RedHat has issued an advisory today (April 8): https://access.redhat.com/errata/RHSA-2019:0710 This issue also affects python3 (Bug 23664). Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Is this security issue fixed in latest python 2.7.16 release?
CC: (none) => geiger.david68210
No, 2.7.16 is also affected. The RedHat bug has a link to an upstream patch (though that's probably for python3). You should be able to get RedHat's patch for python at git.centos.org. It would be worth also upgrading to 2.7.16 anyway.
Component: RPM Packages => Security
QA Contact: (none) => security
Well, it will be here, it hasn't been posted yet: https://git.centos.org/summary/rpms!python.git
Fixed both mga6 and Cauldron! Also for python3 from Cauldron, this is already fixed in latest 3.7.3 release. So I still just check for python3 from mga6.
Also fixed in latest 3.5.7 release from mga6!
Thanks again David!

Advisory:
========================

Updated python packages fix security vulnerability:

A vulnerability was found in Python 2.x through 2.7.16. An improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization could lead to an Information Disclosure (credentials, cookies, etc. that are cached against a given hostname) in the urllib.parse.urlsplit, urllib.parse.urlparse components. A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly (CVE-2019-9636).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636
https://access.redhat.com/errata/RHSA-2019:0710
========================

Updated packages in core/updates_testing:
========================
python-2.7.15-1.3.mga6
libpython2.7-2.7.15-1.3.mga6
libpython2.7-stdlib-2.7.15-1.3.mga6
libpython2.7-testsuite-2.7.15-1.3.mga6
libpython-devel-2.7.15-1.3.mga6
python-docs-2.7.15-1.3.mga6
tkinter-2.7.15-1.3.mga6
tkinter-apps-2.7.15-1.3.mga6

from python-2.7.15-1.3.mga6.src.rpm
Whiteboard: MGA6TOO => (none)
Assignee: python => qa-bugs
Version: Cauldron => 6
CVE-2019-9636 mga6, x86_64

Possible reproducer at https://bugs.python.org/issue36216

>>> u = "https://example.com\uFF03@bing.com"
>>> urlsplit(u).netloc.rpartition("@")[2]
bing.com
>>> # Simulate
>>> u = "https://example.com\uFF03@bing.com".encode("idna").decode("ascii")
>>> urlsplit(u).netloc.rpartition("@")[2]
example.com

Tried that here:

$ python
>>> u = "https://example.com\uFF03@bing.com"
>>> urlsplit(u).netloc.rpartition("@")[2]
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
NameError: name 'urlsplit' is not defined
>>> exit()

All the listed packages are installed (before update) - maybe needing some other package. Seems that it might need /usr/lib/python2.7/urlparse.py. The problem is I do not know how to include urlparse (not a python programmer).

>>> import urlparse

does not return an error but urlsplit is still not found.

In the end I wrote scripts including the urlparse code at /usr/lib64/python2.7/urlparse.py. In both cases, running the scripts returned "bing", which might imply that the vulnerability had already been patched, but upstream tests returned "bing" for test 1 and "example" for test 2.

$ ll /usr/lib64/python2.7/urlparse.py
-rw-r--r-- 1 root root 15164 Feb 12 07:03 /usr/lib64/python2.7/urlparse.py

After updates:

$ ll /usr/lib64/python2.7/urlparse.py
-rw-r--r-- 1 root root 15829 Apr 9 06:38 /usr/lib64/python2.7/urlparse.py

Created two new scripts with the new urlparse.py code and the two POC tests.

testa.py >>
u = "https://example.com\uFF03@bing.com"
print( urlsplit(u).netloc.rpartition("@")[2] )

testb.py >>
v = "https://example.com\uFF03@bing.com".encode("idna").decode("ascii")
print( urlsplit(v).netloc.rpartition("@")[2] )

$ python testa.py
bing.com
$ python testb.py
bing.com

which I think is innocuous. Upstream tests showed something like this:

netloc 'example.com#@bing.com' contains invalid characters under NFKC normalization
CC: (none) => tarazed25
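The following is an added example, not code from this bug, from the Mageia packages or from CPython. It illustrates the condition the advisory above describes and the reproducer quoted in the previous comment: the host an unpatched urlsplit() extracts from the crafted URL versus the host that results once the netloc is NFKC-normalized (IDNA resolution uses NFKC equivalence, so U+FF03 becomes '#'). The function and variable names are the example's own; check_netloc_nfkc() re-implements, for illustration, the kind of test the upstream CVE-2019-9636 fix performs inside urlsplit() (reject a non-ASCII netloc whose NFKC form gains one of '/?#@:'), so the behaviour can be examined on any Python 3 interpreter whether or not the fix is installed. Python 3 is used so that the \uFF03 escape is a real Unicode code point in the string literal.

```python
"""Check whether a URL's netloc changes meaning under NFKC normalization.

Added example for CVE-2019-9636; not code from the Mageia packages or CPython.
check_netloc_nfkc() re-implements, for illustration, the kind of test the
upstream fix performs inside urlsplit(), so it runs on any Python 3.
"""
import unicodedata
from urllib.parse import urlsplit

# Characters that re-delimit a URL if NFKC normalization produces them.
NETLOC_DELIMITERS = "/?#@:"


def raw_netloc(url):
    """Netloc as an unpatched parser sees it: the text after 'scheme://'
    up to the first '/', '?' or '#' of the un-normalized string."""
    if "://" not in url:
        return ""
    rest = url.split("://", 1)[1]
    end = len(rest)
    for delim in "/?#":
        pos = rest.find(delim)
        if pos != -1:
            end = min(end, pos)
    return rest[:end]


def host_of(netloc):
    """Host part of a netloc: drop userinfo before the last '@' and a ':port'."""
    return netloc.rpartition("@")[2].split(":")[0]


def check_netloc_nfkc(netloc):
    """True if the netloc is safe, False if NFKC normalization would introduce
    a delimiter that was not there before (the CVE-2019-9636 condition)."""
    if not netloc or all(ord(c) < 128 for c in netloc):
        return True  # pure ASCII cannot change under NFKC
    # Remove delimiters already present so only newly produced ones count.
    stripped = netloc
    for c in "@:#?":
        stripped = stripped.replace(c, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if stripped == normalized:
        return True
    return not any(c in normalized for c in NETLOC_DELIMITERS)


def analyze(url):
    """Compare the host an unpatched parser uses with the host that results
    after NFKC normalization, and report whether the check rejects the URL."""
    netloc = raw_netloc(url)
    host_as_parsed = host_of(netloc)
    host_after_nfkc = host_of(raw_netloc(unicodedata.normalize("NFKC", url)))
    return {
        "host_as_parsed": host_as_parsed,
        "host_after_nfkc": host_after_nfkc,
        "hosts_differ": host_as_parsed != host_after_nfkc,
        "rejected_by_check": not check_netloc_nfkc(netloc),
    }


def interpreter_urlsplit_rejects(url):
    """True if this interpreter's urlsplit() already refuses the URL with
    ValueError, i.e. the upstream fix or a backport of it is present."""
    try:
        urlsplit(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed input: the reproducer URL quoted in the bug.
    crafted = "https://example.com\uFF03@bing.com"
    print(analyze(crafted))
    print("urlsplit() rejects it on this interpreter:",
          interpreter_urlsplit_rejects(crafted))
```

On the crafted URL analyze() reports host_as_parsed 'bing.com' but host_after_nfkc 'example.com', and rejected_by_check True; a fullwidth letter in the host (for example U+FF45 for 'e') also changes under NFKC but introduces no delimiter, so it passes the check, which is the same distinction the upstream fix draws. interpreter_urlsplit_rejects() gives a quick way to tell whether the interpreter at hand carries the fix, which is what the tester above was trying to establish.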
Installed zim and ran it under strace to create a notebook, save and edit it. The trace showed various python2.7 search and open operations and also many misses, which is par for the course. Ran the game unknown-horizons in tutorial mode for a while then examined the trace, filtering out most of the search failures. Lots of python references again. Traced a calibre session, adding a couple of books to the library. Many references to python in the trace. python2.7 still in good shape.
Whiteboard: (none) => MGA6-64-OK
Advisory committed to svn. Validating based on comment 8.
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0148.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED