[3.8] python2: Multiple vulnerabilities (CVE-2018-14647, CVE-2019-9636, CVE-2019-9948)
CVE-2018-14647: Missing salt initialization in _elementtree.c module
A flaw was found in Python's _elementtree.c module, a wrapper for the
libexpat XML parser. The xml.etree C accelerator doesn't call
XML_SetHashSalt(), failing to properly
initialize the random hash seed from a good CSPRNG source and making hash
collision attacks with carefully crafted XML data easier.
Fixed In Version:
python 3.7.1, python 3.6.7, python 2.7.16
References:
https://bugs.python.org/issue34623
Patch:
https://github.com/python/cpython/commit/18b20bad75b4ff0486940fba4ec680e96e70f3a2
CVE-2019-9636: Information Disclosure due to urlsplit improper NFKC normalization
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 are affected by:
Improper Handling of Unicode Encoding (with an incorrect netloc) during
NFKC normalization.
The impact is: Information disclosure (credentials, cookies, etc. that
are cached against a given hostname). The components are:
urllib.parse.urlsplit, urllib.parse.urlparse.
The attack vector is: A specially crafted URL could be incorrectly
parsed to locate cookies or authentication data and send that
information to a different host than when parsed correctly.
References:
https://bugs.python.org/issue36216
https://nvd.nist.gov/vuln/detail/CVE-2019-9636
Patch:
https://github.com/python/cpython/commit/e37ef41289b77e0f0bb9a6aedb0360664c55bdd5
CVE-2019-9948: local_file allows remote attackers to bypass protection mechanisms
urllib in Python 2.x through 2.7.16 supports the local_file: scheme,
which makes it easier for remote attackers to bypass
protection mechanisms that blacklist file: URIs, as demonstrated by
triggering a urllib.urlopen('local_file:///etc/passwd') call.
References:
https://bugs.python.org/issue35907
https://github.com/python/cpython/pull/11842
(from redmine: issue id 10294, created on 2019-04-18)
- Relations:
- parent #10291
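
The following is an added example, not part of the original report and not CPython's patch: a caller-side URL check covering both urllib issues above (CVE-2019-9636 and CVE-2019-9948). It is written for Python 3's urllib.parse; the function names, the http/https allowlist policy and the sample URLs are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumed policy: allowlist the schemes the application fetches instead of
# blacklisting file:, so aliases such as local_file: are rejected by default.
ALLOWED_SCHEMES = frozenset({"http", "https"})
# Characters that delimit URL components inside or right after the netloc.
NETLOC_DELIMITERS = "/?#@:"


def netloc_gains_delimiter(netloc):
    """True if NFKC normalization introduces a URL delimiter into netloc."""
    normalized = unicodedata.normalize("NFKC", netloc)
    return any(normalized.count(c) > netloc.count(c) for c in NETLOC_DELIMITERS)


def is_fetchable(url):
    """True only for http(s) URLs whose netloc is stable under NFKC."""
    try:
        parts = urlsplit(url)
    except ValueError:
        # Interpreters with the CVE-2019-9636 fix raise ValueError for such
        # netlocs; any parse failure is treated as unsafe.
        return False
    if parts.scheme not in ALLOWED_SCHEMES:  # urlsplit lowercases the scheme
        return False
    if not parts.netloc or netloc_gains_delimiter(parts.netloc):
        return False
    return True


# Constructed sample inputs (not taken from the advisory's references).
SAMPLES = [
    "https://example.com/index.html",         # plain ASCII host
    "https://b\u00fccher.example/",           # IDN host, unchanged by NFKC
    "local_file:///etc/passwd",               # scheme alias from CVE-2019-9948
    "file:///etc/passwd",                     # not on the allowlist
    "https://example.com\uff03.example.org/", # U+FF03 normalizes to '#'
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(ascii(sample), "->", "allow" if is_fetchable(sample) else "reject")
```

The check is a defence-in-depth layer for code that builds or caches per-host state from parsed URLs; it does not replace upgrading to a fixed interpreter.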