Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 16 Jun 2016 18:45:50 -0400 (EDT)
From: cve-assign@...re.org
To: cbuissar@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Python HTTP header injection in urrlib2/urllib/httplib/http.client

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> I would like to request a CVE for a Python header injection flaw in
> urrlib2/urllib/httplib/http.client.
> 
> HTTPConnection.putheader() allows unsafe characters, which can be used to
> inject additional headers.
> 
> Upstream bug with reproducer :
> https://bugs.python.org/issue22928
> 
> Fixed branches :
> 3.4 / 3.5 : revision 94952 : https://hg.python.org/cpython/rev/bf3e1c9b80e9
> 2.7 : revision 94951 : https://hg.python.org/cpython/rev/1c45047c5102

As far as we can tell, this is best thought of as only one
vulnerability in one piece of code, even though the code is in a
different file (Lib/http/client.py versus Lib/httplib.py) in 3.x
relative to 2.7. Also, urrlib2 in the Subject line is a typo of
urllib2.

In issue22928, the first message seems slightly unsure about whether
it is a vulnerability, but then the vendor confirms that it is a
vulnerability:

>> I'd like to opt to begin with prohibiting newline characters
>> to be present in HTTP headers. Although this issue is not a
>> "hard vulnerability" such as a buffer overflow, it does translate
>> to a potentially equal level of severity

>> Here's a patch addressing the potential vulnerability as reported.

Finally,
http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
explains that this is not in the general report category of "this
library omits input validation that is arguably either required or
expected, and therefore real-life applications might be affected if
they offer an unusually large attack surface to untrusted input."
Instead, it is in the category of "this library omits input validation
that is obviously critical during URL parsing, and therefore there are
almost certainly many affected real-life applications." (The former
category often qualifies for CVE IDs, but the decision is much easier
in the latter category.)

Use CVE-2016-5699.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXYyuAAAoJEHb/MwWLVhi2m04P/0qVnpNhWxRL0+fSoaQfUdKJ
60zgH5J1B7SV+6V9JJifrr8uEbK75806XFesrZScj4BmoqhBZsyD3iD+8BxD37Zr
PrscsnFV6Dqixu7W8g04CFhRifdTBCutmOegNuAufWHi+UZ/ajwvonXEN1Vw1LB8
aoPFryqvXjofh4TtU3R1YDFQXQmInyyu4TPmsMDqOaFAg20SSmqIIq/AbH+eqcy4
Yugylwn0S+FuahyQRokYGAyRoLnhqUoJxnLaXe8t3HweiH9DvIdnCaXPGOK9f5Bu
Xdk0DX7HQ6Ub+fhQszJjkk6yefXut9W0w0MbSpLnoHVRKJrCv131HGJ3z6UGbCWR
lcIGXOnYYEE9vQ3fMeRFMI8duThLfkDmMSUZRNr0BrUEucgZKA7FqBNH/TA7TAV5
DTgVSlNEr649LBJwtb0Cd+5rt7FgEjyKlM3uLaMoFUtHQKkf5Fn5wcKevWCoVYF1
bNruk9w9b/AxOhvklQ3+CB/ap0eFkbVCBHbcrAxHXnPAr3F9CWbWS7kaYtTKNnD1
mKRS+BJtkJHmF0TKQGXihwLPhbEBgrkhwZ5mtWsH2R41jAjE9ps4RSvevImcWL8g
MS+AxrD9I1K1T+FKnDWO4NaDaO50lCp/Eka/0WS3msQhK1bWwaE0Ka2Rbbe7p6t6
G8bc27YJeXNkrau8p+qr
=tp8L
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.