Bug 24640 - python new security issue CVE-2019-9636
Summary: python new security issue CVE-2019-9636
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2019-04-08 16:51 CEST by David Walser
Modified: 2019-04-11 00:08 CEST (History)
4 users (show)

See Also:
Source RPM: python-2.7.15-1.2.mga6.src.rpm
Status comment:


Description David Walser 2019-04-08 16:51:59 CEST
RedHat has issued an advisory today (April 8):

This issue also affects python3 (Bug 23664).

Mageia 6 is also affected.
David Walser 2019-04-08 16:52:05 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 David GEIGER 2019-04-08 17:14:08 CEST
Is this security issue fixed in latest python 2.7.16 release?

CC: (none) => geiger.david68210

Comment 2 David Walser 2019-04-08 17:27:37 CEST
No, 2.7.16 is also affected.  The RedHat bug has a link to an upstream patch (though that's probably for python3).  You should be able to get RedHat's patch for python at git.centos.org.  It would be worth also upgrading to 2.7.16 anyway.

Component: RPM Packages => Security
QA Contact: (none) => security

Comment 3 David Walser 2019-04-08 17:45:51 CEST
Well, it will be here, it hasn't been posted yet:
Comment 4 David GEIGER 2019-04-09 07:58:23 CEST
Fixed both mga6 and Cauldron!

Also for python3 from Cauldron, this is already fixed in latest 3.7.3 release.
So I still just check for python3 from mga6.
Comment 5 David GEIGER 2019-04-09 08:03:06 CEST
Also fixed in latest 3.5.7 release from mga6!
Comment 6 David Walser 2019-04-09 14:13:17 CEST
Thanks again David!


Updated python packages fixes security vulnerability:

A vulnerability was found in Python 2.x through 2.7.16. An improper Handling of
Unicode Encoding (with an incorrect netloc) during NFKC normalization could
lead to an Information Disclosure (credentials, cookies, etc. that are cached
against a given hostname) in the urllib.parse.urlsplit, urllib.parse.urlparse
components. A specially crafted URL could be incorrectly parsed to locate
cookies or authentication data and send that information to a different host
than when parsed correctly (CVE-2019-9636).


Updated packages in core/updates_testing:

from python-2.7.15-1.3.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Assignee: python => qa-bugs
Version: Cauldron => 6

Comment 7 Len Lawrence 2019-04-09 18:16:40 CEST
mga6, x86_64

Possible reproducer at https://bugs.python.org/issue36216
>>> u = "https://example.com\uFF03@bing.com"
>>> urlsplit(u).netloc.rpartition("@")[2]

>>> # Simulate
>>> u = "https://example.com\uFF03@bing.com".encode("idna").decode("ascii")
>>> urlsplit(u).netloc.rpartition("@")[2]

Tried that here:
$ python
>>> u = "https://example.com\uFF03@bing.com"
>>> urlsplit(u).netloc.rpartition("@")[2]
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
NameError: name 'urlsplit' is not defined
>>> exit()

All the listed packages are installed (before update) - maybe needing some other
package.  Seems that it might need /usr/lib/python2.7/urlparse.py.
The problem is I do not know how to include urlparse (not a python programmer).
>>> import urlparse
does not return an error but urlsplit is still not found.

In the end I wrote scripts including the urlparse code at

In both cases, running the scripts returned "bing" which might imply that the
vulnerability had already been patched but upstream tests returned "bing" for test 1 and
"example" for test 2.

$ ll /usr/lib64/python2.7/urlparse.py
-rw-r--r-- 1 root root 15164 Feb 12 07:03 /usr/lib64/python2.7/urlparse.py

After updates.

$ ll /usr/lib64/python2.7/urlparse.py
-rw-r--r-- 1 root root 15829 Apr  9 06:38 /usr/lib64/python2.7/urlparse.py

Created two new scripts with the new urlparse.py code and the the two POC tests.

testa.py >>
u = "https://example.com\uFF03@bing.com"
print( urlsplit(u).netloc.rpartition("@")[2] )

testb.py >>
v = "https://example.com\uFF03@bing.com".encode("idna").decode("ascii")
print( urlsplit(v).netloc.rpartition("@")[2] )

$ python testa.py
$ python testb.py

which I think is innocuous.

Upstream tests showed something like this:
netloc 'example.com#@bing.com' contains invalid characters under NFKC normalization

CC: (none) => tarazed25

Comment 8 Len Lawrence 2019-04-09 19:26:14 CEST
Installed zim and ran it under strace to create a notebook, save and edit it.  The trace
showed various python2.7 search and open operations and also many misses, which is par
for the course.

Ran the game unknown-horizons in tutorial mode for a while then examined the trace, filtering out most of the search failures.
Lots of python references again.

Traced a calibre session, adding a couple of books to the library.  Many references to
python in the trace.

python2.7 still in good shape.

Whiteboard: (none) => MGA6-64-OK

Comment 9 Dave Hodgins 2019-04-10 23:03:57 CEST
Advisory committed to svn. Validating based on comment 8.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 10 Mageia Robot 2019-04-11 00:08:32 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.