Bug 28385

Summary: python-httplib2 security issue CVE-2021-21240
Product: Mageia Reporter: Zombie Ryushu <zombie_ryushu>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, mageia, ouaurelien, petlaw726, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://nvd.nist.gov/vuln/detail/CVE-2021-21240
Whiteboard: MGA7TOO MGA8-64-OK MGA7-64-OK
Source RPM: python-httplib2-0.18.1-1.mga8.src.rpm CVE: CVE-2021-21240
Status comment:

Description Zombie Ryushu 2021-02-20 09:18:43 CET 
httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.
Zombie Ryushu 2021-02-20 09:19:02 CET

CVE: (none) => CVE-2021-21240

Comment 1 Aurelien Oudelet 2021-02-20 13:19:24 CET 
Upstream advisory released on February 8th 2021:
https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m

Hi, thanks for reporting this.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => ouaurelien
Assignee: bugsquad => makowski.mageia
Keywords: (none) => Triaged
Severity: normal => major

Aurelien Oudelet 2021-02-20 13:19:54 CET

Keywords: Triaged => (none)
Whiteboard: (none) => MGA7TOO MGA8TOO

David Walser 2021-02-20 18:43:35 CET

Status comment: (none) => Fixed upstream in 0.19.0

Comment 2 Nicolas Lécureuil 2021-02-27 22:59:34 CET 
src:

     - python-httplib2-0.19.0-1.mga7
     - python-httplib2-0.19.0-1.mga8

Status comment: Fixed upstream in 0.19.0 => (none)
Assignee: makowski.mageia => qa-bugs
CC: (none) => mageia

Comment 3 David Walser 2021-02-27 23:47:23 CET 
RPMS list:
python-httplib2-0.19.0-1.mga7
python3-httplib2-0.19.0-1.mga7
python3-httplib2-0.19.0-1.mga8

Version: Cauldron => 8
Whiteboard: MGA7TOO MGA8TOO => MGA7TOO

Comment 4 Dave Hodgins 2021-02-28 00:30:42 CET 
# urpmi python-httplib2 python3-httplib2
Some requested packages cannot be installed:
python-httplib2-0.19.0-1.mga7.noarch (due to unsatisfied python2.7dist(pyparsing)[>= 2.4.2])
python3-httplib2-0.19.0-1.mga7.noarch (due to unsatisfied python3.7dist(pyparsing)[>= 2.4.2])

CC: (none) => davidwhodgins

Comment 5 Nicolas Lécureuil 2021-02-28 00:52:18 CET 
we need to make sure i can update it w/o breaking deps.

Can someone using a mga 7 can do urpmq --whatrequires python3-pyparsing for ex ?
Comment 6 Dave Hodgins 2021-02-28 01:22:34 CET 
$ urpmq --whatrequires python3-pyparsing|sort -u
certbot-nginx
dot2tex
mitmproxy
odoo11
python3-cliff
python3-configshell
python3-httplib2
python3-matplotlib
python3-oslo-utils
python3-packaging
python3-pydot
python3-pyparsing
python3-rdflib
python3-rustcfg
Comment 7 Dave Hodgins 2021-02-28 01:24:31 CET 
$ urpmq --whatrequires python2-pyparsing|sort -u
odoo
puddletag
python2-celery
python2-cliff
python2-cmd2
python2-configshell
python2-matplotlib
python2-oslo-utils
python2-packaging
python2-pydot
python2-pyparsing
python-httplib2
python-rdflib
wfuzz
Comment 8 David Walser 2021-03-03 01:21:29 CET 
Advisory:
========================

Updated python-httplib2 packages fix security vulnerability:

A malicious server which responds with long series of \xa0 characters in the
www-authenticate header may cause Denial of Service (CPU burn while parsing
header) of the httplib2 client accessing said server (CVE-2021-21240).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21240
https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m
Comment 9 Len Lawrence 2021-03-05 00:34:52 CET 
mga8, x64

Referring to bug 26750 for test script.
Before update:
$ python
Python 3.8.7 (default, Jan 24 2021, 11:10:31) 
[GCC 10.2.1 20210123] on linux
>>> import httplib2
>>> h = httplib2.Http('.cache')
>>> response, content = h.request('https://mageia.org', 'GET')
>>> print (dict(response.items()))
{'date': 'Thu, 04 Mar 2021 23:17:15 GMT', 'server': 'Apache/2.4.46 (Mageia) OpenSSL/1.1.0l mod_fcgid/2.3.9 PHP/7.3.27 mod_perl/2.0.10 Perl/v5.28.3', 'x-powered-by': 'PHP/7.3.27', 'transfer-encoding': 'chunked', 'content-type': 'text/html; charset=UTF-8', 'status': '200', 'content-location': 'https://www.mageia.org/en/'}
>>> exit()

Updated to python3-httplib2-0.19.0-1.mga8.

