Bug 1130847 – VUL-1: CVE-2019-9948: python,python3,python27: support of the local_file: scheme makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs

Bug 1130847 - (CVE-2019-9948) VUL-1: CVE-2019-9948: python,python3,python27: support of the local_file: scheme makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs

(CVE-2019-9948)
Summary:	VUL-1: CVE-2019-9948: python,python3,python27: support of the local_file: sch...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/226977/
Whiteboard:	CVSSv3:SUSE:CVE-2019-9948:3.3:(AV:L/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-03-28 13:44 UTC by Karol Babioch
Modified:	2022-06-10 08:40 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Karol Babioch 2019-03-28 13:44:11 UTC

CVE-2019-9948

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes
it easier for remote attackers to bypass protection mechanisms that blacklist
file: URIs, as demonstrated by triggering a
urllib.urlopen('local_file:///etc/passwd') call.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9948
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9948
http://www.securityfocus.com/bid/107549
https://bugs.python.org/issue35907
https://github.com/python/cpython/pull/11842

Comment 3 Swamp Workflow Management 2019-04-15 19:10:08 UTC

SUSE-SU-2019:14018-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1129346,1130847
CVE References: CVE-2019-9636,CVE-2019-9948
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    python-2.6.9-40.24.1, python-base-2.6.9-40.24.1, python-doc-2.6-8.40.24.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    python-2.6.9-40.24.1, python-base-2.6.9-40.24.1, python-doc-2.6-8.40.24.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    python-2.6.9-40.24.1, python-base-2.6.9-40.24.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    python-2.6.9-40.24.1, python-base-2.6.9-40.24.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.

Comment 4 Swamp Workflow Management 2019-04-17 19:10:06 UTC

SUSE-SU-2019:0972-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1129346,1130847
CVE References: CVE-2019-9636,CVE-2019-9948
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    python-2.7.14-7.11.1, python-doc-2.7.14-7.11.2
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    python-2.7.14-7.11.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    python-2.7.14-7.11.1, python-base-2.7.14-7.11.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.

Comment 5 Swamp Workflow Management 2019-04-25 19:10:01 UTC

openSUSE-SU-2019:1273-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1129346,1130847
CVE References: CVE-2019-9636,CVE-2019-9948
Sources used:
openSUSE Leap 15.0 (src):    python-2.7.14-lp150.6.10.1

Comment 6 Swamp Workflow Management 2019-06-06 19:12:28 UTC

SUSE-SU-2019:1439-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1129346,1130847
CVE References: CVE-2019-9636,CVE-2019-9948
Sources used:
SUSE OpenStack Cloud 7 (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1, python-doc-2.7.13-28.26.1
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    python-base-2.7.13-28.26.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    python-base-2.7.13-28.26.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    python-base-2.7.13-28.26.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    python-base-2.7.13-28.26.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1, python-doc-2.7.13-28.26.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1, python-doc-2.7.13-28.26.1
SUSE Linux Enterprise Server 12-SP4 (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1, python-doc-2.7.13-28.26.1
SUSE Linux Enterprise Server 12-SP3 (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1, python-doc-2.7.13-28.26.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1, python-doc-2.7.13-28.26.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1, python-doc-2.7.13-28.26.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1, python-doc-2.7.13-28.26.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1
SUSE Enterprise Storage 5 (src):    python-2.7.13-28.26.1
SUSE Enterprise Storage 4 (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1, python-doc-2.7.13-28.26.1
SUSE CaaS Platform ALL (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1
SUSE CaaS Platform 3.0 (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1
OpenStack Cloud Magnum Orchestration 7 (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 7 Swamp Workflow Management 2019-06-18 23:13:26 UTC

openSUSE-SU-2019:1580-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1129346,1130847
CVE References: CVE-2019-9636,CVE-2019-9948
Sources used:
openSUSE Leap 42.3 (src):    python-2.7.13-27.15.1, python-base-2.7.13-27.15.1, python-doc-2.7.13-27.15.1

Comment 9 Swamp Workflow Management 2020-01-24 20:13:52 UTC

SUSE-SU-2020:0234-1: An update that solves 37 vulnerabilities and has 50 fixes is now available.

Category: security (important)
Bug References: 1027282,1041090,1042670,1068664,1073269,1073748,1078326,1078485,1079300,1081750,1083507,1084650,1086001,1088004,1088009,1109847,1111793,1113755,1122191,1129346,1130840,1130847,1138459,1141853,1149792,1149955,1153238,1153830,1159035,214983,298378,346490,367853,379534,380942,399190,406051,425138,426563,430761,432677,436966,437293,441088,462375,525295,534721,551715,572673,577032,581765,603255,617751,637176,638233,658604,673071,682554,697251,707667,718009,747125,747794,751718,754447,766778,794139,804978,827982,831442,834601,836739,856835,856836,857470,863741,885882,898572,901715,935856,945401,964182,984751,985177,985348,989523,997436
CVE References: CVE-2007-2052,CVE-2008-1721,CVE-2008-2315,CVE-2008-2316,CVE-2008-3142,CVE-2008-3143,CVE-2008-3144,CVE-2011-1521,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-1753,CVE-2013-4238,CVE-2014-1912,CVE-2014-4650,CVE-2014-7185,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-1000158,CVE-2017-18207,CVE-2018-1000030,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20852,CVE-2019-10160,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947,CVE-2019-9948
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    python-2.7.17-7.32.2, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 Robert Frohl 2020-09-30 08:38:35 UTC

released

Comment 12 OBSbugzilla Bot 2022-02-06 22:30:42 UTC

This is an autogenerated message for OBS integration:
This bug (1130847) was mentioned in
https://build.opensuse.org/request/show/951983 Factory / python

Comment 13 OBSbugzilla Bot 2022-02-09 19:10:50 UTC

This is an autogenerated message for OBS integration:
This bug (1130847) was mentioned in
https://build.opensuse.org/request/show/953031 Factory / python

Comment 14 OBSbugzilla Bot 2022-06-10 08:40:44 UTC

This is an autogenerated message for OBS integration:
This bug (1130847) was mentioned in
https://build.opensuse.org/request/show/981989 Factory / python