urllib FTP protocol stream injection

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

FTP protocol stream injection via malicious URLs.

Dates:

• Disclosure date: 2017-02-20 (blog post, mail to oss-security)
• Reported at: 2016-01-15 (email sent to the PSRT list)
• Reported by: Timothy D. Morgan (Blindspot)

Fixed In

• Python 2.7.14 (2017-09-16) fixed by commit e5eae47 (branch 2.7) (2017-07-26)
• Python 3.3.7 (2017-09-19) fixed by commit a4e774f (branch 3.3) (2017-07-26)
• Python 3.4.7 (2017-08-09) fixed by commit 2a5a26c (branch 3.4) (2017-07-27)
• Python 3.5.4 (2017-08-07) fixed by commit 19b2890 (branch 3.5) (2017-07-26)
• Python 3.6.3 (2017-10-03) fixed by commit 8c2d4cf (branch 3.6) (2017-07-26)
• Python 3.7.0 (2018-06-27) fixed by commit 2b1e6e9 (branch 3.7) (2017-07-22)

Python issue

(ftplib) A remote attacker could possibly attack by containing the newline characters.

• Python issue: bpo-30119
• Creation date: 2017-04-20
• Reporter: Dong-hee Na

Timeline

Timeline using the disclosure date 2017-02-20 as reference:

• 2016-01-15 (-402 days): Reported (email sent to the PSRT list)
• 2017-02-20: Disclosure date (blog post, mail to oss-security)
• 2017-04-20 (+59 days): Python issue bpo-30119 reported by Dong-hee Na
• 2017-07-22 (+152 days): commit 2b1e6e9 (branch 3.7)
• 2017-07-26 (+156 days): commit 19b2890 (branch 3.5)
• 2017-07-26 (+156 days): commit 8c2d4cf (branch 3.6)
• 2017-07-26 (+156 days): commit a4e774f (branch 3.3)
• 2017-07-26 (+156 days): commit e5eae47 (branch 2.7)
• 2017-07-27 (+157 days): commit 2a5a26c (branch 3.4)
• 2017-08-07 (+168 days): Python 3.5.4 released
• 2017-08-09 (+170 days): Python 3.4.7 released
• 2017-09-16 (+208 days): Python 2.7.14 released
• 2017-09-19 (+211 days): Python 3.3.7 released
• 2017-10-03 (+225 days): Python 3.6.3 released
• 2018-06-27: Python 3.7.0 released

Links

• http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html
• http://www.openwall.com/lists/oss-security/2017/02/20/1
• https://bugzilla.redhat.com/show_bug.cgi?id=1478916