Bug 29010 - python-pip new security issue fixed upstream in 21.1 (CVE-2021-3572)
Summary: python-pip new security issue fixed upstream in 21.1 (CVE-2021-3572)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-29 01:13 CEST by David Walser
Modified: 2021-07-25 16:46 CEST

See Also:
Source RPM: python-pip-20.3.3-3.mga8.src.rpm
CVE: CVE-2021-3572, CVE-2021-28363, CVE-2021-33503
Status comment:

Description David Walser 2021-05-29 01:13:28 CEST
Ubuntu has issued an advisory on May 19:
https://ubuntu.com/security/notices/USN-4961-1

The issue is fixed upstream in 21.1.

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-05-29 01:13:47 CEST

Status comment: (none) => Fixed upstream in 21.1
Whiteboard: (none) => MGA8TOO, MGA7TOO
CC: (none) => bruno

Comment 1 Lewis Smith 2021-05-29 20:39:44 CEST
To Python group; CC Nicolas L, registered maintainer.

CC: (none) => mageia
Assignee: bugsquad => python

Comment 2 David Walser 2021-05-30 04:11:42 CEST
Fedora has issued an advisory for this on May 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/

They also fixed CVE-2021-28363 in the bundled python-urllib3.
David Walser 2021-05-30 04:15:40 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=29041

Comment 3 David Walser 2021-05-30 04:30:11 CEST
Fedora has issued an advisory for the original issue on May 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3L3JUBMPJJ7WYXI6JHX6KKYPPX676PR6/
Comment 4 David Walser 2021-05-31 19:41:14 CEST
python-pip-21.1.1-1.mga9 uploaded for Cauldron by Jani.

CC: (none) => jani.valimaa
Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

Comment 5 David Walser 2021-07-01 18:54:46 CEST
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA7TOO => (none)

Comment 6 David Walser 2021-07-13 17:45:02 CEST
SUSE has issued an advisory for this today (July 13):
https://lists.suse.com/pipermail/sle-security-updates/2021-July/009129.html

Summary: python-pip new security issue fixed upstream in 21.1 => python-pip new security issue fixed upstream in 21.1 (CVE-2021-3572)

Comment 7 Nicolas Lécureuil 2021-07-23 01:03:52 CEST
fixed in mga8:

src:
    - python-pip-20.3.3-3.1.mga8

Status comment: Fixed upstream in 21.1 => (none)
Assignee: python => qa-bugs

Comment 8 David Walser 2021-07-23 01:19:59 CEST
(In reply to David Walser from comment #2)
> Fedora has issued an advisory for this on May 24:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/
> 
> They also fixed CVE-2021-28363 in the bundled python-urllib3.

It looks like this was forgotten.

Assignee: qa-bugs => python

Comment 9 Nicolas Lécureuil 2021-07-23 15:35:07 CEST
fix pushed with CVE-2021-28363 included

src:
    - python-pip-20.3.3-3.2.mga8

Assignee: python => qa-bugs

Comment 10 David Walser 2021-07-23 17:52:08 CEST
Per bug 29041, I've also added the patch for CVE-2021-33503 in urllib3.

python-pip-wheel-20.3.3-3.3.mga8
python3-pip-20.3.3-3.3.mga8

from python-pip-20.3.3-3.3.mga8.src.rpm
Comment 11 Len Lawrence 2021-07-23 19:38:41 CEST
mga8, x64

CVE-2021-3572 has been reserved for the issue.
No PoC as yet.
From https://bugzilla.suse.com/show_bug.cgi?id=1186819
It was discovered that pip incorrectly handled unicode separators in git
references. A remote attacker could possibly use this issue to install a
different revision on a repository.

Installed the updates.
Don't know any way to test this other than using pip. Correct me if that is wrong.

$ sudo pip install pandas
WARNING: Running pip install with root privileges is generally not a good idea. Try `pip install --user` instead.
Collecting pandas
  Downloading pandas-1.3.0-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.whl (10.6 MB)
     |████████████████████████████████| 10.6 MB 2.9 MB/s 
Requirement already satisfied: pytz>=2017.3 in /usr/lib/python3.8/site-packages (from pandas) (2020.5)
Requirement already satisfied: python-dateutil>=2.7.3 in /usr/lib/python3.8/site-packages (from pandas) (2.8.1)
Requirement already satisfied: numpy>=1.17.3 in /usr/lib64/python3.8/site-packages (from pandas) (1.19.4)
Requirement already satisfied: six>=1.5 in /usr/lib/python3.8/site-packages (from python-dateutil>=2.7.3->pandas) (1.15.0)
Installing collected packages: pandas
Successfully installed pandas-1.3.0

CC: (none) => tarazed25

Comment 12 Len Lawrence 2021-07-23 19:42:21 CEST
Er, just noticed the advice to employ the --user option.
$ pip install --user pandas
Requirement already satisfied: pandas in /usr/local/lib64/python3.8/site-packages (1.3.0)
Requirement already satisfied: pytz>=2017.3 in /usr/lib/python3.8/site-packages (from pandas) (2020.5)
Requirement already satisfied: python-dateutil>=2.7.3 in /usr/lib/python3.8/site-packages (from pandas) (2.8.1)
Requirement already satisfied: numpy>=1.17.3 in /usr/lib64/python3.8/site-packages (from pandas) (1.19.4)
Requirement already satisfied: six>=1.5 in /usr/lib/python3.8/site-packages (from python-dateutil>=2.7.3->pandas) (1.15.0)
Comment 13 Aurelien Oudelet 2021-07-23 22:44:58 CEST
Advisory:
========================

Updated python-pip package fix security vulnerabilities:

A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository (CVE-2021-3572).

The bundled python-urllib3 is also vulnerable to:

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted (CVE-2021-28363).

An issue was discovered in urllib3 before 1.26.5. When provided with a URL
containing many @ characters in the authority component, the authority regular
expression exhibits catastrophic backtracking, causing a denial of service if a
URL were passed as a parameter or redirected to via an HTTP redirect
(CVE-2021-33503).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29010
 - https://bugs.mageia.org/show_bug.cgi?id=29041
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3572
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28363
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33503
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3L3JUBMPJJ7WYXI6JHX6KKYPPX676PR6/
 - https://lists.suse.com/pipermail/sle-security-updates/2021-July/009129.html
========================

Updated packages in core/updates_testing:
========================
python-pip-wheel-20.3.3-3.3.mga8
python3-pip-20.3.3-3.3.mga8

from python-pip-20.3.3-3.3.mga8.src.rpm

CC: (none) => ouaurelien
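
An added example (not from this report and not pip's own code) of the bug class behind CVE-2021-3572, assuming, from the upstream 21.1 fix rather than from anything stated in this report, that pip parsed `git show-ref` output with str.splitlines() and str.split(): both also break on non-ASCII separators that git permits inside a ref name, so a constructed ref listing resolves a tag that git never tagged. The hardened parser beside it splits only on the separators git actually writes.

```python
"""Why Unicode separators matter when parsing git ref listings in Python.

Added example, not code from this report or from pip. Assumption (taken from
the upstream pip 21.1 fix, not from this report): pip split `git show-ref`
output with str.splitlines() and str.split(). Both also break on non-ASCII
separators such as U+2028 LINE SEPARATOR and U+00A0 NO-BREAK SPACE, which git
allows inside a ref name, while git itself writes only a newline between
lines and one ASCII space between sha and ref name.
"""
from typing import Callable, Dict, Optional

SHA_A = "a" * 40
SHA_B = "b" * 40

# Constructed `git show-ref` output: exactly two refs as git sees them. The
# second ref's *name* contains U+2028 and U+00A0; no refs/tags/v2.0 exists.
SAMPLE_SHOW_REF = (
    f"{SHA_A} refs/tags/v1.0\n"
    f"{SHA_B} refs/tags/v1.1\u2028{SHA_A}\u00a0refs/tags/v2.0\n"
)


def parse_refs_unsafe(output: str) -> Dict[str, str]:
    """Vulnerable form: splitlines()/split() honour Unicode separators,
    so the second git line is read as two entries."""
    refs: Dict[str, str] = {}
    for line in output.strip().splitlines():
        ref_sha, ref_name = line.split()
        refs[ref_name] = ref_sha
    return refs


def parse_refs_safe(output: str) -> Dict[str, str]:
    """Hardened form: split only on the separators git actually writes."""
    refs: Dict[str, str] = {}
    for line in output.strip().split("\n"):
        line = line.rstrip("\r")
        if not line:
            continue
        ref_sha, ref_name = line.split(" ", 1)
        refs[ref_name] = ref_sha
    return refs


def resolve_tag(output: str, tag: str,
                parser: Callable[[str], Dict[str, str]]) -> Optional[str]:
    """Return the sha a parser would install for `tag`, or None if unknown."""
    return parser(output).get(f"refs/tags/{tag}")
```

With the sample listing, `resolve_tag(SAMPLE_SHOW_REF, "v2.0", parse_refs_unsafe)` returns SHA_A while the hardened parser returns None, which is the "install a different revision" outcome the advisory describes.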

Comment 14 David Walser 2021-07-23 23:24:42 CEST
(In reply to Aurelien Oudelet from comment #13)
> The bundled python-urllib3 is also vulnerable to:

You mean "was" not "is," let's not scare people :D
Comment 15 Aurelien Oudelet 2021-07-23 23:27:20 CEST
(In reply to David Walser from comment #14)
> (In reply to Aurelien Oudelet from comment #13)
> > The bundled python-urllib3 is also vulnerable to:
> 
> You mean "was" not "is," let's not scare people :D

Oh yeah, agree!
Comment 16 Len Lawrence 2021-07-24 00:38:14 CEST
Just to confirm that urllib3 works OK - ran the PoC for an earlier bug:
$ python
>>> import urllib
>>> import http.client
>>> conn = http.client.HTTPConnection('localhost',80)
>>> conn.request(method="GET / HTTP/1.1\r\nHost: abc\r\nRemainder:", url="/index.html")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.8/http/client.py", line 1252, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.8/http/client.py", line 1263, in _send_request
    self.putrequest(method, url, **skips)
  File "/usr/lib64/python3.8/http/client.py", line 1091, in putrequest
    self._validate_method(method)
  File "/usr/lib64/python3.8/http/client.py", line 1188, in _validate_method
    raise ValueError(
ValueError: method can't contain control characters. 'GET / HTTP/1.1\r\nHost: abc\r\nRemainder:' (found at least '\r')

$ pip install --user easygui
Collecting easygui
  Downloading easygui-0.98.2-py2.py3-none-any.whl (92 kB)
     |████████████████████████████████| 92 kB 2.3 MB/s 
Installing collected packages: easygui
Successfully installed easygui-0.98.2

$ cd .local/lib/python3.8/site-packages/easygui
$ python easygui.py
This launched the gui with a selection menu for graphical demos.
That all worked well.

python-pip looks OK for 64-bits.

Whiteboard: (none) => MGA8-64-OK

Comment 17 Aurelien Oudelet 2021-07-25 12:44:06 CEST
Validating.

type: security
subject: Updated python-pip packages fix security vulnerabilities
CVE:
 - CVE-2021-3572
 - CVE-2021-28363
 - CVE-2021-33503
src:
  8:
   core:
     - python-pip-20.3.3-3.3.mga8
description: |
  A flaw was found in python-pip in the way it handled Unicode separators in git
  references. A remote attacker could possibly use this issue to install a
  different revision on a repository (CVE-2021-3572).
  
  The bundled python-urllib3 was also vulnerable to:
  The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate
  validation in some cases involving HTTPS to HTTPS proxies. The initial
  connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config)
  doesn't verify the hostname of the certificate. This means certificates for
  different servers that still validate properly with the default urllib3
  SSLContext will be silently accepted (CVE-2021-28363).
  
  An issue was discovered in urllib3 before 1.26.5. When provided with a URL
  containing many @ characters in the authority component, the authority regular
  expression exhibits catastrophic backtracking, causing a denial of service if
  a URL were passed as a parameter or redirected to via an HTTP redirect
  (CVE-2021-33503).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=29010
 - https://bugs.mageia.org/show_bug.cgi?id=29041
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3L3JUBMPJJ7WYXI6JHX6KKYPPX676PR6/
 - https://lists.suse.com/pipermail/sle-security-updates/2021-July/009129.html

CVE: (none) => CVE-2021-3572, CVE-2021-28363, CVE-2021-33503
Keywords: (none) => advisory, validated_update
Source RPM: python-pip-20.3.3-5.mga9.src.rpm => python-pip-20.3.3-3.mga8.src.rpm
CC: (none) => sysadmin-bugs

Comment 18 Mageia Robot 2021-07-25 16:46:21 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0371.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
