Bug 14130 - python-requests new security issues CVE-2014-1829 and CVE-2014-1830
Summary: python-requests new security issues CVE-2014-1829 and CVE-2014-1830
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/615624/
Whiteboard: has_procedure advisory mga4-32-ok mga...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-09-20 00:51 CEST by David Walser
Modified: 2014-10-09 18:34 CEST (History)
3 users (show)

See Also:
Source RPM: python-requests-2.0.0-4.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-09-20 00:51:44 CEST
A reminder was posted to oss-security of issues fixed in 2.3.0:
http://openwall.com/lists/oss-security/2014/09/19/1

We have 2.3.0 in Cauldron.  If I read the RedHat bug correctly, the problem was introduced in 2.0.0 (the version we have in Mageia 4), so Mageia 3 wouldn't be affected:
https://bugzilla.redhat.com/show_bug.cgi?id=1046626

Reproducible: 

Steps to Reproduce:
David Walser 2014-09-20 00:52:04 CEST

CC: (none) => makowski.mageia

Comment 1 David GEIGER 2014-10-07 17:26:59 CEST
Fixed and submitted for mga4 with the following packages in Core/Upodates_testing:

- python-requests-2.3.0-1.mga4.noarch
- python3-requests-2.3.0-1.mga4.noarch 
- python-requests-2.3.0-1.mga4.src.rpm
Comment 2 David Walser 2014-10-07 18:02:09 CEST
Thanks David!

Note the package list in Comment 1.  Also note the PoC in the Debian bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733108

Advisory:
========================

Updated python-requests packages fix security vulnerability:

Python-requests was found to have a vulnerability, where the attacker can
retrieve the passwords from ~/.netrc file through redirect requests, if the
user has their passwords stored in the ~/.netrc file (CVE-2014-1829).

It was discovered that the python-requests Proxy-Authorization header was
never re-evaluated when a redirect occurs. The Proxy-Authorization header
was sent to any new proxy or non-proxy destination as redirected
(CVE-2014-1830).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1830
https://bugzilla.redhat.com/show_bug.cgi?id=1046626
https://bugzilla.redhat.com/show_bug.cgi?id=1144907

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs

Comment 3 claire robinson 2014-10-09 11:20:35 CEST
Testing complete mga4 64

The PoC is python3 so testing python3-requests first.

Downloaded testhttpserver.py & testhttpclient.py and also the netrc file which is netrc.netrc.

Used two terminal tabs, one to run the server and another to test the client.

$ python3 testhttpserver.py 
Serving HTTP on 0.0.0.0 port 8000 ...

$ python3 testhttpclient.py 
host: 127.0.0.42:8000
auth: None

Moved/renamed netrc.netrc to ~/.netrc


Before
------
$ python3 testhttpclient.py 
host: 127.0.0.42:8000
auth: Basic ZWdnczpoYW0=

After
-----
$ python3 testhttpclient.py 
host: 127.0.0.42:8000
auth: None



python-requests:

$ python testhttpserver.py 
Traceback (most recent call last):
  File "testhttpserver.py", line 3, in <module>
    import http.server
ImportError: No module named http.server


So not able to use it without converting it and I don't have the python knowledge for that.

Testing instead with a previous test script which just fetches http from mageia.org.

$ cat test.py
import requests
r = requests.get('https://mageia.org')
print r.text


$ python test.py
<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Home of the Mageia project</title>
...etc

Whiteboard: (none) => has_procedure mga4-64-ok

Comment 4 claire robinson 2014-10-09 13:46:57 CEST
Testing complete mga4 32

Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok

Comment 5 claire robinson 2014-10-09 15:50:25 CEST
Validating. Advisory uploaded.

Could sysadmin please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2014-10-09 16:39:55 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0409.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-10-09 18:34:43 CEST

URL: (none) => http://lwn.net/Vulnerabilities/615624/


Note You need to log in before you can comment on or make changes to this bug.