Arch Linux Security Advisory ASA-201906-17

Severity: High
Date : 2019-06-18
CVE-ID : CVE-2019-9636
Package : python
Type : information disclosure
Remote : Yes
Link : https://security.archlinux.org/AVG-977

Summary

The package python before version 3.7.3-1 is vulnerable to information
disclosure.

Resolution

Upgrade to 3.7.3-1.

pacman -Syu “python>=3.7.3-1”

The problem has been fixed upstream in version 3.7.3.

Workaround

None.

Description

Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by
improper Handling of Unicode Encoding (with an incorrect netloc) during
NFKC normalization. A specially crafted URL could be incorrectly parsed
by urllib.parse.urlsplit and urllib.parse.urlparse to locate cookies or
authentication data and send that information to a different host than
when parsed correctly.

Impact

A remote attacker is able to use a specially crafted URL to locate and
disclose cookies or authentication data.

References

https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html
https://github.com/python/cpython/commit/daad2c482c91de32d8305abbccc76a5de8b3a8be
https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de
https://security.archlinux.org/CVE-2019-9636