$ python
Python 3.8.7 (default, Jan 24 2021, 11:10:31) 
>>> import httplib2
>>> h = httplib2.Http('.cache')
>>> response, content = h.request('https://mageia.org', 'GET')
>>> print (dict(response.items()))
{'date': 'Thu, 04 Mar 2021 23:25:53 GMT', 'server': 'Apache/2.4.46 (Mageia) OpenSSL/1.1.0l mod_fcgid/2.3.9 PHP/7.3.27 mod_perl/2.0.10 Perl/v5.28.3', 'x-powered-by': 'PHP/7.3.27', 'transfer-encoding': 'chunked', 'content-type': 'text/html; charset=UTF-8', 'status': '200', 'content-location': 'https://www.mageia.org/en/'}
>>> exit()

Fair enough.

Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK
CC: (none) => tarazed25

Comment 10 Dave Hodgins 2021-03-05 01:54:03 CET 
Adding feedback tag due to
python-httplib2-0.19.0-1.mga7.noarch (due to unsatisfied python2.7dist(pyparsing)[>= 2.4.2])
python3-httplib2-0.19.0-1.mga7.noarch (due to unsatisfied python3.7dist(pyparsing)[>= 2.4.2])
and reassigning back to the maintainer.

Keywords: (none) => feedback
Assignee: qa-bugs => makowski.mageia
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA8-64-OK

David Walser 2021-03-05 04:08:07 CET

Assignee: makowski.mageia => python

Comment 12 Nicolas Lécureuil 2021-03-05 09:50:34 CET 
can someone under mageia 7 provide the packages requiring python2.7dist(pyparsing) and python3.7dist(pyparsing) ?
Comment 13 Dave Hodgins 2021-03-05 18:55:38 CET 
(In reply to Nicolas Lécureuil from comment #12)
> can someone under mageia 7 provide the packages requiring
> python2.7dist(pyparsing) and python3.7dist(pyparsing) ?

See comment 6 and comment 7
Comment 14 Nicolas Lécureuil 2021-03-05 21:10:28 CET 
(In reply to Dave Hodgins from comment #13)
> (In reply to Nicolas Lécureuil from comment #12)
> > can someone under mageia 7 provide the packages requiring
> > python2.7dist(pyparsing) and python3.7dist(pyparsing) ?
> 
> See comment 6 and comment 7

sorry, perfect :-)
Comment 15 Nicolas Lécureuil 2021-03-05 21:31:04 CET 
New rpm: python-pyparsing-2.4.2-1.mga7



RPMS list:
python-httplib2-0.19.0-1.mga7
python3-httplib2-0.19.0-1.mga7
python2-pyparsing-2.4.2-1.mga7
python3-pyparsing-2.4.2-1.mga7
python3-httplib2-0.19.0-1.mga8
Nicolas Lécureuil 2021-03-05 21:31:19 CET

Assignee: python => qa-bugs

David Walser 2021-03-05 21:40:50 CET

Keywords: feedback => (none)

Comment 16 Herman Viaene 2021-03-08 15:09:46 CET 
MGA7-64 MATE on Peaq C1011
No installation issues.
Ref bug 26750 Comment 5 using test files. Output is same as there.
OK

CC: (none) => herman.viaene
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA8-64-OK MGA7-64-OK

Comment 17 Thomas Andrews 2021-03-08 17:04:58 CET 
Validating. Advisory in Comment 8.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 18 Aurelien Oudelet 2021-03-11 22:28:58 CET 
Advisory committed to SVN.

Keywords: (none) => advisory

Comment 19 Mageia Robot 2021-03-12 02:27:31 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0122.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 20 Dave Hodgins 2021-03-12 17:30:03 CET 
*** Bug 28590 has been marked as a duplicate of this bug. ***

CC: (none) => petlaw726