Bug 23694 - python-requests new security issue CVE-2018-18074
Summary: python-requests new security issue CVE-2018-18074
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-15 22:23 CEST by David Walser
Modified: 2018-11-08 19:49 CET (History)
4 users (show)

See Also:
Source RPM: python-requests-2.19.1-2.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-10-15 22:23:15 CEST
Ubuntu has issued an advisory today (October 15):
https://usn.ubuntu.com/3790-1/
David Walser 2018-10-15 22:23:35 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-10-16 19:33:33 CEST
Assigning to the Python maintainers, CC'ing the registered maintainer.

CC: (none) => geiger.david68210, marja11
Assignee: bugsquad => python

Comment 2 David GEIGER 2018-10-16 21:58:57 CEST
Done for Cauldron and mga6!
Comment 3 David Walser 2018-10-17 20:20:59 CEST
Advisory:
========================

Updated python-requests packages fix security vulnerability:

It was discovered that Requests incorrectly handled certain HTTP headers. An
attacker could possibly use this issue to access sensitive information
(CVE-2018-18074).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18074
https://usn.ubuntu.com/3790-1/
========================

Updated packages in core/updates_testing:
========================
python-requests-2.11.1-2.1.mga6
python3-requests-2.11.1-2.1.mga6

from python-requests-2.11.1-2.1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: python => qa-bugs

Comment 4 Herman Viaene 2018-10-25 17:13:50 CEST
Tried procedure as per bug 15496, but get stuck, and I don't speak python well:
$ python pyrequests_test1.py
Traceback (most recent call last):
  File "pyrequests_test1.py", line 1, in <module>
    import requests
  File "/usr/lib/python2.7/site-packages/requests/__init__.py", line 60, in <module>
    from .packages.urllib3.exceptions import DependencyWarning
  File "/usr/lib/python2.7/site-packages/requests/packages/__init__.py", line 29, in <module>
    import urllib3
  File "/usr/lib/python2.7/site-packages/urllib3/__init__.py", line 8, in <module>
    from .connectionpool import (
  File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 29, in <module>
    from .connection import (
  File "/usr/lib/python2.7/site-packages/urllib3/connection.py", line 39, in <module>
    from .util.ssl_ import (
  File "/usr/lib/python2.7/site-packages/urllib3/util/__init__.py", line 4, in <module>
    from .request import make_headers
  File "/usr/lib/python2.7/site-packages/urllib3/util/request.py", line 5, in <module>
    from ..exceptions import UnrewindableBodyError
ImportError: cannot import name UnrewindableBodyError

CC: (none) => herman.viaene

Comment 5 Len Lawrence 2018-10-25 22:08:10 CEST
@Herman re comment #4:

Just tried that script and it worked OK before the update.

$ python pyrequests_test1.py
[<Response [301]>]
https://github.com/
200
<RequestsCookieJar[<Cookie logged_in=no for .github.com/>, <Cookie _gh_sess=VEhZSDJ0VzdCTkVtVTF6dzNOR0cxemttUU83S2Z1Tk8wdXQvY1R6b0hLaFVubmd2UG00VkJ6Q1BZMjVkeUFmNnRnQXBsM2tGNjl4VExKV0MxN1ZDZ3ZBRy9ILzd4bW95N3JidU1jbGQwdDFTdno0RHNOYWdHNFFXZkI0d0I4MTcxYjNmcWxJSURQS0RvRy9sK0I0eEZ5ckxqS09YUytZeWpyZjJNQ2hKS1NBS0hWTncrWURXd2xYQnloSG9iSmlib3FVWXNnQThVbzFIa1lNTWVJeWQ0QT09LS1LdUpSQ2pmU2NLamxvSE5PemEwM2FBPT0%3D--d14c9e80dcc7c1bfc5cae20f977eddba79f0f48b for github.com/>, <Cookie has_recent_activity=1 for github.com/>]>

$ python3 py3requests_test2.py
[<Response [301]>]
https://github.com/
200
<RequestsCookieJar[<Cookie logged_in=no for .github.com/>, <Cookie _gh_sess=aU9TK1VHem5GREZQWHlhOUVmNWFpeWkxQjVSd1NOVDRFRU5WcDBEQ3A4ME1MRko5TUxtQ0t5ZHMxT1Y3Y29mWXIwdHN5bktLM0tMZGFyaGZ2SnRqR2pTUEhSQXI2WkU5OVZUaHpxZ05uOHR6VXUrcS9zWTlKNjhtenUvaGYwQlJwck1aam84WkwrMzRoZUZHNXJSVElvbzBBRlZTb3MxU1d6NnRVNUowTDlMNWhpYlJlNjlRQVQrWGszOHI0V2tIU21VaXJWZ1FnczFGWmZ5d0YwTE0xZz09LS1uNzJmcDFYY0VaUERiYjVyaUV0eFdBPT0%3D--2fe1ab0e70660d8b726e9c05f4ae49e557c8bf08 for github.com/>, <Cookie has_recent_activity=1 for github.com/>]>

As there is a possible PoC for the current update shall update later.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2018-10-25 22:33:29 CEST
Trying to make sense of the PoC at https://github.com/requests/requests/issues/4716 - unfamiliar territory.
It says to run a normal https server or netcat at localhost:8000.
No idea what a normal https server is and by 'netcat' I assume telnet.

