Bug 10055 - python-httplib2 new security issue CVE-2013-2037
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/550453/
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2...
Keywords: validated_update
Reported: 2013-05-10 18:54 CEST by David Walser
Modified: 2013-05-25 21:41 CEST (History)
Source RPM: python-httplib2-0.7.7-2.mga3.src.rpm
Description David Walser 2013-05-10 18:54:39 CEST
OpenSuSE has issued an advisory today (May 10):
http://lists.opensuse.org/opensuse-updates/2013-05/msg00018.html

The fix is attached to the upstream bug:
http://code.google.com/p/httplib2/issues/detail?id=282

It is currently checked into Mageia 2 and Cauldron SVN.

Freeze push for Cauldron requested.

Comment 1 David Walser 2013-05-11 20:18:42 CEST
Patched packages uploaded for Mageia 2 and Cauldron.

Patch added in Mageia 1 SVN.

Advisory:
========================

Updated python-httplib2 packages fix security vulnerability:

httplib2 only validates SSL certificates on the first request to a connection,
and doesn't report validation failures on subsequent requests (CVE-2013-2037).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2037
http://lists.opensuse.org/opensuse-updates/2013-05/msg00018.html
========================

Updated packages in core/updates_testing:
========================
python-httplib2-0.7.4-3.mga2
python3-httplib2-0.7.4-3.mga2

from python-httplib2-0.7.4-3.mga2.src.rpm
Comment 2 claire robinson 2013-05-22 19:22:09 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=6568#c6
Comment 3 claire robinson 2013-05-22 20:22:55 CEST
Possible problem with python3 but I'm fumbling in the dark a bit.

Testing using this saved as p3get.py

import httplib2
h = httplib2.Http('.cache')
response, content = h.request('http://mageia.org', 'GET')
print (dict(response.items()))

run as..

$ python3 p3get.py
{'status': '200', 'content-location': 'http://www.mageia.org/en/', 'x-powered-by': 'PHP/5.3.18', 'transfer-encoding': 'chunked', 'server': 'Apache/2.2.23 (Mageia/PREFORK-1.mga1)', 'date': 'Wed, 22 May 2013 18:11:37 GMT', 'content-type': 'text/html'}


It works ok with http but with https..

$ python3 p3get.py
Traceback (most recent call last):
  File "p3get.py", line 3, in <module>
    response, content = h.request('https://mageia.org', 'GET')
  File "/usr/lib/python3.2/site-packages/httplib2/__init__.py", line 1061, in request
    self.disable_ssl_certificate_validation)
  File "/usr/lib/python3.2/site-packages/httplib2/__init__.py", line 774, in __init__
    context.load_verify_locations(ca_certs)
IOError: [Errno 2] No such file or directory


The regular python-httplib2 works well with the script from the procedure in comment 2 so this is failing only with python3 and only https.

I found this http://code.google.com/p/httplib2/issues/detail?id=173 and added
h.disable_ssl_certificate_validation=True

$ python3 p3get.py
Traceback (most recent call last):
  File "p3get.py", line 4, in <module>
    response, content = h.request('https://mageia.org', 'GET')
  File "/usr/lib/python3.2/site-packages/httplib2/__init__.py", line 1061, in request
    self.disable_ssl_certificate_validation)
  File "/usr/lib/python3.2/site-packages/httplib2/__init__.py", line 777, in __init__
    check_hostname=True)
  File "/usr/lib/python3.2/http/client.py", line 1089, in __init__
    raise ValueError("check_hostname needs a SSL context with "
ValueError: check_hostname needs a SSL context with either CERT_OPTIONAL or CERT_REQUIRED


Seems the same problem mentioned there, with a potential fix.
Comment 5 David Walser 2013-05-22 20:31:25 CEST
Philippe, see Comment 3 and Comment 4.
Comment 6 Philippe Makowski 2013-05-23 18:08:34 CEST
OK, I see what the problem is, thanks.
Comment 7 Philippe Makowski 2013-05-23 23:27:06 CEST
Sorry for the problem, it should be ok now

Updated packages in core/updates_testing:
========================
python-httplib2-0.7.4-4.mga2
python3-httplib2-0.7.4-4.mga2
python-httplib2-0.7.7-4.mga3
python3-httplib2-0.7.7-4.mga3
Comment 8 claire robinson 2013-05-24 10:29:35 CEST
Thanks Philippe

Converted the bug for the extra updates for mga3.

Testing complete mga2 32 using the scripts below..

$ cat get.py
import httplib2
h = httplib2.Http(".cache")
resp, content = h.request("https://mageia.org/", "GET")
print resp
print content

Run with 'python get.py'

$ cat p3get.py
import httplib2
h = httplib2.Http('.cache')
response, content = h.request('https://mageia.org', 'GET')
print (dict(response.items()))

Run with 'python3 p3get.py'
Comment 9 claire robinson 2013-05-24 11:00:31 CEST
Testing complete mga2 64 and mga3 32 & 64

Validating

SRPMs:
python-httplib2-0.7.4-4.mga2.src.rpm
python-httplib2-0.7.7-4.mga3.src.rpm

Advisory in comment 1

Could sysadmin please push from core/updates_testing to core/updates for mga2 & 3

Thanks!
Comment 10 David Walser 2013-05-24 15:34:48 CEST
(In reply to claire robinson from comment #9)
> Testing complete mga2 64 and mga3 32 & 64
> 
> Validating
> 
> SRPMs:
> python-httplib2-0.7.4-4.mga2.src.rpm
> python-httplib2-0.7.7-4.mga3.src.rpm
> 
> Advisory in comment 1

Not quite, that advisory was only for the Mageia 2 update, which fixed a security issue that was already fixed upstream in the Cauldron version. We'll need an addendum to the advisory for the bugfix, which will also serve as a MGAA bugfix advisory for the Mageia 3 update.
Comment 11 claire robinson 2013-05-24 15:53:19 CEST
Philippe, could you add the necessary advisory please?
Comment 12 David Walser 2013-05-24 17:36:49 CEST
The newest python3 fix is re-fixing Bug 6568 for the python3 httplib2 package.

Philippe, it probably doesn't need to be corrected in updates immediately, as most systems probably already have rootcerts installed, but both of these packages should Requires: rootcerts.

Advisory (Mageia 2):
========================

Updated python-httplib2 packages fix security vulnerability:

httplib2 only validates SSL certificates on the first request to a connection,
and doesn't report validation failures on subsequent requests (CVE-2013-2037).

Additionally, the python3-httplib2 package has been fixed so that it will use
the system-wide Mozilla CA certificates from the rootcerts package.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2037
http://lists.opensuse.org/opensuse-updates/2013-05/msg00018.html
========================

Updated packages in core/updates_testing:
========================
python-httplib2-0.7.4-4.mga2
python3-httplib2-0.7.4-4.mga2

from python-httplib2-0.7.4-4.mga2.src.rpm

Advisory (Mageia 3):
========================

The python3-httplib2 package has been fixed so that it will use
the system-wide Mozilla CA certificates from the rootcerts package.

========================

Updated packages in core/updates_testing:
========================
python-httplib2-0.7.7-4.mga3
python3-httplib2-0.7.7-4.mga3

from python-httplib2-0.7.7-4.mga3.src.rpm
Comment 13 Thomas Backlund 2013-05-25 21:41:08 CEST
Mageia 2 update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0152

Mageia 3 update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGAA-2013-0025
