Bug 1195432 – VUL-1: CVE-2022-23607: python-treq: treq's request methods and `treq.client.HTTPClient` constructor do not bind cookies to a domain

Bug 1195432 - (CVE-2022-23607) VUL-1: CVE-2022-23607: python-treq: treq's request methods and `treq.client.HTTPClient` constructor do not bind cookies to a domain

(CVE-2022-23607)
Summary:	VUL-1: CVE-2022-23607: python-treq: treq's request methods and `treq.client.H...

Status:	IN_PROGRESS

Classification:	openSUSE
Product:	openSUSE Distribution
Classification:	openSUSE
Component:	Security
Version:	Leap 15.3
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor (vote)
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/322342/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2022-02-02 11:53 UTC by Carlos López
Modified:	2022-08-24 07:17 UTC (History)
CC List:	0 users

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Carlos López 2022-02-02 11:53:28 UTC

CVE-2022-23607

treq is an HTTP library inspired by requests but written on top of Twisted's
Agents. Treq's request methods (`treq.get`, `treq.post`, etc.) and
`treq.client.HTTPClient` constructor accept cookies as a dictionary. Such
cookies are not bound to a single domain, and are therefore sent to *every*
domain ("supercookies"). This can potentially cause sensitive information to
leak upon an HTTP redirect to a different domain., e.g. should
`https://example.com` redirect to `http://cloudstorageprovider.com` the latter
will receive the cookie `session`. Treq 2021.1.0 and later bind cookies given to
request methods (`treq.request`, `treq.get`, `HTTPClient.request`,
`HTTPClient.get`, etc.) to the origin of the *url* parameter. Users are advised
to upgrade. For users unable to upgrade Instead of passing a dictionary as the
*cookies* argument, pass a `http.cookiejar.CookieJar` instance with properly
domain- and scheme-scoped cookies in it.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23607
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23607
https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc

Comment 1 Carlos López 2022-02-02 12:23:48 UTC

Affected:
 - openSUSE:Backports:SLE-15-SP3
 - openSUSE:Backports:SLE-15-SP4
 - openSUSE:Factory

The fix [0] was introduced with version 22.1.0

[0] https://github.com/twisted/treq/commit/1da6022cc880bbcff59321abe02bf8498b89efb2

Comment 2 OBSbugzilla Bot 2022-02-03 16:50:03 UTC

This is an autogenerated message for OBS integration:
This bug (1195432) was mentioned in
https://build.opensuse.org/request/show/951348 Factory / python-treq

Comment 3 Matej Cepl 2022-08-18 20:42:27 UTC

(In reply to Carlos López from comment #1)
>  - openSUSE:Backports:SLE-15-SP4

It is not in this channel at all?

Comment 4 Carlos López 2022-08-18 22:22:52 UTC

(In reply to Matej Cepl from comment #3)
> (In reply to Carlos López from comment #1)
> >  - openSUSE:Backports:SLE-15-SP4
> 
> It is not in this channel at all?

It used to be there, I even have a local copy of the repo. But yes, only openSUSE:Backports:SLE-15-SP3 would need submission now.

Comment 5 OBSbugzilla Bot 2022-08-20 08:40:02 UTC

This is an autogenerated message for OBS integration:
This bug (1195432) was mentioned in
https://build.opensuse.org/request/show/998294 Backports:SLE-15-SP3 / python-treq

Comment 6 Swamp Workflow Management 2022-08-24 07:17:46 UTC

openSUSE-SU-2022:10098-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1195432
CVE References: CVE-2022-23607
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    python-treq-20.3.0-bp153.2.3.1