Re: [Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)

2017-06-20 Thread Victor Stinner
Thank you. Now you can admire the beautiful timeline :-)
http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_injection.html#timeline

Timeline using the disclosure date 2017-02-20 as reference:

2016-01-15 (-402 days): Reported (email sent to the PSRT list)
2017-02-20: Disclosure date (blog post, mail to oss-security)
2017-02-20 (+0 days): Python issue #29606 reported by ecbftw

2017-06-21 1:06 GMT+02:00 Guido van Rossum <gu...@python.org>:
> I think that the first email about this was received from Timothy D. Morgan
> on 1/15/16. You should be able to get confirmation of this from Christian
> Heimes. I think that was a dark year for the PSRT.
>
> On Tue, Jun 20, 2017 at 3:35 PM, Victor Stinner <victor.stin...@gmail.com>
> wrote:
>>
>> Hi,
>>
>> Re: "[Python-Dev] Python FTP Injections Allow for Firewall Bypass
>> (oss-security advisory)"
>>
>> 2017-02-24 5:36 GMT+01:00 Steven D'Aprano <st...@pearwood.info>:
>> > I am not qualified to judge the merits of this, but it does seem
>> > worrying that (allegedly) the Python security team hasn't responded for
>> > over 12 months.
>> >
>> > Is anyone able to comment?
>>
>> I don't have the archives of the PSRT mailing list and I'm not sure
>> that I was subscribed when "the" email was sent. Does someone have the
>> date of this email? It's to complete the new entry in my doc:
>>
>> http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_injection.html#urllib-ftp-protocol-stream-injection
>>
>> I don't want to blame anyone, I just want to collect data to help us
>> to enhance our process to handle security vulnerabilities.
>>
>> FYI I tried to take care of a few security vulnerabilities recently,
>> and as expected, each issue is more tricky than expected :-)
>>
>> While fixing http://bugs.python.org/issue30500 I noticed that urllib
>> accepts newline characters in URLs. I don't know if it's deliberate or
>> not... So I created a new issue http://bugs.python.org/issue30713
>>
>> I updated expat from 2.1.1 to 2.2.0, but now the compilation fails in
>> 2.7 on Windows with Visual Studio 2008. And just when I was done,
>> expat 2.2.1 was released. I have to do the same job again :-)
>>
>> Victor
>> ___
>> Python-Dev mailing list
>> Python-Dev@python.org
>> https://mail.python.org/mailman/listinfo/python-dev
>> Unsubscribe:
>> https://mail.python.org/mailman/options/python-dev/guido%40python.org
>
>
>
>
> --
> --Guido van Rossum (python.org/~guido)


Re: [Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)

2017-06-20 Thread Guido van Rossum
I think that the first email about this was received from Timothy D. Morgan
on 1/15/16. You should be able to get confirmation of this from Christian
Heimes. I think that was a dark year for the PSRT.

On Tue, Jun 20, 2017 at 3:35 PM, Victor Stinner <victor.stin...@gmail.com>
wrote:

> Hi,
>
> Re: "[Python-Dev] Python FTP Injections Allow for Firewall Bypass
> (oss-security advisory)"
>
> 2017-02-24 5:36 GMT+01:00 Steven D'Aprano <st...@pearwood.info>:
> > I am not qualified to judge the merits of this, but it does seem
> > worrying that (allegedly) the Python security team hasn't responded for
> > over 12 months.
> >
> > Is anyone able to comment?
>
> I don't have the archives of the PSRT mailing list and I'm not sure
> that I was subscribed when "the" email was sent. Does someone have the
> date of this email? It's to complete the new entry in my doc:
> http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_injection.html#urllib-ftp-protocol-stream-injection
>
> I don't want to blame anyone, I just want to collect data to help us
> to enhance our process to handle security vulnerabilities.
>
> FYI I tried to take care of a few security vulnerabilities recently,
> and as expected, each issue is more tricky than expected :-)
>
> While fixing http://bugs.python.org/issue30500 I noticed that urllib
> accepts newline characters in URLs. I don't know if it's deliberate or
> not... So I created a new issue http://bugs.python.org/issue30713
>
> I updated expat from 2.1.1 to 2.2.0, but now the compilation fails in
> 2.7 on Windows with Visual Studio 2008. And just when I was done,
> expat 2.2.1 was released. I have to do the same job again :-)
>
> Victor
>



-- 
--Guido van Rossum (python.org/~guido)


Re: [Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)

2017-06-20 Thread Victor Stinner
Hi,

Re: "[Python-Dev] Python FTP Injections Allow for Firewall Bypass
(oss-security advisory)"

2017-02-24 5:36 GMT+01:00 Steven D'Aprano <st...@pearwood.info>:
> I am not qualified to judge the merits of this, but it does seem
> worrying that (allegedly) the Python security team hasn't responded for
> over 12 months.
>
> Is anyone able to comment?

I don't have the archives of the PSRT mailing list and I'm not sure
that I was subscribed when "the" email was sent. Does someone have the
date of this email? It's to complete the new entry in my doc:
http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_injection.html#urllib-ftp-protocol-stream-injection

I don't want to blame anyone, I just want to collect data to help us
to enhance our process to handle security vulnerabilities.

FYI I tried to take care of a few security vulnerabilities recently,
and as expected, each issue is more tricky than expected :-)

While fixing http://bugs.python.org/issue30500 I noticed that urllib
accepts newline characters in URLs. I don't know if it's deliberate or
not... So I created a new issue http://bugs.python.org/issue30713

I updated expat from 2.1.1 to 2.2.0, but now the compilation fails in
2.7 on Windows with Visual Studio 2008. And just when I was done,
expat 2.2.1 was released. I have to do the same job again :-)

Victor


Re: [Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)

2017-02-24 Thread Christian Heimes
On 2017-02-24 11:01, Antoine Pitrou wrote:
> On Thu, 23 Feb 2017 23:51:45 -0800
> Benjamin Peterson  wrote:
>>
>> Like all CPython developers, the Python security team are all
>> volunteers. That combined with the fact that dealing with security
>> issues is one of the least fun programming tasks means issues are
>> sometimes dropped.
>>
>> Perhaps some organization with a stake in Python security would like to
>> financially support Python security team members.
>>
>> As for this particular issue, we should determine if there's a tracker
>> issue yet and continue discussion there.
> 
> Just for the record, I find the mailing-list scheme used by PSRT quite
> difficult to deal with.  For many people it's easy to lose track of
> e-mails received more than one week ago, so the necessary followup to
> security issues received by e-mail suffers.
> 
> It's a bit sad that regular issues benefit from a full-fledged
> Roundup instance to allow for easy tracking of open issues (including
> comments and proposed fixes), but security issues are restricted to such
> a primitive communication setup which makes it so difficult to get work
> done.
> 
> AFAIK, other projects have full-fledged private bug trackers for their
> security issues (or access-restricted sections in the main bug tracker,
> where the software supports it).

Amen!

Antoine's and Benjamin's replies are the gist of my security talk at the
last language summit, https://lwn.net/Articles/691308/ . A dedicated bug
tracker or embargoed tickets would help the most. It would also make it
much easier to track and measure our response time.

A paid position would also help with the organizational overhead.
Personally, I'm good at finding and fixing security issues. The actual
communication, reporting and press releases are not my strength.

Victor's incredible work on
http://python-security.readthedocs.io/vulnerabilities.html is going to
help, too.

Christian


Re: [Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)

2017-02-24 Thread tritium-list
Ask the infrastructure team for a tracker instance.  That would probably be
a more fruitful outlet than the thread of this one issue.  (I'm not
trying to be flippant, I think a private issue tracker for vulnerabilities
is a really good idea, I just don't think that bemoaning the lack of one in
a thread about an FTP issue is likely to get much done.)

> -Original Message-
> From: Python-Dev [mailto:python-dev-bounces+tritium-
> list=sdamon@python.org] On Behalf Of Antoine Pitrou
> Sent: Friday, February 24, 2017 5:02 AM
> To: python-dev@python.org
> Subject: Re: [Python-Dev] Python FTP Injections Allow for Firewall Bypass
> (oss-security advisory)
> 
> On Thu, 23 Feb 2017 23:51:45 -0800
> Benjamin Peterson <benja...@python.org> wrote:
> >
> > Like all CPython developers, the Python security team are all
> > volunteers. That combined with the fact that dealing with security
> > issues is one of the least fun programming tasks means issues are
> > sometimes dropped.
> >
> > Perhaps some organization with a stake in Python security would like to
> > financially support Python security team members.
> >
> > As for this particular issue, we should determine if there's a tracker
> > issue yet and continue discussion there.
> 
> Just for the record, I find the mailing-list scheme used by PSRT quite
> difficult to deal with.  For many people it's easy to lose track of
> e-mails received more than one week ago, so the necessary followup to
> security issues received by e-mail suffers.
> 
> It's a bit sad that regular issues benefit from a full-fledged
> Roundup instance to allow for easy tracking of open issues (including
> comments and proposed fixes), but security issues are restricted to such
> a primitive communication setup which makes it so difficult to get work
> done.
> 
> AFAIK, other projects have full-fledged private bug trackers for their
> security issues (or access-restricted sections in the main bug tracker,
> where the software supports it).
> 
> Regards
> 
> Antoine.
> 
> 



Re: [Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)

2017-02-24 Thread Antoine Pitrou
On Thu, 23 Feb 2017 23:51:45 -0800
Benjamin Peterson  wrote:
> 
> Like all CPython developers, the Python security team are all
> volunteers. That combined with the fact that dealing with security
> issues is one of the least fun programming tasks means issues are
> sometimes dropped.
> 
> Perhaps some organization with a stake in Python security would like to
> financially support Python security team members.
> 
> As for this particular issue, we should determine if there's a tracker
> issue yet and continue discussion there.

Just for the record, I find the mailing-list scheme used by PSRT quite
difficult to deal with.  For many people it's easy to lose track of
e-mails received more than one week ago, so the necessary followup to
security issues received by e-mail suffers.

It's a bit sad that regular issues benefit from a full-fledged
Roundup instance to allow for easy tracking of open issues (including
comments and proposed fixes), but security issues are restricted to such
a primitive communication setup which makes it so difficult to get work
done.

AFAIK, other projects have full-fledged private bug trackers for their
security issues (or access-restricted sections in the main bug tracker,
where the software supports it).

Regards

Antoine.




Re: [Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)

2017-02-24 Thread Martin Panter
On 24 February 2017 at 07:51, Benjamin Peterson  wrote:
> As for this, particular issue, we should determine if there's a tracker
> issue yet and continue discussion there.

That would be .


Re: [Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)

2017-02-23 Thread Benjamin Peterson


On Thu, Feb 23, 2017, at 20:36, Steven D'Aprano wrote:
> I haven't seen any response to the following alleged security 
> vulnerability.
> 
> I am not qualified to judge the merits of this, but it does seem 
> worrying that (allegedly) the Python security team hasn't responded for 
> over 12 months.

Like all CPython developers, the Python security team are all
volunteers. That combined with the fact that dealing with security
issues is one of the least fun programming tasks means issues are
sometimes dropped.

Perhaps some organization with a stake in Python security would like to
financially support Python security team members.

As for this particular issue, we should determine if there's a tracker
issue yet and continue discussion there.


Re: [Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)

2017-02-23 Thread Steven D'Aprano
I haven't seen any response to the following alleged security 
vulnerability.

I am not qualified to judge the merits of this, but it does seem 
worrying that (allegedly) the Python security team hasn't responded for 
over 12 months.

Is anyone able to comment?


Thanks,


Steve


On Mon, Feb 20, 2017 at 09:01:21PM +, nos...@curso.re wrote:
> Hello,
> 
> I have just noticed that an FTP injection advisory has been made public
> on the oss-security list.
> 
> The author says that an exploit exists but it won't be published
> until the code is patched.
> 
> You may be already aware, but it would be good to understand what is the
> position of the core developers about this.
> 
> The advisory is linked below (with some excerpts in this message):
> 
> http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html
> 
>    Protocol injection flaws like this have been an area of research of mine
>    for the past few years and as it turns out, this FTP protocol injection
>    allows one to fool a victim's firewall into allowing TCP connections from
>    the Internet to the vulnerable host's system on any "high" port
>    (1024-65535). A nearly identical vulnerability exists in Python's urllib2
>    and urllib libraries. In the case of Java, this attack can be carried out
>    against desktop users even if those desktop users do not have the Java
>    browser plugin enabled.
>    As of 2017-02-20, the vulnerabilities discussed here have not been patched
>    by the associated vendors, despite advance warning and ample time to do so.
>    [...]
>    Python's built-in URL fetching library (urllib2 in Python 2 and urllib in
>    Python 3) is vulnerable to a nearly identical protocol stream injection,
>    but this injection appears to be limited to attacks via directory names
>    specified in the URL.
>    [...]
>    The Python security team was notified in January 2016. Information
>    provided included an outline of the possibility of FTP/firewall attacks.
>    Despite repeated follow-ups, there has been no apparent action on their
>    part.
> 
> Best regards,
> 
> -- Stefano
> 
> P.S.
> I am posting from gmane, I hope that this is OK.
> 
> 


[Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)

2017-02-20 Thread nospam
Hello,

I have just noticed that an FTP injection advisory has been made public
on the oss-security list.

The author says that an exploit exists but it won't be published
until the code is patched.

You may be already aware, but it would be good to understand what is the
position of the core developers about this.

The advisory is linked below (with some excerpts in this message):

http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html

   Protocol injection flaws like this have been an area of research of mine
   for the past few years and as it turns out, this FTP protocol injection
   allows one to fool a victim's firewall into allowing TCP connections from
   the Internet to the vulnerable host's system on any "high" port
   (1024-65535). A nearly identical vulnerability exists in Python's urllib2
   and urllib libraries. In the case of Java, this attack can be carried out
   against desktop users even if those desktop users do not have the Java
   browser plugin enabled.
   As of 2017-02-20, the vulnerabilities discussed here have not been patched
   by the associated vendors, despite advance warning and ample time to do so.
   [...]
   Python's built-in URL fetching library (urllib2 in Python 2 and urllib in
   Python 3) is vulnerable to a nearly identical protocol stream injection,
   but this injection appears to be limited to attacks via directory names
   specified in the URL.
   [...]
   The Python security team was notified in January 2016. Information
   provided included an outline of the possibility of FTP/firewall attacks.
   Despite repeated follow-ups, there has been no apparent action on their
   part.

Best regards,

-- Stefano

P.S.
I am posting from gmane, I hope that this is OK.

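The injection the advisory excerpt describes (FTP commands smuggled through a directory name in the URL) and the newline-in-URL behaviour Victor raises for issue30713 come down to the same defect: a CR LF inside a command argument ends the command line early, and the server parses whatever follows as fresh commands. The Python model below is added here as an illustration; it is not code from the thread, from the advisory, or from CPython's urllib or ftplib. It reproduces the mapping of an ftp:// URL onto a command sequence in simplified form (assumption: percent-decode each path segment, one CWD per directory, then RETR or LIST, which is the shape the excerpt describes), shows the stream as the server would split it, and puts a hardened variant that refuses CR/LF beside it. The host, the anonymous credentials and the PORT argument (TEST-NET address 192.0.2.10, port 4*256+0 = 1024) are constructed for the demo.

```python
"""Model of FTP protocol stream injection through an ftp:// URL path.

Added example: a simplified re-implementation of how a URL fetcher turns
ftp://host/dir1/dir2/file into an FTP command sequence (one CWD per
directory, then RETR or LIST). It is not urllib's own code; the
credentials, host and PORT argument below are constructed for the demo.
"""
from __future__ import annotations

from urllib.parse import unquote, urlsplit

CRLF = "\r\n"

# Constructed sample URLs. 192.0.2.10 is a documentation address; the
# PORT argument 192,0,2,10,4,0 names port 4*256+0 = 1024, a "high" port
# of the kind the advisory describes.
BENIGN_URL = "ftp://ftp.example.test/pub/docs/readme.txt"
INJECTED_URL = (
    "ftp://ftp.example.test/"
    "pub%0d%0aPORT%20192,0,2,10,4,0"  # directory name carrying CR LF + PORT
    "/readme.txt"
)


def check_argument(arg: str) -> str:
    """Hardened-client check: refuse any argument that would end the
    command line early and let the remainder be parsed as new commands."""
    if "\r" in arg or "\n" in arg:
        raise ValueError(f"CR/LF in FTP command argument: {arg!r}")
    return arg


def url_to_ftp_commands(url: str, hardened: bool = False) -> list[str]:
    """Return the FTP command lines a naive fetcher would issue for `url`.

    Path segments are percent-decoded (so %0d%0a becomes CR LF), every
    directory becomes a CWD, the last component a RETR (or LIST when the
    path ends in '/'). With hardened=True each argument goes through
    check_argument() before it is placed in a command.
    """
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise ValueError("only ftp:// URLs are modelled here")
    segments = [unquote(s) for s in parts.path.split("/")]
    if segments and segments[0] == "":
        segments = segments[1:]  # path starts with '/', drop the empty head
    dirs, filename = (segments[:-1], segments[-1]) if segments else ([], "")
    guard = check_argument if hardened else (lambda a: a)
    commands = ["USER anonymous", "PASS anonymous@"]
    commands += [f"CWD {guard(d)}" for d in dirs]
    commands.append(f"RETR {guard(filename)}" if filename else "LIST")
    return commands


def wire_stream(commands: list[str]) -> str:
    """Serialise the commands as they travel on the control connection."""
    return "".join(c + CRLF for c in commands)


def server_view(stream: str) -> list[str]:
    """Parse the stream the way an FTP server does: one command per CRLF.
    This is where an embedded CR LF splits one intended command into two."""
    return [line for line in stream.split(CRLF) if line]


def smuggled_commands(url: str) -> list[str]:
    """Commands the server would execute that the client never meant to send."""
    intended = url_to_ftp_commands(url)
    seen = server_view(wire_stream(intended))
    return [c for c in seen if c not in intended]


if __name__ == "__main__":
    for url in (BENIGN_URL, INJECTED_URL):
        print(url)
        print("  server sees:", server_view(wire_stream(url_to_ftp_commands(url))))
        print("  smuggled   :", smuggled_commands(url))
    try:
        url_to_ftp_commands(INJECTED_URL, hardened=True)
    except ValueError as exc:
        print("hardened client refused:", exc)
```

Run the file directly to print both views. For the injected URL the server sees a separate `PORT 192,0,2,10,4,0` line that the client never composed; that announced address and port is what a stateful firewall's FTP helper acts on when it opens the inbound data connection the advisory describes. The check in `check_argument` is the control a client needs before any attacker-influenced text reaches the control connection: validating after `unquote`, since the dangerous bytes only appear once the percent-encoding is removed.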