CVE-2022-0391

Name	CVE-2022-0391
Description	A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3575-1, ELA-950-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
pypy (PTS)	jessie	2.4.0+dfsg-3	vulnerable
	stretch	5.6.0+dfsg-4	vulnerable
	buster	7.0.0+dfsg-3	vulnerable
	bullseye	7.3.3+dfsg-2	vulnerable
pypy3 (PTS)	buster	7.0.0+dfsg-3	vulnerable
	bullseye	7.3.5+dfsg-2+deb11u2	vulnerable
	bullseye (security)	7.3.5+dfsg-2+deb11u3	vulnerable
	bookworm	7.3.11+dfsg-2+deb12u2	fixed
	sid, trixie	7.3.17+dfsg-2	fixed
python2.7 (PTS)	jessie, jessie (lts)	2.7.9-2-ds1-1+deb8u12	fixed
	stretch (security)	2.7.13-2+deb9u6	vulnerable
	stretch (lts), stretch	2.7.13-2+deb9u9	fixed
	buster (security), buster, buster (lts)	2.7.16-2+deb10u4	fixed
	bullseye	2.7.18-8+deb11u1	fixed
python3.4 (PTS)	jessie, jessie (lts)	3.4.2-1+deb8u18	vulnerable
python3.5 (PTS)	stretch (security)	3.5.3-1+deb9u5	vulnerable
	stretch (lts), stretch	3.5.3-1+deb9u10	vulnerable
python3.7 (PTS)	buster, buster (lts)	3.7.3-2+deb10u8	vulnerable
	buster (security)	3.7.3-2+deb10u7	vulnerable
python3.9 (PTS)	bullseye	3.9.2-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin
pypy	source	jessie	(unfixed)	end-of-life
pypy	source	(unstable)	(unfixed)
pypy3	source	(unstable)	7.3.6+dfsg-1
python2.7	source	jessie	2.7.9-2-ds1-1+deb8u11		ELA-950-1
python2.7	source	stretch	2.7.13-2+deb9u8		ELA-950-1
python2.7	source	buster	2.7.16-2+deb10u3		DLA-3575-1
python2.7	source	bullseye	2.7.18-8+deb11u1
python2.7	source	(unstable)	(unfixed)
python3.4	source	(unstable)	(unfixed)
python3.5	source	(unstable)	(unfixed)
python3.7	source	(unstable)	(unfixed)
python3.9	source	(unstable)	3.9.7-1

Notes

[bullseye] - python3.9 <no-dsa> (Minor issue)
[buster] - python3.7 <ignored> (Minor issue, different approach to sanitization; regressions reports)
[bullseye] - pypy3 <no-dsa> (Minor issue)
[buster] - pypy3 <no-dsa> (Minor issue)
https://bugs.python.org/issue43882
Regressions reported for django, boto-core and cloud-init
Fixed by: https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4 (v3.10.0b1)
Followup for 3.10.x: https://github.com/python/cpython/commit/24f1d1a8a2c4aa58a606b4b6d5fa4305a3b91705 (v3.10.0b2)
Fixed by: https://github.com/python/cpython/commit/491fde0161d5e527eeff8586dd3972d7d3a631a7 (v3.9.5)
Followup for 3.9.x: https://github.com/python/cpython/commit/8a595744e696a0fb92dccc5d4e45da41571270a1 (v3.9.6)
Fixed by: https://github.com/python/cpython/commit/515a7bc4e13645d0945b46a8e1d9102b918cd407 (v3.8.11)
Fixed by: https://github.com/python/cpython/commit/f4dac7ec55477a6c5d965e594e74bd6bda786903 (v3.7.11)
Fixed by: https://github.com/python/cpython/commit/6c472d3a1d334d4eeb4a25eba7bf3b01611bf667 (v3.6.14)
[jessie] - python3.4 <ignored> (Risk of regressions, and patch doesn't fix the issue completely due to original url still containing 'unsafe' characters)
[stretch] - python3.5 <ignored> (Minor issue, different approach to sanitization; regressions reports)