$ telnet -S localhost:8000
Setting TOS to 0x0
telnet> 

The run an ssl https server with special properties at localhost:4443.
Copied the code to ssl_server.py
-------------------------------------------------------------------------
#!/bin/env python
import BaseHTTPServer
import ssl

class Handler(BaseHTTPServer.BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(302)
        self.send_header('Location', 'http://localhost:8000/')
        self.end_headers()
        self.wfile.write('')

httpd = BaseHTTPServer.HTTPServer(('localhost', 4443), Handler)
httpd.socket = ssl.wrap_socket (httpd.socket, server_side=True,
                                certfile='yourpemfile.pem')
httpd.serve_forever()
-------------------------------------------------------------------------
but do not know how to run it.  Tried:

$ ./ssl_server.py localhost:4443
Traceback (most recent call last):
  File "./ssl_server.py", line 14, in <module>
    certfile='yourpemfile.pem')
  File "/usr/lib64/python2.7/ssl.py", line 949, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib64/python2.7/ssl.py", line 560, in __init__
    self._context.load_cert_chain(certfile, keyfile)
IOError: [Errno 2] No such file or directory

So it needs a pemfile, whatever that is or something.  ??
Looks like this is going to take a while.
Comment 7 David Walser 2018-10-25 22:38:24 CEST
A pemfile is an SSL certificate, which any web server running https would have.
Comment 8 Len Lawrence 2018-10-25 22:41:18 CEST
Good to know, but where can I find such a certificate?
Comment 9 Len Lawrence 2018-10-25 22:48:27 CEST
locate yields 218 pem certificates on this sytem.  Guess it is a case of looking through all of them.
Comment 10 Len Lawrence 2018-10-25 22:49:47 CEST
Filtering on https reduces it to 32.
Comment 11 David Walser 2018-10-25 22:50:21 CEST
/etc/pki/tls, should be a certs and private directory with httpd.pem files containing the public and private certs.
Comment 12 Len Lawrence 2018-10-25 22:55:38 CEST
Yes, thanks.  Both do have httpd.pem.
Comment 13 Len Lawrence 2018-10-25 23:00:24 CEST
$ sudo ./ssl_server.py localhost:4443
Traceback (most recent call last):
  File "./ssl_server.py", line 14, in <module>
    certfile='/etc/pki/tls/private/httpd.pem')
  File "/usr/lib64/python2.7/ssl.py", line 949, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib64/python2.7/ssl.py", line 560, in __init__
    self._context.load_cert_chain(certfile, keyfile)
ssl.SSLError: [SSL] PEM lib (_ssl.c:2779)

It may be time to drop this.
Comment 14 David Walser 2018-10-25 23:16:44 CEST
Try the public cert, it should be that one.
Comment 15 Len Lawrence 2018-10-26 00:12:06 CEST
Tried the certs one but that failed also.  However, the tls directory contains a script for generating a pem file - tried that and ran the server command.
Don't know if sudo is necessary but the command does not fault:
$ sudo ./ssl_server.py localhost:4443

So, the server may be running.  Running out of time for testing this tonight.  There is python3 as well.

Request file is: 

import requests
requests.get('https://localhost:4443', auth=('hello', 'world'), verify=False)

Submitted it and received some output

[localhost:4443]
127.0.0.1 - - [25/Oct/2018 23:04:05] "GET / HTTP/1.1" 302 -

[terminal]
$ python request.py
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:841: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
Traceback (most recent call last):
  File "request.py", line 2, in <module>
    requests.get('https://localhost:4443', auth=('hello', 'world'), verify=False)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 70, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 475, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 617, in send
    history = [resp for resp in gen] if allow_redirects else []
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 177, in resolve_redirects
    **adapter_kwargs
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 596, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 487, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPConnectionPool(host='localhost', port=8000): Max retries exceeded with url: / (Caused by NewConnectionError('<requests.packages.urllib3.connection.HTTPConnection object at 0x7f5f44037b50>: Failed to establish a new connection: [Errno 111] Connection refused',))

Must have misunderstood.  Maybe this should have been sent via the telnet server - getting confused.
Comment 16 Len Lawrence 2018-10-26 07:17:17 CEST
Leaving the servers running all night was not a good idea.  It was dead in the morning.  Power cycled the monitor and the PC then went into the BIOS to boot the machine.  Restarted the servers on ports 8000 and 4443.  Changed the verify in the request line to True and tried again.

$ sudo python request.py
Traceback (most recent call last):
  File "request.py", line 2, in <module>
    requests.get('https://localhost:4443', auth=('hello', 'world'), verify=True)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 70, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 475, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 596, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)
Comment 17 David Walser 2018-11-08 19:49:57 CET
Fedora has issued an advisory for this on November 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ODR7ZTGPEISZ35PPEJLPU5CAE5D23CXV/

The issue is fixed upstream in 2.20.0.

Note You need to log in before you can comment on or make changes to this bug.