Python 2 Security Vulnerability (CVE) Updates

There’s a flaw in urllib’s AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.

A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int(“text”), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.

In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9

A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like ‘\r’ and ‘\n’ in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary
expressions, such as ones that use the Python exec method. A lambda expression could also be used.

Pillow before 9.0.1 allows attackers to delete files because spaces in
temporary pathnames are mishandled.

In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/
TiffDecode.c.

The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression
Denial of Service (ReDoS) via the getrgb function.

An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a
negative-offset memcpy with an invalid size.

An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an
out-of-bounds read in TiffreadRGBATile via invalid tile boundaries.

An issue was discovered in Pillow before 8.1.1. There is an out-ofbounds read
in SGIRleDecode.c.

Pillow before 8.1.1 allows attackers to cause a denial of service (memory
consumption) because the reported size of a contained image is not properly checked for a BLP
container, and thus an attempted memory allocation can be very large.

Pillow before 8.1.1 allows attackers to cause a denial of service (memory
consumption) because the reported size of a contained image is not properly checked for an ICNS
container, and thus an attempted memory allocation can be very large.

Pillow before 8.1.1 allows attackers to cause a denial of service (memory
consumption) because the reported size of a contained image is not properly checked for an ICO
container, and thus an attempted memory allocation can be very large.

In libexpat through 2.4.9, there is a use-after free caused by overeager
destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.

libexpat before 2.4.9 has a use-after-free in the doContent function in
xmlparse.c.

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
implementation will not encrypt the entirety of the data under some circumstances. This could reveal
sixteen bytes of data that was preexisting in the memory that wasn’t written. In the special case of
“in place” encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not
support OCB based cipher suites for TLS and DTLS, they are both unaffected.

In addition to the c_rehash shell command injection identified in
CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell
metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was
fixed it was not discovered that there are other places in the script where the file names of
certificates being hashed were possibly passed to a command executed through the shell. This script
is distributed by some operating systems in a manner where it is automatically executed. On such
operating systems, an attacker could execute arbitrary commands with the privileges of the script.
Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash
command line tool.

The c_rehash script does not properly sanitise shell metacharacters to prevent
command injection. This script is distributed by some operating systems in a manner where it is
automatically executed. On such operating systems, an attacker could execute arbitrary commands with
the privileges of the script. Use of the c_rehash script is considered obsolete and should be
replaced by the OpenSSL rehash command line tool.

A flaw was found in SQLite’s SELECT query functionality (src/select.c). This
flaw allows an attacker who is capable of running SQL queries locally on the SQLite database to
cause a denial of service or possible code execution by triggering a use-after-free. The highest
threat from this vulnerability is to system availability.

The BN_mod_sqrt() function, which computes a modular square root, contains a
bug that can cause it to loop forever for non-prime moduli. Internally this function is used when
parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic
curve parameters with a base point encoded in compressed form. It is possible to trigger the
infinite loop by crafting a certificate that has invalid explicit curve parameters. Since
certificate parsing happens prior to verification of the certificate signature, any process that
parses an externally supplied certificate may thus be subject to a denial of service attack.

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in
storeRawNames.

xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert
namespace-separator characters into namespace URIs.

xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of
encoding, such as checks for whether a UTF-8 character is valid in a certain context.

Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow
an attacker to pass controlled parameters directly into a convert function to trigger a buffer
overflow in Convert.c.

An issue was discovered in Pillow before 8.2.0. There is an out-ofbounds read
in J2kDecode, in j2ku_gray_i.

An issue was discovered in Pillow before 8.2.0. There is an out-ofbounds read
in J2kDecode, in j2ku_graya_la.

An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to
denial of service when performing syntax highlighting of a Standard ML (SML) source file, as
demonstrated by input that only contains the “exception” keyword.

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation
ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the
signature_algorithms extension (where it was present in the initial ClientHello), but includes a
signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash
and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation
enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue.
All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to
OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected
1.1.1-1.1.1j).

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the
certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version
1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve
parameters was added as an additional strict check. An error in the implementation of this check
meant that the result of a previous check to confirm that certificates in the chain are valid CA
certificates was overwritten. This effectively bypasses the check that non-CA certificates must not
be able to issue other certificates. If a “purpose” has been configured then there is a subsequent
opportunity for checks that the certificate is a valid CA. All of the named “purpose” values
implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain
will still be rejected even when the strict flag has been used. A purpose is set by default in
libssl client and server certificate verification routines, but it can be overridden or removed by
an application. In order to be affected, an application must explicitly set the
X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate
verification or, in the case of TLS client or server applications, override the default purpose.
OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade
to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected
1.1.1h-1.1.1j).

The OpenSSL public API function X509_issuer_and_serial_hash() attempts to
create a unique hash value based on the issuer and serial number data contained within an X509
certificate. However it fails to correctly handle any errors that may occur while parsing the issuer
field (which might occur if the issuer field is maliciously constructed). This may subsequently
result in a NULL pointer deref and a crash leading to a potential denial of service attack. The
function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications
are only vulnerable if they use this function directly and they use it on certificates that may have
been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue.
Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are
affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public
updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should
upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y
(Affected 1.0.2-1.0.2x).

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may
overflow the output length argument in some cases where the input length is close to the maximum
permissable length for an integer on the platform. In such cases the return value from the function
call will be 1 (indicating success), but the output length value will be negative. This could cause
applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this
issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below
are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public
updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should
upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y
(Affected 1.0.2-1.0.2x).

Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and
IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an
application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface
objects, and this attacker can cause many dictionary entries to be created.

NOTE: ipaddress is a backported Python 2 library from Python 3 core and is vulnerable to the issue
described. ActiveState has forked this version and fixed it. Source is available in our public
Github repository.

BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds
write when there are many selectors.