python-oauthlib: CVE-2022-36087: DoS when attacker provide malicious IPV6 URI

Debian Bug report logs - #1019710
python-oauthlib: CVE-2022-36087: DoS when attacker provide malicious IPV6 URI

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: python-oauthlib: CVE-2022-36087: DoS when attacker provide malicious IPV6 URI

Date: Tue, 13 Sep 2022 22:14:26 +0200

Source: python-oauthlib
Version: 3.2.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for python-oauthlib.

CVE-2022-36087[0]:
| OAuthLib is an implementation of the OAuth request-signing logic for
| Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker
| providing malicious redirect uri can cause denial of service. An
| attacker can also leverage usage of `uri_validate` functions depending
| where it is used. OAuthLib applications using OAuth4.0 provider
| support or use directly `uri_validate` are affected by this issue.
| Version 3.2.1 contains a patch. There are no known workarounds.

Note, that while it is claimed to be fixed in 3.2.1, the two commits
in [1] and [2] are not included in 3.2.1. There is a simple test case
to show the issue as well in the commit expanding the unittests.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-36087
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36087
[1] https://github.com/oauthlib/oauthlib/security/advisories/GHSA-3pgj-pg6c-r5p7
[2] https://github.com/oauthlib/oauthlib/commit/e514826eea15f2b62bbc13da407b71552ef5ff4c
[3] https://github.com/oauthlib/oauthlib/commit/5d85c61998692643dd9d17e05d2646e06ce391e8

Regards,
Salvatore

Message #10 received at 1019710@bugs.debian.org (full text, mbox, reply):

From: Daniele Tricoli <eriol@mornie.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 1019710@bugs.debian.org

Subject: Re: Bug#1019710: python-oauthlib: CVE-2022-36087: DoS when attacker provide malicious IPV6 URI

Date: Wed, 14 Sep 2022 10:37:08 +0200

Hello Salvatore,
many thanks for the report!

On 13/09/2022 22:14, Salvatore Bonaccorso wrote:
> Source: python-oauthlib
> Version: 3.2.0-1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for python-oauthlib.
> 
> CVE-2022-36087[0]:
> | OAuthLib is an implementation of the OAuth request-signing logic for
> | Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker
> | providing malicious redirect uri can cause denial of service. An
> | attacker can also leverage usage of `uri_validate` functions depending
> | where it is used. OAuthLib applications using OAuth4.0 provider
> | support or use directly `uri_validate` are affected by this issue.
> | Version 3.2.1 contains a patch. There are no known workarounds.
> 
> Note, that while it is claimed to be fixed in 3.2.1, the two commits
> in [1] and [2] are not included in 3.2.1. There is a simple test case
> to show the issue as well in the commit expanding the unittests.

I'm preparing a new upload for python-oauthlib and I will include also 
the two commits you mentioned. Thanks!

Regards,

-- 
Daniele Tricoli
https://mornie.org

Send a report that this bug log contains spam.