[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-08-19 Thread Łukasz Langa

Łukasz Langa  added the comment:


New changeset 98820250a3c9c131d3c2d57c4fc5260aebd8aa1d by Miss Islington (bot) 
in branch '3.9':
bpo-36384: [doc] Mention CVE-2021-29921 fix in 3.8.12 (GH-27824) (GH-27827)
https://github.com/python/cpython/commit/98820250a3c9c131d3c2d57c4fc5260aebd8aa1d


--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-08-19 Thread miss-islington


miss-islington  added the comment:


New changeset 1204dfc89cb3ed5e21dce32aed0339b7569fe1f9 by Miss Islington (bot) 
in branch '3.10':
bpo-36384: [doc] Mention CVE-2021-29921 fix in 3.8.12 (GH-27824)
https://github.com/python/cpython/commit/1204dfc89cb3ed5e21dce32aed0339b7569fe1f9


--




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-08-19 Thread miss-islington


Change by miss-islington :


--
pull_requests: +26291
pull_request: https://github.com/python/cpython/pull/27826




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-08-19 Thread miss-islington


Change by miss-islington :


--
pull_requests: +26292
pull_request: https://github.com/python/cpython/pull/27827




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-08-19 Thread Łukasz Langa

Łukasz Langa  added the comment:


New changeset 0fd66e46b2f472d0d206a185dc8892f4f0347cb6 by Łukasz Langa in 
branch 'main':
bpo-36384: [doc] Mention CVE-2021-29921 fix in 3.8.12 (GH-27824)
https://github.com/python/cpython/commit/0fd66e46b2f472d0d206a185dc8892f4f0347cb6


--




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-08-19 Thread Łukasz Langa

Łukasz Langa  added the comment:


New changeset 6ebfe8da6331bfcf54057f6e22a6f353a5621d35 by Łukasz Langa in 
branch '3.8':
[3.8] bpo-36384: [doc] Correct typos in CVE-2021-29921 fix description 
(GH-27825)
https://github.com/python/cpython/commit/6ebfe8da6331bfcf54057f6e22a6f353a5621d35


--




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-08-19 Thread Łukasz Langa

Change by Łukasz Langa :


--
pull_requests: +26290
pull_request: https://github.com/python/cpython/pull/27825




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-08-19 Thread Łukasz Langa

Change by Łukasz Langa :


--
pull_requests: +26289
pull_request: https://github.com/python/cpython/pull/27824




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-08-19 Thread Łukasz Langa

Change by Łukasz Langa :


--
versions: +Python 3.10, Python 3.9




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-08-17 Thread Łukasz Langa

Łukasz Langa  added the comment:


New changeset 03dd89d62413c4a92831ed1b36e2ae8983bcb2d4 by achraf-mer in branch 
'3.8':
[3.8] bpo-36384: Leading zeros in IPv4 addresses are no longer tolerated 
(GH-25099) (GH-27801)
https://github.com/python/cpython/commit/03dd89d62413c4a92831ed1b36e2ae8983bcb2d4


--




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-08-17 Thread Christian Heimes


Christian Heimes  added the comment:

The CVE was rated 
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H=3.1,
which is equivalent to an RCE with authentication bypass.

I would rate the issue 
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N=3.1,
 maybe A:L.

--




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-08-17 Thread Christian Heimes


Christian Heimes  added the comment:

"CRITICAL" is a ridiculously high assessment for this bug. Somebody ticked all 
the scary boxes in the CVSS form like "total loss of control".

--




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-08-17 Thread Łukasz Langa

Łukasz Langa  added the comment:

I was unaware of the "CRITICAL" base score assigned by NIST to this. Alright, 
let's port this back then. There are a few things the PR will need.

--




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-08-17 Thread Achraf Merzouki


Achraf Merzouki  added the comment:

>> it prevents using 3.8 because of this open vulnerability

>What do you mean by this?

>Our understanding is that this is a low-severity CVE because in order for this 
>to be a vulnerability, you'd have to have both:

>1. user access to IP address input; and
>2. control over two addresses sharing numerical representation with leading 
>zeroes: the first resolving when leading zeroes are treated as octal numbers; 
>the second resolving when leading zeroes are treated as decimal numbers.

>Access to both then allows you at best to circumvent IP address-based access 
>control or denial of service. However, access to just 1. allows you to input 
>any IP address to achieve the same goals.

>Hence low-severity.

Even though I agree with your assessment on the root cause of the issue itself, 
it is listed as critical in https://nvd.nist.gov/vuln/detail/CVE-2021-29921, 
which means most commercial scan tools will also flag python 3.8 as critical, 
and this could prevent users from going with python 3.8 on production. (our 
case too)

>> it does not seem to be a breaking change

>It is a bona fide breaking change. Any IP address configuration saved in files 
>or databases which might have used leading zeroes would be rejected by 3.8.12. 
>The same was true for 3.9.5 but since this release series has much higher 
>exposure (still receiving binary installers and regular-cadence bugfixes), it 
>was less controversial to include it.


>If you still feel this ought to be fixed in 3.8, please elaborate.

IMHO I still think this should be solved in 3.8, otherwise there is really no 
other alternative but to upgrade to python 3.9 which is a hassle, since all 
3.8.x are "critically vulnerable", had the CVE in 
https://nvd.nist.gov/vuln/detail/CVE-2021-29921 not been marked as critical, 
then we could have used python 3.8 knowing the two conditions you mentioned 
earlier.

--




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-08-17 Thread Łukasz Langa

Łukasz Langa  added the comment:

> it prevents using 3.8 because of this open vulnerability

What do you mean by this?

Our understanding is that this is a low-severity CVE because in order for this 
to be a vulnerability, you'd have to have both:

1. user access to IP address input; and
2. control over two addresses sharing numerical representation with leading 
zeroes: the first resolving when leading zeroes are treated as octal numbers; 
the second resolving when leading zeroes are treated as decimal numbers.

Access to both then allows you at best to circumvent IP address-based access 
control or denial of service. However, access to just 1. allows you to input 
any IP address to achieve the same goals.

Hence low-severity.


> it does not seem to be a breaking change

It is a bona fide breaking change. Any IP address configuration saved in files 
or databases which might have used leading zeroes would be rejected by 3.8.12. 
The same was true for 3.9.5 but since this release series has much higher 
exposure (still receiving binary installers and regular-cadence bugfixes), it 
was less controversial to include it.


If you still feel this ought to be fixed in 3.8, please elaborate.

--

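Łukasz's two conditions, worked through as an added example (my code, not CPython's or anything from this thread): a pure-Python reconstruction of the pre-fix decimal reading, the inet_aton octal reading and the fixed strict reading of one dotted quad, applied to a constructed 10.0.0.0/8 allowlist policy. It assumes four-part addresses only; inet_aton's hex and short forms are left out.

```python
"""Added example for bpo-36384 / CVE-2021-29921; not code from CPython or this thread.
The pre-fix ipaddress module read "010" as decimal 10, while C's inet_aton (and
many other parsers) read it as octal 8.  The strict parser mirrors the fixed
behaviour of 3.9.5+ and 3.8.12+, which rejects leading zeros outright.  Only
four-part dotted quads are handled; the allowlist is a constructed scenario."""
import ipaddress

def octet_decimal(octet: str) -> int:
    """Pre-fix ipaddress behaviour: up to three digits, leading zeros ignored."""
    if not octet.isdigit() or len(octet) > 3:
        raise ValueError(f"bad octet {octet!r}")
    value = int(octet, 10)
    if value > 255:
        raise ValueError(f"octet {octet!r} exceeds 255")
    return value

def octet_inet_aton(octet: str) -> int:
    """inet_aton convention: a leading '0' means octal (hex '0x' left out here)."""
    if not octet.isdigit():
        raise ValueError(f"bad octet {octet!r}")
    base = 8 if len(octet) > 1 and octet[0] == "0" else 10
    value = int(octet, base)  # int() rejects the digits 8 and 9 in base 8
    if value > 255:
        raise ValueError(f"octet {octet!r} exceeds 255")
    return value

def octet_strict(octet: str) -> int:
    """Fixed behaviour: a leading zero is an error; everything else is decimal."""
    if len(octet) > 1 and octet[0] == "0":
        raise ValueError(f"leading zeros are not permitted in {octet!r}")
    return octet_decimal(octet)

def parse_ipv4(address: str, octet_parser) -> ipaddress.IPv4Address:
    """Parse a four-part dotted quad using the chosen per-octet rule."""
    parts = address.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets in {address!r}")
    return ipaddress.IPv4Address(bytes(octet_parser(p) for p in parts))

def interpretations(address: str):
    """(decimal reading, octal reading) when the two parsers disagree, else None."""
    try:
        as_decimal = parse_ipv4(address, octet_decimal)
        as_octal = parse_ipv4(address, octet_inet_aton)
    except ValueError:
        return None  # one side rejects it, so there is no second address to reach
    return None if as_decimal == as_octal else (str(as_decimal), str(as_octal))

ALLOWLIST = ipaddress.ip_network("10.0.0.0/8")  # constructed example policy

def allowed(address: str, octet_parser) -> bool:
    """Allowlist decision; the answer depends on which parser the checker uses."""
    return parse_ipv4(address, octet_parser) in ALLOWLIST

if __name__ == "__main__":
    print(interpretations("010.0.0.1"))           # ('10.0.0.1', '8.0.0.1')
    print(allowed("010.0.0.1", octet_decimal))    # True: pre-fix checker lets it in
    print(allowed("010.0.0.1", octet_inet_aton))  # False: inet_aton-style consumer sees 8.0.0.1
    try:
        allowed("010.0.0.1", octet_strict)        # fixed checker refuses to guess
    except ValueError as exc:
        print("strict parser:", exc)
```

The allowlist case is condition 2 in miniature: one input string, two addresses, and the access decision flips depending on which consumer parses it; the strict parser removes the second reading rather than picking one.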



[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-08-17 Thread Roundup Robot


Change by Roundup Robot :


--
nosy: +python-dev
nosy_count: 17.0 -> 18.0
pull_requests: +26269
pull_request: https://github.com/python/cpython/pull/27801




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-08-17 Thread Achraf Merzouki


Achraf Merzouki  added the comment:

Can we backport the security fix from this issue 
https://bugs.python.org/issue36384#msg392684 to version 3.8?
The comment explicitly says that it was decided to not include in 3.8, I am not 
sure this is best, since it prevents using 3.8 because of this open 
vulnerability, and it does not seem to be a breaking change or too hard to port.

--
components:  -Documentation
nosy: +achraf.merzouki
versions: +Python 3.8 -Python 3.10, Python 3.9




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-05-25 Thread STINNER Victor


STINNER Victor  added the comment:

> I think the only thing I'd improve would be to mention that this issue is the 
> one that introduced the bug, otherwise it looks a bit weird.

Ok, done: 
https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html#timeline

--




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-05-25 Thread George-Cristian Bîrzan

George-Cristian Bîrzan  added the comment:

I think the only thing I'd improve would be to mention that this issue is the 
one that introduced the bug, otherwise it looks a bit weird.

--




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-05-25 Thread STINNER Victor

STINNER Victor  added the comment:

George-Cristian Bîrzan: "The timeline there is wrong."

Fixed: 
https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html#timeline

The strange part is "2019-03-20 (-741 days): Python issue bpo-36384 reported by 
Joel Croteau".

The problem is that this issue was "reused" for two different things: the 
initial change and the vulnerability.

Maybe I can remove the reference to the bpo to remove it from the timeline 
(and put it in links).

--




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-05-25 Thread George-Cristian Bîrzan

George-Cristian Bîrzan  added the comment:

The timeline there is wrong. This issue's creation time isn't the disclosure 
time, it's when the bug was introduced. The disclosure was on 30th of May, when 
I emailed secur...@python.org and Christian Heimes commented here and made 
https://github.com/python/cpython/pull/25099. Even though Serhiy Storchaka 
commented that this could be a security issue back when the issue was new, the 
date would be 30th of March 2019, not 20th.

--




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-05-25 Thread STINNER Victor


STINNER Victor  added the comment:

I created 
https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html 
to track this vulnerability.

Python 3.8 is left unchanged (accept leading zeros). Python 3.7 and older are 
not affected.

--




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-05-25 Thread Pablo Galindo Salgado


Pablo Galindo Salgado  added the comment:

I'm closing this; if someone thinks something is missing, please reopen.

--
nosy: +pablogsal
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-05-21 Thread Ned Deily


Ned Deily  added the comment:

Is there anything more to be done for this issue or can it be closed?

--




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-05-02 Thread Christian Heimes

Christian Heimes  added the comment:

Łukasz, thanks for pushing the PR over the finish line!

--




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-05-02 Thread Łukasz Langa

Łukasz Langa  added the comment:


New changeset 5374fbc31446364bf5f12e5ab88c5493c35eaf04 by Miss Islington (bot) 
in branch '3.9':
bpo-36384: Leading zeros in IPv4 addresses are no longer tolerated (GH-25099) 
(GH-25815)
https://github.com/python/cpython/commit/5374fbc31446364bf5f12e5ab88c5493c35eaf04


--




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-05-02 Thread miss-islington


Change by miss-islington :


--
nosy: +miss-islington
nosy_count: 14.0 -> 15.0
pull_requests: +24501
pull_request: https://github.com/python/cpython/pull/25815




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-05-02 Thread Łukasz Langa

Łukasz Langa  added the comment:


New changeset 60ce8f0be6354ad565393ab449d8de5d713f35bc by Christian Heimes in 
branch 'master':
bpo-36384: Leading zeros in IPv4 addresses are no longer tolerated (GH-25099)
https://github.com/python/cpython/commit/60ce8f0be6354ad565393ab449d8de5d713f35bc


--




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-05-02 Thread Łukasz Langa

Change by Łukasz Langa :


--
versions:  -Python 3.8




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-05-02 Thread Łukasz Langa

Łukasz Langa  added the comment:

Due to the relative obscurity of the bug and potential disruption of the fix, I 
decided not to include it in 3.8.

However, Michał's argument about 3.10 not being released for another five 
months is resonating with me and so we will be backporting the change to 3.9.5, 
to be released tomorrow. Victor's argument about opt-ins being a bad way to fix 
security also makes sense, although let me point out that we've made decisions 
the other way in the past as well, for instance with hash randomization.

In any case, the issue will be solved in Python 3.10.0 Beta 1 and Python 3.9.5. 
Having the fixed behavior "in 3.9.5 and newer" makes for easy mechanical checks 
whether a given version is affected.

--
assignee: docs@python -> 




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-05-01 Thread Michał Górny

Michał Górny  added the comment:

> If it takes years for users to get to 3.10, we should reevaluate our 
> release cycle, not whether we aggressively break maintenance releases.

I don't really understand how that would help.  The problem is that users have 
major inertia for switching to newer Python versions.  A part of it is that a 
lot of people just don't care about deprecation warnings, and don't fix stuff 
until it's actually broken.  In the end, your projects are blocked from using 
new major Python version by broken dependencies with long release cycles.

I can't imagine deliberately leaving 3.8 and 3.9 vulnerable when 3.10 isn't 
going to reach final release in the next half year.  Gentoo stable is only 
switching to 3.9 next month.  I'm pretty sure some of our (few) corporate users 
are still on 3.7 or earlier.  Then, there are projects that literally include a 
vulnerable copy of Python 2.7 to get around distributions removing it.

I dare say this has less breakage potential than the &/; change.  It should be 
fixed on all affected versions.  If you don't do that, distributions will have 
to patch it anyway, and this will only lead to incompatibility between 
different Python package vendors.

--
nosy: +mgorny




[issue36384] [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal

2021-04-30 Thread STINNER Victor


STINNER Victor  added the comment:

The CVE-2021-29921 was assigned to this vulnerability.

--
title: ipaddress Should not reject IPv4 addresses with leading zeroes as 
ambiguously octal -> [security] CVE-2021-29921: ipaddress Should not reject 
IPv4 addresses with leading zeroes as ambiguously octal
