Headline
CVE-2022-33124: Invalid IPv6 URL · Issue #6772 · aio-libs/aiohttp
** DISPUTED ** AIOHTTP 3.8.1 can report a “ValueError: Invalid IPv6 URL” outcome, which can lead to a Denial of Service (DoS). NOTE: multiple third parties dispute this issue because there is no example of a context in which denial of service would occur, and many common contexts have exception handling in the calling application.
Describe the bug
URL analysis
To Reproduce
use oss-fuzz
this is the crash
Uploading crash.zip…
Expected behavior
Denial of service
Logs/tracebacks
ValueError: Invalid IPv6 URL
Traceback (most recent call last):
  File "fuzz_http_parser.py", line 32, in TestOneInput
  File "aiohttp/_http_parser.pyx", line 551, in aiohttp._http_parser.HttpParser.feed_data
  File "aiohttp/_http_parser.pyx", line 701, in aiohttp._http_parser.cb_on_header_field
  File "aiohttp/_http_parser.pyx", line 627, in aiohttp._http_parser.HttpRequestParser._on_status_complete
  File "yarl/_url.py", line 151, in __new__
  File "urllib/parse.py", line 464, in urlsplit

==16== ERROR: libFuzzer: fuzz target exited
    #0 0x7f19d3acfcd1 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x7f19d3a10f58 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
    #2 0x7f19d39f615c in fuzzer::Fuzzer::ExitCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:250:3
    #3 0x7f19d37b88a6 (/lib/x86_64-linux-gnu/libc.so.6+0x468a6)
    #4 0x7f19d37b8a5f in exit (/lib/x86_64-linux-gnu/libc.so.6+0x46a5f)
    #5 0x7f19d2471df8 in Py_Exit /tmp/Python-3.8.3/Python/pylifecycle.c:2299:5
    #6 0x7f19d2476c0b in handle_system_exit /tmp/Python-3.8.3/Python/pythonrun.c:658:9
    #7 0x7f19d2476c0b in _PyErr_PrintEx /tmp/Python-3.8.3/Python/pythonrun.c:668:5
    #8 0x403ac2 (/out/fuzz_http_parser.pkg+0x403ac2)
    #9 0x403e57 (/out/fuzz_http_parser.pkg+0x403e57)
    #10 0x7f19d3796082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #11 0x40249d (/out/fuzz_http_parser.pkg+0x40249d)
Python Version
$ python --version
python 3.8.3
aiohttp Version
$ python -m pip show aiohttp
latest
multidict Version
$ python -m pip show multidict
5.2
yarl Version
$ python -m pip show yarl
1.7.2
OS
ubuntu
Related component
Server
Additional context
No response
Code of Conduct
- I agree to follow the aio-libs Code of Conduct
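The traceback above ends in urllib.parse.urlsplit, reached through yarl.URL.__new__ from aiohttp's request-line handling, and the disputing parties' point is that the resulting ValueError is an ordinary exception that a calling application normally catches. The following example is added here by the editor and is not code from the aiohttp project or from the issue reporter: it reproduces the ValueError with the standard library alone (no aiohttp or yarl needed), using constructed request targets with an unbalanced bracket, which is the shape urlsplit rejects as an "Invalid IPv6 URL"; the exact bytes in crash.zip are not on the page, so these inputs are assumptions. The guarded parser shows the shape of the exception handling the dispute refers to: a malformed target becomes a 400-class outcome for that one request instead of an exception escaping the parser.

```python
"""Editor-added example, not aiohttp's or yarl's own code.

Reproduces the ValueError("Invalid IPv6 URL") path visible in the issue's
traceback using only urllib.parse, and shows the caller-side handling that
turns it into a per-request error rather than an unhandled exception.
"""
from urllib.parse import urlsplit

# Constructed request targets (assumptions, not the contents of crash.zip).
# urlsplit raises ValueError when the authority part has a '[' without a
# matching ']' or vice versa, which is the check the traceback lands in.
SAMPLE_TARGETS = [
    "http://example.test/index.html",  # well-formed, plain host
    "http://[::1]:8080/",              # well-formed bracketed IPv6 host
    "http://[::1/",                    # '[' with no closing ']'
    "http://::1]/",                    # ']' with no opening '['
]


def parse_target(target: str):
    """Unguarded parse: lets ValueError propagate, like the fuzz harness did."""
    return urlsplit(target)


def raises_value_error(target: str) -> bool:
    """True if the unguarded parse raises ValueError for this target."""
    try:
        parse_target(target)
    except ValueError:
        return True
    return False


def parse_target_guarded(target: str):
    """Caller-side handling: map a parser ValueError to a 400-class result.

    Returns (status, detail). A malformed target costs the server one
    rejected request, not the event loop; well-formed targets return the
    parsed authority (netloc) so the caller can keep going.
    """
    try:
        parts = urlsplit(target)
    except ValueError as exc:
        return (400, str(exc))
    return (200, parts.netloc)


def feed_many(targets):
    """Run a batch through the guarded parser; one bad target must not abort
    the batch. This is the behaviour the dispute says callers already have."""
    return [parse_target_guarded(t) for t in targets]


if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print(f"{t!r:35} unguarded raises={raises_value_error(t)!s:5} "
              f"guarded={parse_target_guarded(t)}")
```

Running the block prints one line per target; the two bracket-mismatched targets raise under the unguarded parse and come back as (400, 'Invalid IPv6 URL') under the guarded one, while the two well-formed targets return their netloc. Whether this is a denial of service depends entirely on whether the code that calls the parser catches ValueError, which is exactly what the disputed note above says.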
Related news
aiohttp v3.8.1 was reported to raise an unhandled "ValueError: Invalid IPv6 URL" on a malformed request target, which the report claims can lead to a Denial of Service (DoS).