_data,
     headers={ 'Content-Type': 'application/json' } )
data = json.loads( resp.data.decode( 'utf-8' ) )['json']
print( data )

url = 'http://webcode.me/favicon.ico'
req = http.request( 'GET', url )
with open( 'favicon.ico', 'wb' ) as f:
    f.write( req.data )

url = "https://docs.oracle.com/javase/specs/jls/se8/jls8.pdf"
local_filename = url.split('/')[-1]
http = urllib3.PoolManager( ca_certs=certifi.where() )
resp = http.request(
    'GET',
    url,
    preload_content=False )
with open( local_filename, 'wb' ) as f:
    for chunk in resp.stream( 1024 ):
        f.write( chunk )
resp.release_conn( )
    
url = 'https://httpbin.org/redirect-to?url=/'
resp = http.request( 'GET', url, redirect=True )
print( resp.status )
print( resp.geturl( ) )
print( resp.info( ) )

CC: (none) => tarazed25

Comment 12 Aurelien Oudelet 2021-01-25 15:11:00 CET 
You have tested it in Bug 27301 for same fix because of embedded one.
Great work.

So, validating.
Advisory pushed to SVN.

Keywords: Triaged => advisory, validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => ouaurelien, sysadmin-bugs

Comment 13 Mageia Robot 2021-01-25 16:27:06 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0055.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 14 Len Lawrence 2021-01-25 17:37:40 CET 
Created attachment 12259 [details]
Tests urllib3 module with a few simple examples

$ python3 tutorial.py
See session file for sample output.
Comment 15 Len Lawrence 2021-01-25 17:39:29 CET 
Created attachment 12260 [details]
Output from running tutorial.py
Comment 16 David Walser 2021-02-05 23:55:06 CET 
Note that this is the same issue as CVE-2020-26116 in python itself (Bug 26268).