Debian-LTS has issued an advisory on September 11: https://www.debian.org/lts/security/2020/dla-2370 The issue is fixed upstream in 19.2.
No obvious maintainer, so assigning this globally.
Assignee: bugsquad => pkg-bugs
Assignee: pkg-bugs => python
openSUSE has issued an advisory for this on October 4: https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.html See also Bug 27407.
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=27407
RedHat has issued an advisory for this today (October 20): https://access.redhat.com/errata/RHSA-2020:4273
Ubuntu has issued an advisory for this on October 22: https://ubuntu.com/security/notices/USN-4601-1
RedHat has issued an advisory for this on November 3: https://access.redhat.com/errata/RHSA-2020:4432
Fixed in pypa-pip-issue-6413-fix.patch in openSUSE: https://build.opensuse.org/package/show/openSUSE:Leap:15.2:Update/python-pip
Status comment: (none) => Patch available from openSUSE
SUSE fix applied to our package. Update on its way to updates_testing for mga7.
Status: NEW => ASSIGNED
CC: (none) => bruno
Assignee: python => qa-bugs
What about CVE-2020-26137 (Bug 27407)? It doesn't look to be covered by the added patch.
Status comment: Patch available from openSUSE => CVE-2020-26137 to be addressed
Keywords: (none) => feedback
CVE-2020-26137 is now managed through the additional patch you mentioned, David. Update in progress (python-pip-19.0.3-1.3.mga7).
Keywords: feedback => (none)
Blocks: (none) => 27407
Advisory:
========================
Updated python-pip packages fix security vulnerabilities:

It was discovered that pip did not properly sanitize the filename during pip install. A remote attacker could possibly use this issue to read and write arbitrary files on the host filesystem as root, resulting in a directory traversal attack (CVE-2019-20916).

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). The python-pip package bundles a copy of python-urllib3, which was affected by this issue. The bundled copy was patched to fix the issue (CVE-2020-26137).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-20916
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137
https://ubuntu.com/security/notices/USN-4601-1
https://ubuntu.com/security/notices/USN-4570-1
https://bugs.mageia.org/show_bug.cgi?id=27301
https://bugs.mageia.org/show_bug.cgi?id=27407
========================
Updated packages in core/updates_testing:
========================
python2-pip-19.0.3-1.3.mga7
python3-pip-19.0.3-1.3.mga7
python-pip-wheel-19.0.3-1.3.mga7

from python-pip-19.0.3-1.3.mga7.src.rpm
Status comment: CVE-2020-26137 to be addressed => (none)
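The filename handling the advisory describes for CVE-2019-20916, as an added illustration that is not pip's own fix and not part of this bug report: a download-name sanitiser that keeps only the last path component of a server-supplied Content-Disposition filename, and a containment check that confirms the resulting path stays under the download directory. The header values are constructed, only the plain filename= parameter is parsed (the RFC 5987 filename*= form is not handled), and all function names are my own.

```python
import os
import posixpath
import re

# Constructed sample Content-Disposition headers, as a package index could send
# them when pip downloads an archive. The traversal shapes are illustrations of
# the bug class the advisory names, not real packages or real paths.
SAMPLE_HEADERS = [
    "attachment; filename=easygui-0.98.1-py2.py3-none-any.whl",
    "attachment; filename=../../../../tmp/outside.whl",
    'attachment; filename="..\\..\\tmp\\bad.whl"',
    "attachment; filename=..",
    "attachment",
]

# Matches the plain filename= parameter, quoted or bare (assumption: the
# RFC 5987 filename*= form is left unparsed and falls through to the fallback).
_FILENAME_RE = re.compile(r'filename=(?:"([^"]*)"|([^;\s]*))', re.IGNORECASE)


def parse_content_disposition_filename(header: str):
    """Return the raw filename parameter from a Content-Disposition value, or None."""
    match = _FILENAME_RE.search(header)
    if not match:
        return None
    value = match.group(1) if match.group(1) is not None else match.group(2)
    return value.strip() or None


def sanitize_filename(raw):
    """Reduce a server-supplied name to a single path component, or None if unusable.

    Both '/' and '\\' are treated as separators, so a name built for either
    platform cannot carry directory components into os.path.join().
    """
    if raw is None:
        return None
    name = posixpath.basename(raw.replace("\\", "/"))
    if name in ("", ".", ".."):
        return None
    # Control characters and DEL have no place in a file name written to disk.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        return None
    return name


def is_inside(dest_dir: str, path: str) -> bool:
    """True if path (absolute) lies within dest_dir (absolute)."""
    return os.path.commonpath([dest_dir, path]) == dest_dir


def safe_download_path(dest_dir: str, header: str, fallback: str) -> str:
    """Compute where a download may be written, using the header name only if it is safe.

    'fallback' stands for the name derived from the download URL; the final
    containment check is defence in depth against any gap in the sanitiser.
    """
    name = sanitize_filename(parse_content_disposition_filename(header)) or fallback
    dest_dir = os.path.abspath(dest_dir)
    path = os.path.abspath(os.path.join(dest_dir, name))
    if not is_inside(dest_dir, path):
        raise ValueError(f"refusing to write outside {dest_dir}: {path}")
    return path


def sanitized_sample_names():
    """Run every constructed header through the sanitiser."""
    return [sanitize_filename(parse_content_disposition_filename(h)) for h in SAMPLE_HEADERS]


if __name__ == "__main__":
    for header, name in zip(SAMPLE_HEADERS, sanitized_sample_names()):
        print(f"{header!r:60} -> {name!r}")
```

The sanitiser alone already prevents escape from the destination directory; the is_inside() check exists so that a future change to name handling (for example, adding filename*= support) cannot silently reopen the traversal.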
mga7, x64 CVE-2020-26137 There is something at https://bugs.python.org/issue39603 which might be usable for a PoC but it requires knowledge of python modules and how to import them or facility with GET at the cli, both of which are beyond my scope. It involves manipulating an HTTP connection request for localhost:80.
CC: (none) => tarazed25
CVE-2020-20916 and CVE-2020-26137
https://bugs.python.org/issue39603
Thanks to Martin Whitaker and papoteur for help with the code snippet.

$ python
>>> import urllib3
>>> import http.client
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: No module named http.client
>>>
$ python3
>>> import urllib3
>>> import http.client
>>> conn = http.client.HTTPConnection('localhost',80)
>>> conn.request(method="GET / HTTP/1.1\r\nHost: abc\r\nRemainder:", url="/index.html")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.7/http/client.py", line 1277, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.7/http/client.py", line 1288, in _send_request
    self.putrequest(method, url, **skips)
  File "/usr/lib64/python3.7/http/client.py", line 1116, in putrequest
    self._validate_method(method)
  File "/usr/lib64/python3.7/http/client.py", line 1214, in _validate_method
    f"method can't contain control characters. {method!r} "
ValueError: method can't contain control characters. 'GET / HTTP/1.1\r\nHost: abc\r\nRemainder:' (found at least '\r')
>>> exit()

That shows that the issue had already been addressed for python3 in the release version. python2 test cannot be executed.

Updated the three packages and pulled in python2-urllib3. Ran the PoC again. It failed for python2 and returned the same result as before for python3, which again confirms that the issue has been tackled successfully, at least for python3. This tester does not have the skills to analyze the failure of the python2 test to even start.
$ pip install --user easygui
Collecting easygui
  Downloading https://files.pythonhosted.org/packages/89/b5/fd22bb3eb36085aeb7781670bbc59cf8b641b1774f77578ec06368865aa3/easygui-0.98.1-py2.py3-none-any.whl (90kB)
    100% |████████████████████████████████| 92kB 1.9MB/s
Installing collected packages: easygui
Successfully installed easygui-0.98.1
$ sudo updatedb
$ locate easygui
/home/lcl/.local/lib/python3.7/site-packages/easygui
/home/lcl/.local/lib/python3.7/site-packages/easygui-0.98.1.dist-info
/home/lcl/.local/lib/python3.7/site-packages/easygui/__init__.py
/home/lcl/.local/lib/python3.7/site-packages/easygui/__pycache__
/home/lcl/.local/lib/python3.7/site-packages/easygui/boxes
....
$ cd .local/lib/python3.7/site-packages
$ ls
blosc/  blosc-1.10.2.dist-info/  easygui/  easygui-0.98.1.dist-info/
$ ls easygui
boxes/  __init__.py  python_and_check_logo.gif  python_and_check_logo.png
easygui.py  __pycache__/  python_and_check_logo.jpg  zzzzz.gif
$ cd easygui
$ python3 easygui.py
<This invokes the gui box selector and indicates that Tk is the graphics toolkit.>

Selection works. Other modules can be installed from https://pypi.org/

One successful installation plus a good result from the PoC test.
Whiteboard: (none) => MGA7-64-OK
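As an added example (not from the bug report, pip or urllib3): the class of check the traceback above shows http.client applying, written out as a small wrapper that rejects control characters in the method and URL before a request line is built, plus an offline probe that asks the installed http.client whether it refuses the same injected method. The injected method string is copied from the PoC; the helper names are my own.

```python
import http.client
import re

# Constructed input: the same CRLF-carrying method string used in the PoC above.
INJECTED_METHOD = "GET / HTTP/1.1\r\nHost: abc\r\nRemainder:"

# ASCII control characters (CR and LF among them) and DEL: any of these in the
# request line can end it early or start a forged header. This mirrors the
# character class the stdlib's _validate_method rejects (assumption: stated as
# the class, not copied from CPython).
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def has_control_chars(value: str) -> bool:
    """True if value contains a character that could split the HTTP request line."""
    return _CONTROL_CHARS.search(value) is not None


def build_request_line(method: str, url: str) -> str:
    """Build 'METHOD URL HTTP/1.1' only after both parts pass the control-character check."""
    for field, value in (("method", method), ("url", url)):
        if has_control_chars(value):
            raise ValueError(f"{field} can't contain control characters: {value!r}")
    return f"{method} {url} HTTP/1.1\r\n"


def request_line_rejected(method: str, url: str) -> bool:
    """Predicate form of build_request_line: does it refuse this method/url pair?"""
    try:
        build_request_line(method, url)
    except ValueError:
        return True
    return False


def stdlib_rejects_method(method: str) -> bool:
    """True if the installed http.client refuses the method inside putrequest().

    No socket is opened: putrequest() only buffers the request line, so this is
    a safe offline probe for the fix from https://bugs.python.org/issue39603.
    An interpreter without that fix would return False here.
    """
    conn = http.client.HTTPConnection("localhost", 80)
    try:
        conn.putrequest(method, "/index.html")
    except ValueError:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    print("wrapper rejects injected method:  ", request_line_rejected(INJECTED_METHOD, "/index.html"))
    print("installed http.client rejects it:", stdlib_rejects_method(INJECTED_METHOD))
    print("clean request line:", build_request_line("GET", "/index.html").encode())
```

The probe is the part worth keeping around: run against each interpreter a package bundles or depends on, it answers the "is the fix present here" question the tester above could only settle for python3.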
Good work, Len! And another thank you from me for MartinW and papoteur, as well! Validating. Advisory in Comment 10.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Great work. Advisory pushed to SVN.
CC: (none) => ouaurelien
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0054.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED