Bug 30188 - httpie new security issue CVE-2022-24737
Summary: httpie new security issue CVE-2022-24737
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-03-18 03:49 CET by David Walser
Modified: 2023-06-15 09:28 CEST (History)
6 users

See Also:
Source RPM: httpie-2.6.0-2.mga9.src.rpm
CVE:
Status comment:


Description David Walser 2022-03-18 03:49:42 CET
Fedora has issued an advisory today (March 17):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/R5VYSYKEKVZEVEBIWAADGDXG4Y3EWCQ3/

The issue is fixed upstream in 3.1.0:
https://github.com/httpie/httpie/security/advisories/GHSA-9w4w-cpc8-h2fq

Mageia 8 is also affected.
David Walser 2022-03-18 03:49:53 CET

Status comment: (none) => Fixed upstream in 3.1.0
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-03-18 08:40:48 CET
Assigning this globally because different people have dealt with it.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Lécureuil 2022-03-19 15:08:53 CET
New version pushed in mga8/9:

src:
    - httpie-3.1.0-1.mga8

Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
CC: (none) => mageia
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 3.1.0 => (none)

Comment 3 sturmvogel 2022-03-19 16:09:41 CET
Hmmmm

Sorry, the following package cannot be selected:

- httpie-3.1.0-1.mga8.noarch (due to unsatisfied python3.8dist(charset-normalizer)[>= 2])
Comment 4 sturmvogel 2022-03-19 16:12:56 CET
Seems that python3-requests-2.25.1-1.mga8 and its deps also need an update then...
Comment 5 sturmvogel 2022-03-19 16:25:52 CET
...and/or python3-pygments-2.7.4-1.1.mga8
Comment 6 sturmvogel 2022-03-19 16:50:11 CET
There is something really strange. On cauldron httpie pulls completely different dependencies.

- httpie-3.1.0-1.mga9.noarch
- python3-defusedxml-0.7.1-2.mga9.noarch
- python3-multidict-6.0.2-1.mga9.x86_64 -> not installed on MGA8 with httpie-2
- python3-requests+security-2.27.1-1.mga9.noarch -> not installed on MGA8 with httpie-2
- python3-requests-toolbelt-0.9.1-6.mga9.noarch -> not installed on MGA8 with httpie-2
David Walser 2022-03-19 18:08:02 CET

Keywords: (none) => feedback

Comment 7 sturmvogel 2022-10-29 13:18:31 CEST
Wow...224 days later and still no progress and broken.

Under cauldron:
- httpie-3.2.1-1.mga9.noarch.rpm cannot be installed via MCC because of missing deps
- it can be installed via terminal as it asks there to choose between two meta/task packages


Under Mageia 8:
- httpie-3.1.0-1.mga8.noarch cannot be installed via MCC because of missing deps

[root@test ~]# LC_ALL=C urpmi httpie
A requested package cannot be installed:
httpie-3.1.0-1.mga8.noarch (due to unsatisfied python3.8dist(charset-normalizer)[>= 2])
Continue installation anyway? (Y/n) 


Is there still some life here?
sturmvogel 2022-10-29 13:23:57 CEST

Assignee: qa-bugs => pkg-bugs
Keywords: feedback => (none)

David Walser 2022-10-29 23:38:03 CEST

Status comment: (none) => Dependency problem in update candidate

Comment 8 David GEIGER 2023-06-03 07:43:39 CEST

New packages in 8/Core/Updates_testing:
=========================
python3-charset-normalizer-3.0.1-1.mga8.noarch.rpm


From SRPMS:
python-charset-normalizer-3.0.1-1.mga8.src.rpm

CC: (none) => geiger.david68210

Comment 9 David GEIGER 2023-06-03 07:44:07 CEST
Assigning to QA

Assignee: pkg-bugs => qa-bugs

David Walser 2023-06-03 18:58:18 CEST

Status comment: Dependency problem in update candidate => (none)

Comment 10 Herman Viaene 2023-06-05 09:37:32 CEST
What has to be tested now? Only python3-charset-normalizer-3.0.1-1.mga8.noarch.rpm, or that plus some version of httpie?

CC: (none) => herman.viaene

Comment 11 David Walser 2023-06-05 14:37:56 CEST
httpie, now that it's installable.
Comment 12 Herman Viaene 2023-06-06 10:47:20 CEST
Tried to install the httpie and the python mentioned above, drawing in another python package. That should be no problem, but ....
1 installation transactions failed

There was a problem during the installation:

python3.8dist(requests[socks]) >= 2.22 is needed by httpie-3.1.0-1.mga8.noarch
Comment 13 Thomas Andrews 2023-06-06 15:02:58 CEST
Confirmed in a VirtualBox mga8-64 Plasma guest where httpie was not previously installed. Using qarepo, I obtained the two packages from this update, then tried to install httpie:

The following 12 packages are going to be installed:

- httpie-3.1.0-1.mga8.noarch
- python3-cffi-1.14.4-1.mga8.x86_64
- python3-charset-normalizer-3.0.1-1.mga8.noarch
- python3-cryptography-3.3.1-1.1.mga8.x86_64
- python3-defusedxml-0.6.0-3.mga8.noarch
- python3-multidict-4.7.6-1.mga8.x86_64
- python3-OpenSSL-20.0.0-1.mga8.noarch
- python3-ply-3.11-5.mga8.noarch
- python3-pycparser-2.20-1.mga8.noarch
- python3-pygments-2.7.4-1.1.mga8.noarch
- python3-requests+security-2.25.1-1.mga8.noarch
- python3-requests-toolbelt-0.9.1-3.mga8.noarch

But the install failed with the same message that Herman saw.

CC: (none) => andrewsfarm

David Walser 2023-06-06 16:08:54 CEST

Keywords: (none) => feedback

Comment 14 David GEIGER 2023-06-08 02:42:08 CEST
Strange because the package python3-requests+socks is in mga8:

$ urpmq --provides python3-requests+socks-2.25.1-1.mga8.noarch.rpm 
python-requests+socks[== 2.25.1-1.mga8]
python3-requests+socks[== 2.25.1-1.mga8]
python3.8-requests+socks[== 2.25.1-1.mga8]
python3.8dist(requests[socks])[== 2.25.1]
python3dist(requests[socks])[== 2.25.1]
Comment 15 Thomas Andrews 2023-06-08 04:57:32 CEST
Rpmdrake shows python3-requests+socks as there, but for some reason it isn't selecting it as a dependency of httpie. Choosing it, and its dependency python3-pysocks, allows the httpie installation to complete.
Comment 16 David GEIGER 2023-06-08 19:18:13 CEST
Please try with the next httpie-3.1.0-1.1.mga8 update!
Comment 17 Thomas Andrews 2023-06-09 00:56:27 CEST
That did it. I restored the Vbox guest, and tried again. This time I got this list:

The following 8 packages are going to be installed:

- httpie-3.1.0-1.1.mga8.noarch
- python3-charset-normalizer-3.0.1-1.mga8.noarch
- python3-defusedxml-0.6.0-3.mga8.noarch
- python3-multidict-4.7.6-1.mga8.x86_64
- python3-pygments-2.7.4-1.1.mga8.noarch
- python3-pysocks-1.7.1-2.mga8.noarch
- python3-requests+socks-2.25.1-1.mga8.noarch
- python3-requests-toolbelt-0.9.1-3.mga8.noarch

I don't know why the difference from comment 13. I only know there were no installation issues this time.

Adapting a procedure from https://bugs.mageia.org/show_bug.cgi?id=25764#c3 (Thank you, Claire):

$ http -v mageia.org
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: mageia.org
User-Agent: HTTPie/3.1.0



HTTP/1.1 302 Found
Connection: Keep-Alive
Content-Length: 207
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 08 Jun 2023 22:38:35 GMT
Keep-Alive: timeout=5, max=100
Location: https://www.mageia.org/
Server: Apache

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.mageia.org/">here</a>.</p>
</body></html>

And the https command:

$ https -v mageia.org
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: mageia.org
User-Agent: HTTPie/3.1.0



HTTP/1.1 302 Found
Connection: Keep-Alive
Content-Length: 207
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 08 Jun 2023 22:39:15 GMT
Keep-Alive: timeout=5, max=100
Location: https://www.mageia.org/
Server: Apache

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.mageia.org/">here</a>.</p>
</body></html>

Looks good to me. Validating.

Keywords: feedback => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => sysadmin-bugs
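
The advisory in this bug names CVE-2022-24737 as cookie exposure to third parties. As an added check (not part of this bug report or of HTTPie itself), the Python below parses a verbose HTTPie transcript in the format shown in the smoke test above and flags any request that sends a Cookie header to a host other than the original target. The sample transcript is constructed from the comment 17 output plus a hypothetical follow-up request to `other.example`; that second exchange is not on the page.

```python
import re

# Constructed sample: the first exchange mirrors the 'http -v mageia.org' output
# from this bug; the second exchange is hypothetical and shows a session cookie
# being sent to a different host after the redirect (the pattern to detect).
SAMPLE = """\
GET / HTTP/1.1
Accept: */*
Host: mageia.org
User-Agent: HTTPie/3.1.0

HTTP/1.1 302 Found
Content-Type: text/html; charset=iso-8859-1
Location: https://www.mageia.org/
Server: Apache

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<p>The document has moved <a href="https://www.mageia.org/">here</a>.</p>

GET / HTTP/1.1
Cookie: session=abc123
Host: other.example

HTTP/1.1 200 OK
Content-Length: 0
"""

REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d \d{3}\b")


def parse_transcript(text):
    """Split HTTPie -v output into messages: [{'kind', 'start', 'headers'}].
    Header names are lowercased; body lines (after the blank line) are ignored."""
    messages, current, in_headers = [], None, False
    for line in text.splitlines():
        if REQUEST_LINE.match(line) or STATUS_LINE.match(line):
            kind = "response" if line.startswith("HTTP/") else "request"
            current = {"kind": kind, "start": line, "headers": {}}
            messages.append(current)
            in_headers = True
        elif in_headers and line == "":
            in_headers = False  # end of header block, body follows
        elif in_headers and ":" in line:
            name, value = line.split(":", 1)
            current["headers"][name.strip().lower()] = value.strip()
    return messages


def cookie_leaks(text, origin_host):
    """Return (host, cookie) for every request that carries a Cookie header
    to a host other than origin_host, i.e. a cookie handed to a third party."""
    leaks = []
    for msg in parse_transcript(text):
        if msg["kind"] != "request":
            continue
        host = msg["headers"].get("host", "")
        cookie = msg["headers"].get("cookie")
        if cookie and host.lower() != origin_host.lower():
            leaks.append((host, cookie))
    return leaks
```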

Comment 18 Dave Hodgins 2023-06-15 00:25:31 CEST
Advisory committed to svn as ...
type: security
subject: Updated httpie packages fix security vulnerability
CVE:
 - CVE-2022-24737
src:
  8:
   core:
     - httpie-3.1.0-1.1.mga8
     - python-charset-normalizer-3.0.1-1.mga8
description: |
  Cookie exposure to third parties (CVE-2022-24737)
references:
 - https://bugs.mageia.org/show_bug.cgi?id=30188
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/R5VYSYKEKVZEVEBIWAADGDXG4Y3EWCQ3/

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 19 Mageia Robot 2023-06-15 09:28:33 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0196.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

