Bug 985348 - (CVE-2016-5699) VUL-0: CVE-2016-5699: python,python3: http protocol stream injection attack
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assigned To: Jan Matejek
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/170244/
Whiteboard: CVSSv2:SUSE:CVE-2016-5699:5.0:(AV:N/A...
Depends on:
Blocks:
Reported: 2016-06-17 09:31 UTC by Marcus Meissner
Modified: 2022-02-13 11:14 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2016-06-17 09:31:09 UTC
via oss-sec

From: Cedric Buissart <cbuissar@redhat.com>
Subject: [oss-security] CVE request: Python HTTP header injection in urrlib2/urllib/httplib/http.client


Hi,

I would like to request a CVE for a Python header injection flaw in
urrlib2/urllib/httplib/http.client.

HTTPConnection.putheader() allows unsafe characters, which can be used to
inject additional headers.

Upstream bug with reproducer:
https://bugs.python.org/issue22928
Comment 1 Marcus Meissner 2016-06-17 09:31:23 UTC
Reproducible on all Python versions I tested: 2.4, 2.6, 2.7, 3.4 and 3.5

Fixed branches:
3.4 / 3.5: revision 94952: https://hg.python.org/cpython/rev/bf3e1c9b80e9
2.7: revision 94951: https://hg.python.org/cpython/rev/1c45047c5102
Comment 2 Marcus Meissner 2016-06-17 09:31:55 UTC
From: Tim <tim-security@sentinelchicken.org>

Thank you Cedric!

Here are the additional details I promised:
  http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html

The gist of it is that protocol injection can occur not only if an
application sets a header based on user-supplied values, but also if
the application ever tries to fetch a URL specified by an attacker
(SSRF case) OR if the application ever accesses any malicious web
server (redirection case).  URLs of the following form allow
injection into the HTTP stream:

  http://127.0.0.1%0d%0aX-injected:%20header%0d%0ax-leftover:%20:12345/foo
  http://localhost%00%0d%0ax-bar:%20:12345/foo

More details in the blog post, of course.

Best regards,
tim
Comment 3 Marcus Meissner 2016-06-17 09:32:34 UTC
From Mitre:

> I would like to request a CVE for a Python header injection flaw in
> urrlib2/urllib/httplib/http.client.
> 
> HTTPConnection.putheader() allows unsafe characters, which can be used to
> inject additional headers.
> 
> Upstream bug with reproducer:
> https://bugs.python.org/issue22928
> 
> Fixed branches:
> 3.4 / 3.5: revision 94952: https://hg.python.org/cpython/rev/bf3e1c9b80e9
> 2.7: revision 94951: https://hg.python.org/cpython/rev/1c45047c5102

As far as we can tell, this is best thought of as only one
vulnerability in one piece of code, even though the code is in a
different file (Lib/http/client.py versus Lib/httplib.py) in 3.x
relative to 2.7. Also, urrlib2 in the Subject line is a typo of
urllib2.

In issue22928, the first message seems slightly unsure about whether
it is a vulnerability, but then the vendor confirms that it is a
vulnerability:

>> I'd like to opt to begin with prohibiting newline characters
>> to be present in HTTP headers. Although this issue is not a
>> "hard vulnerability" such as a buffer overflow, it does translate
>> to a potentially equal level of severity

>> Here's a patch addressing the potential vulnerability as reported.

Finally,
http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
explains that this is not in the general report category of "this
library omits input validation that is arguably either required or
expected, and therefore real-life applications might be affected if
they offer an unusually large attack surface to untrusted input."
Instead, it is in the category of "this library omits input validation
that is obviously critical during URL parsing, and therefore there are
almost certainly many affected real-life applications." (The former
category often qualifies for CVE IDs, but the decision is much easier
in the latter category.)

Use CVE-2016-5699.
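An added example, written for this page and not taken from the bug, the advisory or CPython, that walks through the two URLs quoted in Comment 2 and the putheader() check referred to in Comments 1 and 3. It approximates the pre-fix urllib2 / urllib.request path (percent-decoding the whole host:port string, then splitting the port at the last colon as httplib does), builds the request an unpatched Host header formatting would have emitted and parses it as a server would, so the smuggled lines show up as separate headers. It then applies an application-side host check for attacker-supplied URLs (the SSRF and redirect cases) and confirms that a patched http.client refuses CR/LF in putheader(). Only the two URLs come from the page; the function names, the request builder and the hostname pattern are this example's own and are assumptions, not library behaviour.

```python
"""Added example for CVE-2016-5699: how a percent-encoded CR/LF in the host part of
an attacker-controlled URL becomes extra request headers, and two checks that stop
it. Illustrative code for this page, not CPython's or the reporters' code; only the
two URLs are taken from the advisory quoted above."""
import http.client
import re
from urllib.parse import unquote, urlsplit

# The two URLs quoted in Comment 2 (the advisory author's constructed examples).
INJECTION_URLS = [
    "http://127.0.0.1%0d%0aX-injected:%20header%0d%0ax-leftover:%20:12345/foo",
    "http://localhost%00%0d%0ax-bar:%20:12345/foo",
]


def legacy_host_port(url):
    """Approximation (assumption, not a library call) of the pre-fix urllib2 /
    urllib.request path: the whole host:port string is percent-decoded, then the
    port is split off at the last ':' the way httplib does. Nothing on that path
    looks for the CR/LF that decoding just produced."""
    authority = unquote(urlsplit(url).netloc)
    i, j = authority.rfind(":"), authority.rfind("]")
    if i > j and authority[i + 1:].isdigit():
        return authority[:i], int(authority[i + 1:])
    return authority, 80


def unpatched_request(host, port, path):
    """Request bytes as an unpatched httplib would have sent them: the Host header
    is built by plain string formatting with no control-character check."""
    lines = ["GET %s HTTP/1.1" % path, "Host: %s:%d" % (host, port), "", ""]
    return "\r\n".join(lines).encode("latin-1")


def parse_headers(raw):
    """Parse the request the way a server does: one header per CRLF-terminated
    line. Anything smuggled in after a CRLF shows up as a header of its own."""
    head = raw.decode("latin-1").partition("\r\n\r\n")[0]
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return request_line, headers


# Hypothetical application-side policy for URLs taken from users or redirects:
# decode the host exactly as the library will, then accept only a plain hostname,
# an IPv4 literal or a bracketed IPv6 literal. This rejects NUL and every other
# control character too, which is stricter than a CR/LF-only header check.
_ALLOWED_HOST = re.compile(r"[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\]")


def safe_target(url):
    """True only if the decoded host is something a resolver should ever see."""
    host, _port = legacy_host_port(url)
    return _ALLOWED_HOST.fullmatch(host) is not None


def stdlib_rejects_header(name, value):
    """Patched http.client (the fix tracked in this bug) raises ValueError for
    CR/LF in putheader(). No socket is opened: putrequest/putheader only buffer."""
    conn = http.client.HTTPConnection("localhost")
    conn.putrequest("GET", "/foo")
    try:
        conn.putheader(name, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for url in INJECTION_URLS:
        host, port = legacy_host_port(url)
        request_line, headers = parse_headers(unpatched_request(host, port, "/foo"))
        print(url)
        print("  unpatched request line:", request_line)
        print("  headers seen by server:", headers)
        print("  accepted by safe_target:", safe_target(url))
    print("patched putheader rejects CRLF:",
          stdlib_rejects_header("X-Test", "a\r\nX-injected: header"))
```

The point of the two halves: the library fix closes the sink (putheader() will no longer write a CR/LF into the stream), but an application that fetches attacker-chosen URLs still wants the check on the source, before the host reaches the resolver or any other code that does its own formatting, which is what safe_target() does here.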
Comment 4 Jan Matejek 2016-06-17 11:25:34 UTC
We should be good in Tumbleweed with python 2.7.10 and python3 3.5.1, both of which list the issue as fixed.

SLE12 has a pending ECO for python3 3.4.5, which also has the issue fixed; in older SLE releases, python3 is not maintained.

Python 2 in all distros looks affected.

For openSUSE releases, I propose to update to 2.7.12, due for release next Friday (or 2.7.11 if we can't wait).
For SLE, I'll submit patches.
Comment 6 Bernhard Wiedemann 2016-07-01 14:01:29 UTC
This is an autogenerated message for OBS integration:
This bug (985348) was mentioned in
https://build.opensuse.org/request/show/405901 Factory / python
Comment 7 Bernhard Wiedemann 2016-07-01 18:00:35 UTC
This is an autogenerated message for OBS integration:
This bug (985348) was mentioned in
https://build.opensuse.org/request/show/405973 13.2+42.1 / python
Comment 8 Swamp Workflow Management 2016-07-27 17:09:32 UTC
openSUSE-SU-2016:1885-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 964182,984751,985177,985348
CVE References: CVE-2016-0772,CVE-2016-5636,CVE-2016-5699
Sources used:
openSUSE Leap 42.1 (src):    python-2.7.12-23.1, python-base-2.7.12-23.1, python-doc-2.7.12-23.1
openSUSE 13.2 (src):    python-2.7.12-3.1, python-base-2.7.12-3.1, python-doc-2.7.12-3.1
Comment 10 Swamp Workflow Management 2016-08-19 12:25:13 UTC
SUSE-SU-2016:2106-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 984751,985177,985348,989523
CVE References: CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    python-base-2.7.9-24.2
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    python-base-2.7.9-24.2
SUSE Linux Enterprise Server 12-SP1 (src):    python-2.7.9-24.1, python-base-2.7.9-24.2, python-doc-2.7.9-24.4
SUSE Linux Enterprise Desktop 12-SP1 (src):    python-2.7.9-24.1, python-base-2.7.9-24.2
Comment 11 Swamp Workflow Management 2016-08-19 17:12:45 UTC
openSUSE-SU-2016:2120-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 935856,951166,983582,984751,985177,985348,989523
CVE References: CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699
Sources used:
openSUSE Leap 42.1 (src):    python3-3.4.5-8.1, python3-base-3.4.5-8.1, python3-doc-3.4.5-8.1
openSUSE 13.2 (src):    python3-3.4.5-4.4.1, python3-base-3.4.5-4.4.1, python3-doc-3.4.5-4.4.1
Comment 12 Bernhard Wiedemann 2016-08-26 14:00:57 UTC
This is an autogenerated message for OBS integration:
This bug (985348) was mentioned in
https://build.opensuse.org/request/show/423094 42.2 / python3
Comment 13 Swamp Workflow Management 2016-09-01 14:15:46 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-09-15.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63016
Comment 14 Swamp Workflow Management 2016-09-09 10:10:29 UTC
SUSE-SU-2016:2270-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 984751,985348,989523
CVE References: CVE-2016-0772,CVE-2016-1000110,CVE-2016-5699
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    python-2.6.9-39.1, python-base-2.6.9-39.1, python-doc-2.6-8.39.1
SUSE Linux Enterprise Server 11-SP4 (src):    python-2.6.9-39.1, python-base-2.6.9-39.1, python-doc-2.6-8.39.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    python-2.6.9-39.1, python-base-2.6.9-39.1
Comment 15 Marcus Meissner 2016-09-28 12:36:09 UTC
Released the relevant parts now, I think.
Comment 16 Swamp Workflow Management 2016-10-26 16:26:40 UTC
SUSE-SU-2016:2653-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 951166,983582,984751,985177,985348,989523,991069
CVE References: CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    python3-base-3.4.5-17.1
SUSE Linux Enterprise Server 12-SP1 (src):    python3-3.4.5-17.1, python3-base-3.4.5-17.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    python3-3.4.5-17.1, python3-base-3.4.5-17.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    python3-3.4.5-17.1, python3-base-3.4.5-17.1
Comment 17 Swamp Workflow Management 2016-11-18 15:08:43 UTC
SUSE-SU-2016:2859-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 951166,983582,984751,985177,985348,989523,991069
CVE References: CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    python3-base-3.4.5-19.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    python3-3.4.5-19.1, python3-base-3.4.5-19.1
SUSE Linux Enterprise Server 12-SP2 (src):    python3-3.4.5-19.1, python3-base-3.4.5-19.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    python3-3.4.5-19.1, python3-base-3.4.5-19.1
Comment 19 Swamp Workflow Management 2019-02-01 20:09:56 UTC
SUSE-SU-2019:0223-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1122191,984751,985177,985348,989523
CVE References: CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2019-5010
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    python-2.7.9-16.7.1, python-base-2.7.9-16.7.2, python-doc-2.7.9-16.7.2
Comment 25 Swamp Workflow Management 2020-01-16 14:18:38 UTC
SUSE-SU-2020:0114-1: An update that solves 26 vulnerabilities and has 30 fixes is now available.

Category: security (important)
Bug References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523
CVE References: CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2, python3-doc-3.6.10-3.42.3
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2, python3-doc-3.6.10-3.42.3
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    python3-base-3.6.10-3.42.2
SUSE Linux Enterprise Module for Development Tools 15 (src):    python3-base-3.6.10-3.42.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2
SUSE Linux Enterprise Module for Basesystem 15 (src):    python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 26 Swamp Workflow Management 2020-01-21 20:21:21 UTC
openSUSE-SU-2020:0086-1: An update that solves 26 vulnerabilities and has 30 fixes is now available.

Category: security (important)
Bug References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523
CVE References: CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947
Sources used:
openSUSE Leap 15.1 (src):    python3-3.6.10-lp151.6.7.1, python3-base-3.6.10-lp151.6.7.1
Comment 27 Swamp Workflow Management 2020-01-24 20:20:55 UTC
SUSE-SU-2020:0234-1: An update that solves 37 vulnerabilities and has 50 fixes is now available.

Category: security (important)
Bug References: 1027282,1041090,1042670,1068664,1073269,1073748,1078326,1078485,1079300,1081750,1083507,1084650,1086001,1088004,1088009,1109847,1111793,1113755,1122191,1129346,1130840,1130847,1138459,1141853,1149792,1149955,1153238,1153830,1159035,214983,298378,346490,367853,379534,380942,399190,406051,425138,426563,430761,432677,436966,437293,441088,462375,525295,534721,551715,572673,577032,581765,603255,617751,637176,638233,658604,673071,682554,697251,707667,718009,747125,747794,751718,754447,766778,794139,804978,827982,831442,834601,836739,856835,856836,857470,863741,885882,898572,901715,935856,945401,964182,984751,985177,985348,989523,997436
CVE References: CVE-2007-2052,CVE-2008-1721,CVE-2008-2315,CVE-2008-2316,CVE-2008-3142,CVE-2008-3143,CVE-2008-3144,CVE-2011-1521,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-1753,CVE-2013-4238,CVE-2014-1912,CVE-2014-4650,CVE-2014-7185,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-1000158,CVE-2017-18207,CVE-2018-1000030,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20852,CVE-2019-10160,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947,CVE-2019-9948
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    python-2.7.17-7.32.2, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 38 OBSbugzilla Bot 2020-11-27 16:45:46 UTC
This is an autogenerated message for OBS integration:
This bug (985348) was mentioned in
https://build.opensuse.org/request/show/851367 Factory / python36
Comment 40 OBSbugzilla Bot 2020-12-01 18:25:55 UTC
This is an autogenerated message for OBS integration:
This bug (985348) was mentioned in
https://build.opensuse.org/request/show/852415 Factory / python36
Comment 42 OBSbugzilla Bot 2020-12-05 17:35:40 UTC
This is an autogenerated message for OBS integration:
This bug (985348) was mentioned in
https://build.opensuse.org/request/show/853277 Factory / python36
Comment 43 OBSbugzilla Bot 2020-12-05 19:15:53 UTC
This is an autogenerated message for OBS integration:
This bug (985348) was mentioned in
https://build.opensuse.org/request/show/853314 Factory / python36
Comment 46 OBSbugzilla Bot 2020-12-17 18:16:03 UTC
This is an autogenerated message for OBS integration:
This bug (985348) was mentioned in
https://build.opensuse.org/request/show/856737 Factory / python36
Comment 47 OBSbugzilla Bot 2021-10-06 14:45:40 UTC
This is an autogenerated message for OBS integration:
This bug (985348) was mentioned in
https://build.opensuse.org/request/show/923499 Factory / python36
Comment 48 OBSbugzilla Bot 2021-10-22 08:46:02 UTC
This is an autogenerated message for OBS integration:
This bug (985348) was mentioned in
https://build.opensuse.org/request/show/926876 Factory / python36
Comment 49 OBSbugzilla Bot 2022-02-06 22:31:25 UTC
This is an autogenerated message for OBS integration:
This bug (985348) was mentioned in
https://build.opensuse.org/request/show/951983 Factory / python
Comment 50 OBSbugzilla Bot 2022-02-09 19:11:40 UTC
This is an autogenerated message for OBS integration:
This bug (985348) was mentioned in
https://build.opensuse.org/request/show/953031 Factory / python