HTML page of Python security vulnerabilities
Hi,

I wrote a tool to generate an HTML report on Python security vulnerabilities. It takes the following YAML file as input: https://github.com/haypo/python-security/blob/master/vulnerabilities.yml

And Python release dates, a file written manually from Misc/NEWS: https://github.com/haypo/python-security/blob/master/python_releases.txt

The output is the HTML page: http://python-security.readthedocs.io/en/latest/vulnerabilities.html

For each vulnerability, you have a description and a list of links. From a list of commits, the tool computes the fixed Python versions and the number of days Python was vulnerable.

Can you please check the data of my two input files? What do you think of the page? Is it useful?

TODO:
* fix render_doc.py to support multiple lines in the table
* add title to links
* find the YAML syntax for "Issue #26657" :-) Currently, #xxx is ignored since it's seen as a comment
* maybe document in the YAML file how the Disclosure date was chosen

Maybe I should add a "vulnerable" column to list the Python versions which are vulnerable.

If you consider the data useful and the data are double checked, the next step will be to announce it.

Later, I plan to slowly fill vulnerabilities.yml with recent vulnerabilities, and then with older vulnerabilities.

FYI a few months ago, I generated the page manually, but I quickly realized that it's painful to compute all the data and also to maintain such a list manually. My old page: http://haypo-notes.readthedocs.io/python_security.html

Victor
I would find it useful at work. My colleagues seem to like the idea of searching the CVE database for "python" and then blaming them all on the language when 99% are in applications. Having a more accurate page to point them to would be good.

I'm sure others would find value in being able to easily minimize upgrades or identify patches, but that doesn't really bother me.

But please, automate it as much as you possibly can :) . The last thing I want is for you or anyone else to have to update it manually, not least because that guarantees it'll become outdated.

Cheers,
Steve

Top-posted from my Windows Phone

-----Original Message-----
From: "Victor Stinner" <victor.stinner@gmail.com>
Sent: 2/17/2017 16:28
To: "os.urandom rehab clinic" <security-sig@python.org>
Subject: [Security-sig] HTML page of Python security vulnerabilities
2008-Present http://www.cvedetails.com/product/18230/Python-Python.html?vendor_id=10210

There's a download link, but AFAICT not an API

On Friday, February 17, 2017, Victor Stinner <victor.stinner@gmail.com> wrote:
Hi,

I fixed all FIXME and "completed" the list: http://python-security.readthedocs.io/en/latest/vulnerabilities.html

IMHO the main missing information is the severity, but sadly I'm not aware of any methodology in Python to choose a severity. Maybe we could use the CVE severity when available?

Currently, the worst score is 881 days to fix a vulnerability. Many "unlimited read" vulnerabilities got a bad score like that.

CVE-2013-1752 (smtplib)
Issue #16041: poplib: unlimited readline() from connection.
Issue #16043: Add a default limit for the amount of data xmlrpclib.gzip_decode will return.
Fixed In:
* 2.7.9 (806 days): 2014-12-10, commit faad6bb (2014-12-06, 802 days)
* 3.2.6 (746 days): 2014-10-11, commit eaca861 (2014-09-30, 735 days)
* 3.4.3 (881 days): 2015-02-23, commit eaca861 (2014-09-30, 735 days)

Victor
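A worked computation of the "days vulnerable" figures quoted in the message above, as an added example; this is not the render_doc.py code from the python-security repository. It uses the three fixing release dates and the two commit dates quoted there. The disclosure date 2012-09-25 is an assumption derived from those figures (806 days before the 2.7.9 release), the 2.7.8 release date is assumed and included only so that a release made before the fix commit is seen being skipped, and the hand-written mapping of each commit to the branches it landed on is a simplification of what the tool reads from git.

```python
"""Days-vulnerable computation in the style of the report discussed in
this thread.  Added example, not the project's render_doc.py: it reproduces
the CVE-2013-1752 figures quoted in the message above from the dates
quoted there."""
from datetime import date

# Release dates.  The three fixing releases are the ones quoted in the
# thread; 2.7.8 is added (date assumed, illustration only) so that a
# release made before the fix commit is seen being skipped and reported
# as vulnerable, the "vulnerable" column proposed earlier in the thread.
RELEASES = {
    "2.7.8": date(2014, 7, 2),      # assumed date
    "2.7.9": date(2014, 12, 10),
    "3.2.6": date(2014, 10, 11),
    "3.4.3": date(2015, 2, 23),
}

# One entry, shaped like a vulnerabilities.yml record after loading.
# 'branches' is an assumption: the real tool derives the branch of a
# commit from git; here it is written down by hand.
CVE_2013_1752 = {
    "name": "CVE-2013-1752",
    # Assumption: derived as 806 days before the 2.7.9 release date.
    "disclosure": date(2012, 9, 25),
    "fixed-in": [
        {"commit": "faad6bb", "date": date(2014, 12, 6), "branches": ["2.7"]},
        {"commit": "eaca861", "date": date(2014, 9, 30), "branches": ["3.2", "3.4"]},
    ],
}


def version_key(version):
    """Sort key so that 2.7.10 sorts after 2.7.9 (string order would not)."""
    return tuple(int(part) for part in version.split("."))


def branch_of(version):
    """'2.7.9' -> '2.7'."""
    return ".".join(version.split(".")[:2])


def fix_report(vuln, releases=RELEASES):
    """Return {branch: {commit, commit_days, release, release_days, vulnerable}}.

    For every branch a fix commit landed on, the fixed release is the first
    release of that branch dated on or after the commit; both day counts are
    measured from the disclosure date.  Releases of the branch dated before
    the fixed release are reported as vulnerable.
    """
    disclosure = vuln["disclosure"]
    report = {}
    for fix in vuln["fixed-in"]:
        if fix["date"] < disclosure:
            # A fix older than the disclosure means one of the dates in the
            # YAML is wrong; refuse rather than print a negative score.
            raise ValueError(f"{vuln['name']}: commit {fix['commit']} predates disclosure")
        for branch in fix["branches"]:
            on_branch = sorted((v for v in releases if branch_of(v) == branch), key=version_key)
            fixed = [v for v in on_branch if releases[v] >= fix["date"]]
            entry = {
                "commit": fix["commit"],
                "commit_days": (fix["date"] - disclosure).days,
                "release": None,
                "release_days": None,
                # No fixed release yet: every release of the branch is vulnerable.
                "vulnerable": on_branch,
            }
            if fixed:
                release = fixed[0]
                entry["release"] = release
                entry["release_days"] = (releases[release] - disclosure).days
                entry["vulnerable"] = [v for v in on_branch if releases[v] < releases[release]]
            report[branch] = entry
    return report


def worst_days(report):
    """The 'score' of the message above: the slowest branch, in days to release."""
    return max(e["release_days"] for e in report.values() if e["release_days"] is not None)


if __name__ == "__main__":
    report = fix_report(CVE_2013_1752)
    for branch, e in sorted(report.items()):
        print(f"{branch}: fixed in {e['release']} ({e['release_days']} days), "
              f"commit {e['commit']} ({e['commit_days']} days), "
              f"vulnerable releases: {e['vulnerable'] or 'none'}")
    print("worst:", worst_days(report), "days")
```

Running the block prints the same 806/802, 746/735 and 881/735 pairs as the report, with 2.7.8 listed as the one vulnerable release on the 2.7 branch. The check that no commit predates the disclosure date is the kind of consistency test worth applying to the whole YAML file before rendering, since a wrong date silently produces a wrong score.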
Ok, I completed my list and got almost all of the 30 known CVEs. Right now, my list has 40 vulnerabilities.

Remaining issues: cookielib and rgbimg/imageop.

cookielib:
https://hackerone.com/reports/26647
https://bugs.python.org/issue25228
http://bugs.python.org/issue22796

rgbimg, imageop: CVE-2009-4134, CVE-2010-3493, CVE-2010-1449

  - name: "CVE-2010-1450"
    summary: >
      rgbimg and imageop buffer overflows
    links:
      - http://bugs.python.org/issue8678
      - https://bugzilla.redhat.com/show_bug.cgi?id=541698
    disclosure: "2009-11-26 (Red Hat bz#541698 reported)"
    cvss-score: "7.5"
    # imageop module was removed in Python 3
    ignore-python3: true
    fixed-in:
      - 93ebfb154456daa841aa223bd296422787b3074c  # 2.6
    description: >
      Multiple buffer overflows in the RLE decoder in the rgbimg module in
      Python 2.5 allow remote attackers to have an unspecified impact via an
      image file containing crafted data that triggers improper processing
      within the (1) longimagedata or (2) expandrow function.
      Reported by Marc Schoenefeld.

Victor
I completed my list: the 30 CVEs are now listed on my page! Well, except for two special cases:

* CVE-2016-1494: vulnerability in the 3rd party module "python-rsa"
* CVE-2015-5652: sys.path on Windows -- not fixed

See also my notes on sys.path: http://python-security.readthedocs.io/#misc

The last major vulnerability not documented yet is cookielib, which has a long story. I don't know yet how to summarize it as individual "vulnerabilities".

https://hackerone.com/reports/26647
https://bugs.python.org/issue16611 #16611: BaseCookie now parses 'secure' and 'httponly' flags.
https://bugs.python.org/issue22796 Regression in Python 3.2 cookie parsing
https://bugs.python.org/issue25228 Support for httponly/secure cookies reintroduced lax parsing behavior
https://code.djangoproject.com/ticket/26158 cookie parsing fails with python 3.x if request contains unnamed cookie

Victor
Hi,

Minor update on http://python-security.readthedocs.io/vulnerabilities.html : I enhanced the render_doc.py script to download the issue title, author and date from bugs.python.org. It allows removing more lines from vulnerabilities.yaml, so each YAML entry is now shorter and human mistakes are less likely!

Note: Sadly, it seems like the Roundup XML-RPC API requires passing a user + password in the URL to get the author of the first message of an issue, whereas this information is public if you look at the HTML page.

Victor

2017-02-22 1:11 GMT+01:00 Victor Stinner <victor.stinner@gmail.com>:
participants (3)
- Steve Dower
- Victor Stinner
- Wes Turner