| Summary: | python-pip new security issue fixed upstream in 21.1 (CVE-2021-3572) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | bruno, jani.valimaa, mageia, ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.mageia.org/show_bug.cgi?id=29041 | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | python-pip-20.3.3-3.mga8.src.rpm | CVE: | CVE-2021-3572, CVE-2021-28363, CVE-2021-33503 |
| Status comment: | | | |
Description
David Walser
2021-05-29 01:13:28 CEST

David Walser
2021-05-29 01:13:47 CEST
Status comment: (none) => Fixed upstream in 21.1

Comment 1
To Python group; CC vicolas L, registered maintainer.
CC: (none) => mageia

Comment 2
Fedora has issued an advisory for this on May 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/

They also fixed CVE-2021-28363 in the bundled python-urllib3.

David Walser
2021-05-30 04:15:40 CEST
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=29041

Comment 3
Fedora has issued an advisory for the original issue on May 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3L3JUBMPJJ7WYXI6JHX6KKYPPX676PR6/

Comment 4
python-pip-21.1.1-1.mga9 uploaded for Cauldron by Jani.
CC: (none) => jani.valimaa

Comment 5
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Whiteboard: MGA7TOO => (none)

Comment 6
SUSE has issued an advisory for this today (July 13):
https://lists.suse.com/pipermail/sle-security-updates/2021-July/009129.html
Summary: python-pip new security issue fixed upstream in 21.1 => python-pip new security issue fixed upstream in 21.1 (CVE-2021-3572)

Comment 7
fixed in mga8:
src:
  - python-pip-20.3.3-3.1.mga8
Status comment: Fixed upstream in 21.1 => (none)

Comment 8
(In reply to David Walser from comment #2)
> Fedora has issued an advisory for this on May 24:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/
>
> They also fixed CVE-2021-28363 in the bundled python-urllib3.

It looks like this was forgotten.
Assignee: qa-bugs => python

Comment 9
fix pushed with CVE-2021-28363 included
src:
  - python-pip-20.3.3-3.2.mga8
Assignee: python => qa-bugs

Comment 10
Per bug 29041, I've also added the patch for CVE-2021-33503 in urllib3.

python-pip-wheel-20.3.3-3.3.mga8
python3-pip-20.3.3-3.3.mga8

from python-pip-20.3.3-3.3.mga8.src.rpm

Comment 11
mga8, x64

CVE-2021-3572 has been reserved for the issue. No PoC as yet.

From https://bugzilla.suse.com/show_bug.cgi?id=1186819
It was discovered that pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository.

Installed the updates.

Don't know any way to test this other than using pip. Correct me if that is wrong.

    $ sudo pip install pandas
    WARNING: Running pip install with root privileges is generally not a good idea. Try `pip install --user` instead.
    Collecting pandas
      Downloading pandas-1.3.0-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.whl (10.6 MB)
         |████████████████████████████████| 10.6 MB 2.9 MB/s
    Requirement already satisfied: pytz>=2017.3 in /usr/lib/python3.8/site-packages (from pandas) (2020.5)
    Requirement already satisfied: python-dateutil>=2.7.3 in /usr/lib/python3.8/site-packages (from pandas) (2.8.1)
    Requirement already satisfied: numpy>=1.17.3 in /usr/lib64/python3.8/site-packages (from pandas) (1.19.4)
    Requirement already satisfied: six>=1.5 in /usr/lib/python3.8/site-packages (from python-dateutil>=2.7.3->pandas) (1.15.0)
    Installing collected packages: pandas
    Successfully installed pandas-1.3.0

CC: (none) => tarazed25

Comment 12
Er, just noticed the advice to employ the --user option.

    $ pip install --user pandas
    Requirement already satisfied: pandas in /usr/local/lib64/python3.8/site-packages (1.3.0)
    Requirement already satisfied: pytz>=2017.3 in /usr/lib/python3.8/site-packages (from pandas) (2020.5)
    Requirement already satisfied: python-dateutil>=2.7.3 in /usr/lib/python3.8/site-packages (from pandas) (2.8.1)
    Requirement already satisfied: numpy>=1.17.3 in /usr/lib64/python3.8/site-packages (from pandas) (1.19.4)
    Requirement already satisfied: six>=1.5 in /usr/lib/python3.8/site-packages (from python-dateutil>=2.7.3->pandas) (1.15.0)

Comment 13
Advisory:
========================

Updated python-pip packages fix security vulnerabilities:

A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository (CVE-2021-3572).

The bundled python-urllib3 is also vulnerable to:

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted (CVE-2021-28363).

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect (CVE-2021-33503).

References:
- https://bugs.mageia.org/show_bug.cgi?id=29010
- https://bugs.mageia.org/show_bug.cgi?id=29041
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3572
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28363
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33503
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3L3JUBMPJJ7WYXI6JHX6KKYPPX676PR6/
- https://lists.suse.com/pipermail/sle-security-updates/2021-July/009129.html
========================

Updated packages in core/updates_testing:
========================

python-pip-wheel-20.3.3-3.3.mga8
python3-pip-20.3.3-3.3.mga8

from python-pip-20.3.3-3.3.mga8.src.rpm
CC: (none) => ouaurelien

Comment 14
(In reply to Aurelien Oudelet from comment #13)
> The bundled python-urllib3 is also vulnerable to:

You mean "was" not "is," let's not scare people :D

Comment 15
(In reply to David Walser from comment #14)
> (In reply to Aurelien Oudelet from comment #13)
> > The bundled python-urllib3 is also vulnerable to:
>
> You mean "was" not "is," let's not scare people :D

Oh yeah, agree!

Comment 16
Just to confirm that urllib3 works OK - ran the PoC for an earlier bug:
    $ python
    >>> import urllib
    >>> import http.client
    >>> conn = http.client.HTTPConnection('localhost',80)
    >>> conn.request(method="GET / HTTP/1.1\r\nHost: abc\r\nRemainder:", url="/index.html")
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/lib64/python3.8/http/client.py", line 1252, in request
        self._send_request(method, url, body, headers, encode_chunked)
      File "/usr/lib64/python3.8/http/client.py", line 1263, in _send_request
        self.putrequest(method, url, **skips)
      File "/usr/lib64/python3.8/http/client.py", line 1091, in putrequest
        self._validate_method(method)
      File "/usr/lib64/python3.8/http/client.py", line 1188, in _validate_method
        raise ValueError(
    ValueError: method can't contain control characters. 'GET / HTTP/1.1\r\nHost: abc\r\nRemainder:' (found at least '\r')

    $ pip install --user easygui
    Collecting easygui
      Downloading easygui-0.98.2-py2.py3-none-any.whl (92 kB)
         |████████████████████████████████| 92 kB 2.3 MB/s
    Installing collected packages: easygui
    Successfully installed easygui-0.98.2
    $ cd .local/lib/python3.8/site-packages/easygui
    $ python easygui.py

This launched the gui with a selection menu for graphical demos.
That all worked well.

python-pip looks OK for 64-bits.
Whiteboard: (none) => MGA8-64-OK

Comment 17
Validating.
    type: security
    subject: Updated python-pip packages fix security vulnerabilities
    CVE:
      - CVE-2021-3572
      - CVE-2021-28363
      - CVE-2021-33503
    src:
      8:
        core:
          - python-pip-20.3.3-3.3.mga8
    description: |
      A flaw was found in python-pip in the way it handled Unicode separators in git
      references. A remote attacker could possibly use this issue to install a
      different revision on a repository (CVE-2021-3572).

      The bundled python-urllib3 was also vulnerable to:

      The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate
      validation in some cases involving HTTPS to HTTPS proxies. The initial
      connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config)
      doesn't verify the hostname of the certificate. This means certificates for
      different servers that still validate properly with the default urllib3
      SSLContext will be silently accepted (CVE-2021-28363).

      An issue was discovered in urllib3 before 1.26.5. When provided with a URL
      containing many @ characters in the authority component, the authority regular
      expression exhibits catastrophic backtracking, causing a denial of service if
      a URL were passed as a parameter or redirected to via an HTTP redirect
      (CVE-2021-33503).
    references:
      - https://bugs.mageia.org/show_bug.cgi?id=29010
      - https://bugs.mageia.org/show_bug.cgi?id=29041
      - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/
      - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3L3JUBMPJJ7WYXI6JHX6KKYPPX676PR6/
      - https://lists.suse.com/pipermail/sle-security-updates/2021-July/009129.html

CVE: (none) => CVE-2021-3572, CVE-2021-28363, CVE-2021-33503

Comment 18
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0371.html
Status: NEW => RESOLVED
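Two checks a practitioner would want after applying this update, as an added example (this is not code from the Mageia bug, from pip, or from urllib3): a comparison of installed pip and bundled-urllib3 versions against the fixed upstream versions the advisory names (pip 21.1 for CVE-2021-3572, urllib3 1.26.4 for CVE-2021-28363, 1.26.5 for CVE-2021-33503), and a scan of a requirements file for the input shapes the advisory describes, a non-ASCII character in a git reference or several `@` characters in a URL authority. `FIXED_IN`, `audit_versions`, `flag_requirements` and the constructed `SAMPLE_REQUIREMENTS` are this example's own names, and `example.invalid` / `mirror.invalid` are placeholder hosts. One caveat that the thread itself illustrates: Mageia fixed all three CVEs by patching 20.3.3-3.3.mga8 rather than rebasing to 21.1, so a bare version check reports distro-patched packages as unfixed; for distribution packages, read the package changelog (`rpm -q --changelog python3-pip`) instead.

```python
"""Post-update checks for the python-pip advisory above (added example)."""
import re
from urllib.parse import urlsplit

# Fixed upstream versions as stated in the advisory: CVE -> (component, version).
FIXED_IN = {
    "CVE-2021-3572": ("pip", "21.1"),
    "CVE-2021-28363": ("urllib3", "1.26.4"),
    "CVE-2021-33503": ("urllib3", "1.26.5"),
}

_LEADING_DIGITS = re.compile(r"\d+")

# Constructed sample requirements file; the hosts are placeholders, not real repositories.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project's requirements file
requests==2.25.1
git+https://example.invalid/org/tool.git@v1.2.0#egg=tool
git+https://example.invalid/org/lib.git@v2.0-r\u00e9lease#egg=lib
-e git+https://user@mirror.invalid@example.invalid/org/x.git#egg=x
numpy>=1.17.3
"""


def parse_version(text):
    """'1.26.4rc1' -> (1, 26, 4).  The non-numeric tail is dropped, which is
    sufficient for the release versions compared here."""
    parts = []
    for component in text.strip().split("."):
        match = _LEADING_DIGITS.match(component)
        parts.append(int(match.group(0)) if match else 0)
    return tuple(parts)


def is_at_least(found, fixed):
    """True when version string `found` is at or above version string `fixed`."""
    return parse_version(found) >= parse_version(fixed)


def audit_versions(pip_version, urllib3_version):
    """CVE ids from FIXED_IN whose fixed version is newer than what is installed.
    Meaningful for upstream (PyPI) installs only: distro backports such as
    python-pip-20.3.3-3.3.mga8 keep the old version number."""
    installed = {"pip": pip_version, "urllib3": urllib3_version}
    return [cve for cve, (component, fixed) in FIXED_IN.items()
            if not is_at_least(installed[component], fixed)]


def flag_requirements(text):
    """(line_number, reason) for git+ requirement lines that carry the input
    shapes named in the advisory: a non-ASCII character in the reference
    (git refs and PEP 508 specifiers are normally pure ASCII), or more than
    one '@' in the URL authority."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("-e "):  # editable-install prefix
            line = line[3:].strip()
        if not line or line.startswith("#") or not line.lower().startswith("git+"):
            continue
        if any(ord(ch) > 0x7F for ch in line):
            findings.append((lineno, "non-ASCII character in git reference"))
        authority = urlsplit(line[len("git+"):]).netloc
        if authority.count("@") > 1:
            findings.append((lineno, "multiple '@' in URL authority"))
    return findings


def installed_versions():
    """pip and vendored urllib3 versions for this interpreter, or None when pip
    cannot be imported.  pip._vendor.urllib3 is where pip 20.x/21.x kept its
    bundled copy; other pip versions are assumed to do the same."""
    try:
        import pip
        from pip._vendor import urllib3
    except ImportError:
        return None
    return {"pip": pip.__version__, "urllib3": urllib3.__version__}


if __name__ == "__main__":
    versions = installed_versions()
    if versions is None:
        print("pip is not importable from this interpreter")
    else:
        unfixed = audit_versions(versions["pip"], versions["urllib3"])
        print(f"pip {versions['pip']} / vendored urllib3 {versions['urllib3']}: "
              + (", ".join(unfixed) if unfixed else "at or above the fixed versions"))
    for lineno, reason in flag_requirements(SAMPLE_REQUIREMENTS):
        print(f"requirements line {lineno}: {reason}")
```

On the sample file the scan flags line 4 (a non-ASCII character inside the `@ref` part) and line 5 (two `@` in the authority); the plain `git+` line and the PyPI specifiers pass. Both findings are review prompts rather than verdicts: the point is that such lines should never reach pip unexamined, whatever pip version is installed.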