urllib FTP protocol stream injection

FTP protocol stream injection via malicious URLs.

• Disclosure date: 2017-02-20 (blog post, mail to oss-security)
• Reported at: 2016-01-15 (email sent to the PSRT list)
• Reported by: Timothy D. Morgan (Blindspot)

Fixed In

• Python 2.7.14 (2017-09-17) fixed by commit e5eae47 (branch 2.7) (2017-07-26)
• Python 3.3.7 (2017-09-19) fixed by commit a4e774f (branch 3.3) (2017-07-26)
• Python 3.4.7 (2017-08-09) fixed by commit 2a5a26c (branch 3.4) (2017-07-27)
• Python 3.5.4 (2017-08-08) fixed by commit 19b2890 (branch 3.5) (2017-07-26)
• Python 3.6.3 (2017-10-03) fixed by commit 8c2d4cf (branch 3.6) (2017-07-26)
• Python 3.7.0 (2018-06-28) fixed by commit 2b1e6e9 (branch 3.7) (2017-07-22)

Python issue

(ftplib) A remote attacker could possibly attack by containing the newline characters.

• Python issue: bpo-30119
• Creation date: 2017-04-20
• Reporter: Dong-hee Na

Timeline

Timeline using the disclosure date 2017-02-20 as reference:

• 2016-01-15 (-402 days): Reported (email sent to the PSRT list)
• 2017-02-20: Disclosure date (blog post, mail to oss-security)
• 2017-04-20 (+59 days): Python issue bpo-30119 reported by Dong-hee Na
• 2017-07-22 (+152 days): commit 2b1e6e9 (branch 3.7)
• 2017-07-26 (+156 days): commit 19b2890 (branch 3.5)
• 2017-07-26 (+156 days): commit 8c2d4cf (branch 3.6)
• 2017-07-26 (+156 days): commit a4e774f (branch 3.3)
• 2017-07-26 (+156 days): commit e5eae47 (branch 2.7)
• 2017-07-27 (+157 days): commit 2a5a26c (branch 3.4)
• 2017-08-08 (+169 days): Python 3.5.4 released
• 2017-08-09 (+170 days): Python 3.4.7 released
• 2017-09-17 (+209 days): Python 2.7.14 released
• 2017-09-19 (+211 days): Python 3.3.7 released
• 2017-10-03 (+225 days): Python 3.6.3 released
• 2018-06-28: Python 3.7.0 released

Links

• http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html
• http://www.openwall.com/lists/oss-security/2017/02/20/1
• https://bugzilla.redhat.com/show_bug.cgi?id=1478916