Bug 27301 - python-pip new security issue CVE-2020-20916
Summary: python-pip new security issue CVE-2020-20916
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 27407
  Show dependency treegraph
Reported: 2020-09-22 19:43 CEST by David Walser
Modified: 2021-01-25 16:27 CET (History)
5 users (show)

See Also:
Source RPM: python-pip-19.0.3-1.1.mga7.src.rpm
Status comment:


Description David Walser 2020-09-22 19:43:34 CEST
Debian-LTS has issued an advisory on September 11:

The issue is fixed upstream in 19.2.
Comment 1 Lewis Smith 2020-09-22 20:52:54 CEST
No obvious maintainer, so assigning this globally.

Assignee: bugsquad => pkg-bugs

David Walser 2020-09-22 21:39:04 CEST

Assignee: pkg-bugs => python

Comment 2 David Walser 2020-10-13 19:43:35 CEST
openSUSE has issued an advisory for this on October 4:

See also Bug 27407.

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=27407

Comment 3 David Walser 2020-10-20 20:11:32 CEST
RedHat has issued an advisory for this today (October 20):
Comment 4 David Walser 2020-10-29 17:00:33 CET
Ubuntu has issued an advisory for this on October 22:
Comment 5 David Walser 2020-11-04 15:06:42 CET
RedHat has issued an advisory for this on November 3:
Comment 6 David Walser 2020-12-28 18:52:16 CET
Fixed in pypa-pip-issue-6413-fix.patch in openSUSE:

Status comment: (none) => Patch available from openSUSE

Comment 7 Bruno Cornec 2021-01-05 00:40:39 CET
SUSE fix applied to our package. Update on its way to updates_testig for mga7.

CC: (none) => bruno
Assignee: python => qa-bugs

Comment 8 David Walser 2021-01-05 00:47:49 CET
What about CVE-2020-26137 (Bug 27407)?  It doesn't look to be covered by the added patch.

Status comment: Patch available from openSUSE => CVE-2020-26137 to be addressed
Keywords: (none) => feedback

Comment 9 Bruno Cornec 2021-01-05 14:59:03 CET
CVE-2020-26137 is now managed through the additional patch you mentioned David. update in progress (python-pip-19.0.3-1.3.mga7)

Keywords: feedback => (none)

David Walser 2021-01-05 15:20:45 CET

Blocks: (none) => 27407

Comment 10 David Walser 2021-01-05 15:26:28 CET

Updated python-pip packages fix security vulnerabilities:

It was discovered that pip did not properly sanitize the filename during pip
install. A remote attacker could possible use this issue to read and write
arbitrary files on the host filesystem as root, resulting in a directory
traversal attack (CVE-2019-20916).

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP
request method, as demonstrated by inserting CR and LF control characters in
the first argument of putrequest(). The python-pip package bundles a copy of
python-urllib3, which was affected by this issue.  The bundled copy was
patched to fix the issue (CVE-2020-26137).


Updated packages in core/updates_testing:

from python-pip-19.0.3-1.3.mga7.src.rpm

Status comment: CVE-2020-26137 to be addressed => (none)

Comment 11 Len Lawrence 2021-01-22 12:29:59 CET
mga7, x64

There is something at https://bugs.python.org/issue39603 which might be usable for a PoC but it requires knowledge of python modules and how to import them or facility with GET at the cli, both of which are beyond my scope.
It involves manipulating an HTTP connection request for localhost:80.

CC: (none) => tarazed25

Comment 12 Len Lawrence 2021-01-23 02:09:26 CET
CVE-2020-20916 and CVE-2020-26137
Thanks to Martin Whitaker and papoteur for help with the code snippet.

$ python
>>> import urllib3
>>> import http.client
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: No module named http.client

$ python3
>>> import urllib3
>>> import http.client
>>> conn = http.client.HTTPConnection('localhost',80)
>>> conn.request(method="GET / HTTP/1.1\r\nHost: abc\r\nRemainder:", url="/index.html")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.7/http/client.py", line 1277, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.7/http/client.py", line 1288, in _send_request
    self.putrequest(method, url, **skips)
File "/usr/lib64/python3.7/http/client.py", line 1116, in putrequest
  File "/usr/lib64/python3.7/http/client.py", line 1214, in _validate_method
    f"method can't contain control characters. {method!r} "
ValueError: method can't contain control characters. 'GET / HTTP/1.1\r\nHost: abc\r\nRemainder:' (found at least '\r')
>>> exit()

That shows that the issue had already been addressed for python3 in the release version.  python2 test cannot be executed.

Updated the three packages and pulled in python2-urllib3.

Ran the PoC again.
It failed for python2 and returned the same result as before for python3 which again confirms that the issue has been tackled successfully, at least for python3.

This tester does not have the skills to analyze the failure of the python2 test to even start.
Comment 13 Len Lawrence 2021-01-23 11:40:49 CET
$ pip install --user easygui
Collecting easygui
  Downloading https://files.pythonhosted.org/packages/89/b5/fd22bb3eb36085aeb7781670bbc59cf8b641b1774f77578ec06368865aa3/easygui-0.98.1-py2.py3-none-any.whl (90kB)
    100% |████████████████████████████████| 92kB 1.9MB/s 
Installing collected packages: easygui
Successfully installed easygui-0.98.1

$ sudo updatedb
$ locate easygui

$ cd .local/lib/python3.7/site-packages
$ ls
blosc/  blosc-1.10.2.dist-info/  easygui/  easygui-0.98.1.dist-info/
 ls easygui
boxes/      __init__.py   python_and_check_logo.gif  python_and_check_logo.png
easygui.py  __pycache__/  python_and_check_logo.jpg  zzzzz.gif
$ cd easygui
$ python3 easygui.py
<This invokes the gui box selector and indicates that Tk is the graphics toolkit.>
Selection works.

Other modules can be installed from https://pypi.org/

One successful installation plus a good result from the PoC test.

Whiteboard: (none) => MGA7-64-OK

Comment 14 Thomas Andrews 2021-01-24 15:15:13 CET
Good work, Len! And another thank you from me for MartinW and papoteur, as well!

Validating. Advisory in Comment 10.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 15 Aurelien Oudelet 2021-01-25 15:06:38 CET
Great work.
Advisory pushed to SVN.

CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 16 Mageia Robot 2021-01-25 16:27:02 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.