python3.7: CVE-2019-9636: urlsplit does not handle NFKC normalization

Related Vulnerabilities: CVE-2019-9636  

Debian Bug report logs - #924072


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 9 Mar 2019 10:18:01 UTC

Severity: important

Tags: security, upstream

Found in versions python3.7/3.7.2-3, python3.7/3.7.2-2

Fixed in version python3.7/3.7.3~rc1-1

Done: Matthias Klose <doko@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.python.org/issue36216



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Matthias Klose <doko@debian.org>:
Bug#924072; Package src:python3.7. (Sat, 09 Mar 2019 10:18:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Matthias Klose <doko@debian.org>. (Sat, 09 Mar 2019 10:18:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python3.7: CVE-2019-9636: urlsplit does not handle NFKC normalization
Date: Sat, 09 Mar 2019 11:15:12 +0100
Source: python3.7
Version: 3.7.2-3
Severity: important
Tags: security upstream
Forwarded: https://bugs.python.org/issue36216
Control: clone -1 -2
Control: found -1 3.7.2-2
Control: reassign -2 src:python2.7 2.7.16-1
Control: retitle -2 python2.7: CVE-2019-9636: urlsplit does not handle NFKC normalization
Control: found -2 2.7.16~rc1-1
Control: found -2 2.7.13-2+deb9u3
Control: found -2 2.7.13-2

Hi,

The following vulnerability was published for python3.7.

CVE-2019-9636[0]:
| Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by:
| Improper Handling of Unicode Encoding (with an incorrect netloc) during
| NFKC normalization. The impact is: Information disclosure (credentials,
| cookies, etc. that are cached against a given hostname). The components
| are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector
| is: A specially crafted URL could be incorrectly parsed to locate
| cookies or authentication data and send that information to a different
| host than when parsed correctly.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9636
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636
[1] https://bugs.python.org/issue36216
[2] https://github.com/python/cpython/commit/e37ef41289b77e0f0bb9a6aedb0360664c55bdd5 (2.7.x)
[3] https://github.com/python/cpython/commit/daad2c482c91de32d8305abbccc76a5de8b3a8be (3.7.x)

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
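The changelog for the fixed package describes the upstream remedy as a check for characters in the netloc that normalize to separators. The block below is an added illustration of that kind of check, written for this page; it is not CPython's own `_checknetloc` and not Debian's patch, and all function names (`netloc_normalizes_to_separator`, `safe_urlsplit`, `is_rejected`, `denormalizing_chars`) are my own. It flags a netloc whose NFKC form gains a `/`, `?`, `#`, `@` or `:` that was not visible before normalization, leaves ordinary internationalized hostnames alone, and can enumerate every code point that would trip the check, which is handy when auditing a URL validator. The sample netlocs are constructed, not taken from the bug report.

```python
import sys
import unicodedata
from urllib.parse import SplitResult, urlsplit

# URL delimiters that must never appear inside the netloc after NFKC
# normalization (IDNA hostname processing applies NFKC, so a resolver may
# see a different host than urlsplit() did).
URL_SEPARATORS = "/?#@:"


def netloc_normalizes_to_separator(netloc: str) -> bool:
    """True if NFKC-normalizing netloc introduces a separator character
    that was not already present in the un-normalized text."""
    if not netloc or netloc.isascii():
        return False  # ASCII is unchanged by NFKC
    # Drop separators that are legitimately visible already (userinfo '@',
    # port ':', and an unusual but explicit '#' / '?') so that only
    # characters which *become* separators under normalization are flagged.
    stripped = netloc
    for sep in "@:#?":
        stripped = stripped.replace(sep, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return False  # no-op normalization, e.g. a plain IDN like bücher.example
    return any(sep in normalized for sep in URL_SEPARATORS)


def safe_urlsplit(url: str) -> SplitResult:
    """urlsplit() that refuses netlocs whose meaning changes under NFKC.
    Interpreters carrying the upstream fix already raise ValueError inside
    urlsplit(); this wrapper gives the same behaviour on older ones."""
    parts = urlsplit(url)
    if netloc_normalizes_to_separator(parts.netloc):
        raise ValueError(
            "netloc %r contains characters that normalize to a URL separator"
            % parts.netloc
        )
    return parts


def is_rejected(url: str) -> bool:
    """True if safe_urlsplit() refuses the URL, whichever layer raised."""
    try:
        safe_urlsplit(url)
    except ValueError:
        return True
    return False


def denormalizing_chars() -> set:
    """Every non-ASCII code point whose NFKC form contains a URL separator.
    Enumerated from the Unicode database rather than hard-coded, so the
    result tracks whatever unicodedata version the interpreter ships."""
    found = set()
    for cp in range(128, sys.maxunicode + 1):
        if 0xD800 <= cp <= 0xDFFF:
            continue  # lone surrogates are not characters
        ch = chr(cp)
        if not unicodedata.decomposition(ch):
            continue  # no decomposition mapping: NFKC leaves it unchanged
        if any(sep in unicodedata.normalize("NFKC", ch) for sep in URL_SEPARATORS):
            found.add(ch)
    return found


if __name__ == "__main__":
    # Constructed sample netlocs: two benign, two that change under NFKC
    # (U+2100 ACCOUNT OF becomes "a/c", U+FF03 FULLWIDTH NUMBER SIGN becomes "#").
    for netloc in ("example.com", "b\u00fccher.example",
                   "example.com\u2100", "example.com\uff03"):
        print(repr(netloc), "->", netloc_normalizes_to_separator(netloc))
    chars = denormalizing_chars()
    print(len(chars), "code points normalize to a separator, first few:",
          [hex(ord(c)) for c in sorted(chars)[:5]])
```

Run it on a Python that already contains the fix and `safe_urlsplit` rejects the crafted netlocs before the wrapper's own check is reached; on an older interpreter the wrapper supplies the check. Either way a caller that goes on to look up cookies or credentials by `parts.hostname` only ever sees a hostname that survives normalization unchanged.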



Bug 924072 cloned as bug 924073 Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 09 Mar 2019 10:18:04 GMT)


Marked as found in versions python3.7/3.7.2-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 09 Mar 2019 10:18:04 GMT)


Added tag(s) pending. Request was from Matthias Klose <doko@debian.org> to control@bugs.debian.org. (Sat, 09 Mar 2019 19:03:06 GMT)


Reply sent to Matthias Klose <doko@debian.org>:
You have taken responsibility. (Wed, 13 Mar 2019 12:21:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 13 Mar 2019 12:21:03 GMT)


Message #16 received at 924072-close@bugs.debian.org:

From: Matthias Klose <doko@debian.org>
To: 924072-close@bugs.debian.org
Subject: Bug#924072: fixed in python3.7 3.7.3~rc1-1
Date: Wed, 13 Mar 2019 12:19:57 +0000
Source: python3.7
Source-Version: 3.7.3~rc1-1

We believe that the bug you reported is fixed in the latest version of
python3.7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924072@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <doko@debian.org> (supplier of updated python3.7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 13 Mar 2019 12:01:15 +0100
Source: python3.7
Architecture: source
Version: 3.7.3~rc1-1
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Matthias Klose <doko@debian.org>
Closes: 924072
Changes:
 python3.7 (3.7.3~rc1-1) unstable; urgency=medium
 .
   * Python 3.7.3 release candidate 1.
   * CVE-2019-9636. Fix issue #36216: Add check for characters in netloc that
     normalize to separators. Closes: #924072.
   * Use a build profile for libbluetooth-dev (<!pkg.python3.7.nobluetooth>).
Checksums-Sha1:
 1555adc813e73bcba2d8c4d362bbdaf5b7589b59 3464 python3.7_3.7.3~rc1-1.dsc
 32663d679846802f6173ba77581b642fe5ee00e4 17106464 python3.7_3.7.3~rc1.orig.tar.xz
 c370b1b0652b4d154e18001e006034a73f1c3e4b 209784 python3.7_3.7.3~rc1-1.debian.tar.xz
 54869574471d465d9602e76b315b5b5ab50806cf 9454 python3.7_3.7.3~rc1-1_source.buildinfo
Checksums-Sha256:
 025f09abc026f1d6a6e4524b5926a39e41cf2c9a1e931999655fedc4c793c67d 3464 python3.7_3.7.3~rc1-1.dsc
 d184af1fc8a1559f5cea0ea99bbfa5b34ce410033775eeacd9b90cd1eb756f72 17106464 python3.7_3.7.3~rc1.orig.tar.xz
 7e014c5f6c1c7116663494e71e2ea389cd3ec2cee73ddf19cf0940b381dd09ca 209784 python3.7_3.7.3~rc1-1.debian.tar.xz
 4100ba3f0b39ad196746ad0b1a01421bf9db0480b5a1e61820f8fb131f90f685 9454 python3.7_3.7.3~rc1-1_source.buildinfo
Files:
 ae2004fc7657281422a531ba92b247bf 3464 python optional python3.7_3.7.3~rc1-1.dsc
 0f829f6257e32e6fa807f26bc7db4018 17106464 python optional python3.7_3.7.3~rc1.orig.tar.xz
 2e7633daf7468fc51543636d67c428ce 209784 python optional python3.7_3.7.3~rc1-1.debian.tar.xz
 ca41efe838dcf3e14a18daeb96e07f59 9454 python optional python3.7_3.7.3~rc1-1_source.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 11 Apr 2019 07:27:43 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:01:51 2019; Machine Name: buxtehude
