Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

Hello,

python-bottle was affected by CVE-2020-28473, where the package was
vulnerable to Web Cache Poisoning by using a vector called parameter
cloaking.

This has been fixed in Sid, Bullseye, and Stretch (& Jessie).
Here's the debdiff for buster-pu:

8<------8<------8<------8<------8<------8<------8<------8<------8<------8<

diff -Nru python-bottle-0.12.15/debian/changelog
python-bottle-0.12.15/debian/changelog
--- python-bottle-0.12.15/debian/changelog    2019-03-27
05:13:08.000000000 +0530
+++ python-bottle-0.12.15/debian/changelog    2021-01-28
20:22:22.000000000 +0530
@@ -1,3 +1,10 @@
+python-bottle (0.12.15-2+deb10u1) buster; urgency=high
+
+  * Non-maintainer upload by the Security team.
+  * Do not split query strings on `;` anymore. (Fixes: CVE-2020-28473)
+
+ -- Utkarsh Gupta <utka...@debian.org>  Thu, 28 Jan 2021 20:22:22 +0530
+
 python-bottle (0.12.15-2) unstable; urgency=medium

   * Update tox dependency (Closes: #924836)
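Review bot: the changelog entry does not tell buster users that this is a deliberately backwards-incompatible change; the upstream commit message in the accompanying patch says applications relying on `;` as a query separator will break and must monkey-patch `_parse_qsl()`. A second bullet along the lines of "Applications that depend on `;` as a query-string separator must adapt" would save stable users a surprise after the point release. The `+deb10u1` version and `buster` distribution match a stable proposed-update rather than a DSA, so "Non-maintainer upload by the Security team" should be the intended wording for a pu route.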
diff -Nru python-bottle-0.12.15/debian/patches/CVE-2020-28473.patch
python-bottle-0.12.15/debian/patches/CVE-2020-28473.patch
--- python-bottle-0.12.15/debian/patches/CVE-2020-28473.patch
1970-01-01 05:30:00.000000000 +0530
+++ python-bottle-0.12.15/debian/patches/CVE-2020-28473.patch
2021-01-28 20:21:24.000000000 +0530
@@ -0,0 +1,25 @@
+From 57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b Mon Sep 17 00:00:00 2001
+From: Marcel Hellkamp <m...@gsites.de>
+Date: Wed, 11 Nov 2020 19:24:29 +0100
+Subject: [PATCH] Do not split query strings on `;` anymore.
+
+Using `;` as a separator instead of `&` was allowed a long time ago,
+but is now obsolete and actually invalid according to the 2014 W3C
+recommendations. Even if this change is technically backwards-incompatible,
+no real-world application should depend on broken behavior. If you REALLY
+need this functionality, monkey-patch the _parse_qsl() function.
+---
+ bottle.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/bottle.py
++++ b/bottle.py
+@@ -2577,7 +2577,7 @@
+
+ def _parse_qsl(qs):
+     r = []
+-    for pair in qs.replace(';','&').split('&'):
++    for pair in qs.split('&'):
+         if not pair: continue
+         nv = pair.split('=', 1)
+         if len(nv) != 2: nv.append('')
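Review bot: the patch file carries the upstream git `From:`/`Date:`/`Subject:` header, which DEP-3 accepts, but no `Origin:` or `Bug:` field; adding `Origin: upstream, 57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b` (the commit id already in the first line) would make the provenance greppable without reading the body. The hunk header `@@ -2577,7 +2577,7 @@` is upstream's line position, which may not match 0.12.15; confirm that `quilt push` applies without fuzz on the buster source. Since the diff touches only `bottle.py`, any test in the shipped suite that exercised `;` splitting would now fail, so the build-time test run should be checked before upload.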
diff -Nru python-bottle-0.12.15/debian/patches/series
python-bottle-0.12.15/debian/patches/series
--- python-bottle-0.12.15/debian/patches/series    2019-03-27
05:13:08.000000000 +0530
+++ python-bottle-0.12.15/debian/patches/series    2021-01-28
20:21:33.000000000 +0530
@@ -1,2 +1,3 @@
 0001-Remove-bottle.py-from-scripts.patch
 0002-Add-CLI-manpage.patch
+CVE-2020-28473.patch
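Review bot: the two existing entries use a numbered `000N-` prefix while the new one is `CVE-2020-28473.patch`; either rename it to `0003-CVE-2020-28473.patch` for consistency with the series, or keep the bare CVE name if that matches how the Security team named the same patch in the other suites mentioned in the message (Sid, Bullseye, Stretch, Jessie), so the patch name is identical across releases.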

8<------8<------8<------8<------8<------8<------8<------8<------8<------8<

- u
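To make the cache-poisoning angle of the patch concrete, the following is an added example (not part of the Debian upload or of bottle itself) that re-implements the pre- and post-patch `_parse_qsl()` loop from the hunk in simplified form and compares them on a constructed query string; the helper names and the `QUERY` value are assumptions for this illustration. A proxy cache that keys on the raw query and splits only on `&` sees one parameter where the old parser saw two, which is the disagreement an operator wants to rule out.

```python
# Added example (not part of the Debian upload or of bottle): simplified
# re-implementations of bottle's _parse_qsl() before and after the
# CVE-2020-28473 patch, so the two behaviours can be compared on one input.
from urllib.parse import unquote


def parse_qsl_old(qs):
    """Pre-patch behaviour: ';' is treated as a pair separator like '&'."""
    return _split_pairs(qs.replace(';', '&'))


def parse_qsl_fixed(qs):
    """Patched behaviour: only '&' separates pairs; ';' is ordinary data."""
    return _split_pairs(qs)


def _split_pairs(qs):
    # Mirrors the loop shown in the hunk: skip empty pairs, split once on
    # '=', default a missing value to ''. The '+' and percent decoding of
    # key and value follow the rest of the upstream function (assumed here).
    r = []
    for pair in qs.split('&'):
        if not pair:
            continue
        nv = pair.split('=', 1)
        if len(nv) != 2:
            nv.append('')
        key = unquote(nv[0].replace('+', ' '))
        value = unquote(nv[1].replace('+', ' '))
        r.append((key, value))
    return r


# Constructed query string: one parameter whose value contains a ';'.
QUERY = "page=1;utm=x"


def parsers_disagree(qs=QUERY):
    """True when the old and fixed parsers yield different parameters for
    the same query string, i.e. when an intermediary splitting only on '&'
    would see different parameters from an unpatched application."""
    return dict(parse_qsl_old(qs)) != dict(parse_qsl_fixed(qs))
```

Run `parsers_disagree()` against the query strings your deployment actually caches: a `True` result on a pre-patch bottle means the cache key and the application's parameter view diverge, which is the condition the backport removes.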

---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
