SB2019050638 - Exposed dangerous method or function in python2-tkinter (Alpine package)

Description

This security bulletin contains information about 1 vulnerability.

1) Exposed dangerous method or function (CVE-ID: CVE-2019-9948)

CWE-ID: CWE-749 - Exposed Dangerous Method or Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to urllib implementation in Python 2.x supports the local_file: scheme. An attacker with ability to control input data, such as URL, can bypass protection mechanisms that blacklist file: URIs and view contents of arbitrary file on the system.

PoC:

urllib.urlopen('local_file:///etc/passwd')

Remediation

Install update from vendor's website.

References

• https://git.alpinelinux.org/aports/commit/?id=fa23adfbfb1cbac13db3251e811e4e0773e8b6b8
• https://git.alpinelinux.org/aports/commit/?id=5372bc29f308df62681eb2d705259cd5cc9b5448
• https://git.alpinelinux.org/aports/commit/?id=c01f27f5016fb801d36ffea67177a9f2f6b6f784
• https://git.alpinelinux.org/aports/commit/?id=881a54816216d011d1d27286df2693851c86caef
• https://git.alpinelinux.org/aports/commit/?id=40a4951871b0a2e718de6a07e0772730fc280d06
• https://git.alpinelinux.org/aports/commit/?id=e9bd8a37793b2737c60e8aabb4e30540de6420cc
• https://git.alpinelinux.org/aports/commit/?id=9c34a237cf52d34f870ec322b8a00a19f72b4616
• https://git.alpinelinux.org/aports/commit/?id=63295e4a667669a5dadf360d6a5e0d3ca67af2c1
• https://git.alpinelinux.org/aports/commit/?id=9b8d163f3a9143f9623a5320355ce9901a8f0feb
• https://git.alpinelinux.org/aports/commit/?id=2757235ef94f59233d2dc36eff13adabb4b91306
• https://git.alpinelinux.org/aports/commit/?id=7c21d88133f9983684374fb245b39b92e0bef5b8