Date: Thu, 16 Jun 2016 18:45:50 -0400 (EDT) From: cve-assign@...re.org To: cbuissar@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request: Python HTTP header injection in urrlib2/urllib/httplib/http.client -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > I would like to request a CVE for a Python header injection flaw in > urrlib2/urllib/httplib/http.client. > > HTTPConnection.putheader() allows unsafe characters, which can be used to > inject additional headers. > > Upstream bug with reproducer : > https://bugs.python.org/issue22928 > > Fixed branches : > 3.4 / 3.5 : revision 94952 : https://hg.python.org/cpython/rev/bf3e1c9b80e9 > 2.7 : revision 94951 : https://hg.python.org/cpython/rev/1c45047c5102 As far as we can tell, this is best thought of as only one vulnerability in one piece of code, even though the code is in a different file (Lib/http/client.py versus Lib/httplib.py) in 3.x relative to 2.7. Also, urrlib2 in the Subject line is a typo of urllib2. In issue22928, the first message seems slightly unsure about whether it is a vulnerability, but then the vendor confirms that it is a vulnerability: >> I'd like to opt to begin with prohibiting newline characters >> to be present in HTTP headers. Although this issue is not a >> "hard vulnerability" such as a buffer overflow, it does translate >> to a potentially equal level of severity >> Here's a patch addressing the potential vulnerability as reported. Finally, http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html explains that this is not in the general report category of "this library omits input validation that is arguably either required or expected, and therefore real-life applications might be affected if they offer an unusually large attack surface to untrusted input." Instead, it is in the category of "this library omits input validation that is obviously critical during URL parsing, and therefore there are almost certainly many affected real-life applications." (The former category often qualifies for CVE IDs, but the decision is much easier in the latter category.) Use CVE-2016-5699. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXYyuAAAoJEHb/MwWLVhi2m04P/0qVnpNhWxRL0+fSoaQfUdKJ 60zgH5J1B7SV+6V9JJifrr8uEbK75806XFesrZScj4BmoqhBZsyD3iD+8BxD37Zr PrscsnFV6Dqixu7W8g04CFhRifdTBCutmOegNuAufWHi+UZ/ajwvonXEN1Vw1LB8 aoPFryqvXjofh4TtU3R1YDFQXQmInyyu4TPmsMDqOaFAg20SSmqIIq/AbH+eqcy4 Yugylwn0S+FuahyQRokYGAyRoLnhqUoJxnLaXe8t3HweiH9DvIdnCaXPGOK9f5Bu Xdk0DX7HQ6Ub+fhQszJjkk6yefXut9W0w0MbSpLnoHVRKJrCv131HGJ3z6UGbCWR lcIGXOnYYEE9vQ3fMeRFMI8duThLfkDmMSUZRNr0BrUEucgZKA7FqBNH/TA7TAV5 DTgVSlNEr649LBJwtb0Cd+5rt7FgEjyKlM3uLaMoFUtHQKkf5Fn5wcKevWCoVYF1 bNruk9w9b/AxOhvklQ3+CB/ap0eFkbVCBHbcrAxHXnPAr3F9CWbWS7kaYtTKNnD1 mKRS+BJtkJHmF0TKQGXihwLPhbEBgrkhwZ5mtWsH2R41jAjE9ps4RSvevImcWL8g MS+AxrD9I1K1T+FKnDWO4NaDaO50lCp/Eka/0WS3msQhK1bWwaE0Ka2Rbbe7p6t6 G8bc27YJeXNkrau8p+qr =tp8L -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.