3.8.10-0ubuntu1~20.04.16 broke IPv6 zone parsing

Bug #2103454 reported by James Falcon
Affects              Status        Importance  Assigned to  Milestone
python3.8 (Ubuntu)   Invalid       Undecided   Unassigned
Focal                Fix Released  Undecided   Unassigned

Bug Description

It appears 3.8.10-0ubuntu1~20.04.16 fixed https://github.com/python/cpython/issues/105704. However, in doing so, it also broke IPv6 zone parsing.

The following used to work on focal:
>>> from urllib.parse import urlparse
>>> urlparse('http://[fe80::1ff:fe23:4567:890a%25eth0]/')

But now, we get:
(focal-amd64)james@cow:/build/cloud-init-M2qWdO/cloud-init-24.4.1$ dpkg -l | grep python3.8
ii libpython3.8-minimal:amd64 3.8.10-0ubuntu1~20.04.16 amd64 Minimal subset of the Python language (version 3.8)
ii libpython3.8-stdlib:amd64 3.8.10-0ubuntu1~20.04.16 amd64 Interactive high-level object-oriented language (standard library, version 3.8)
ii python3.8 3.8.10-0ubuntu1~20.04.16 amd64 Interactive high-level object-oriented language (version 3.8)
ii python3.8-minimal 3.8.10-0ubuntu1~20.04.16 amd64 Minimal subset of the Python language (version 3.8)
(focal-amd64)james@cow:/build/cloud-init-M2qWdO/cloud-init-24.4.1$ python3
Python 3.8.10 (default, Mar 11 2025, 17:45:31)
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from urllib.parse import urlparse
>>> urlparse('http://[fe80::1ff:fe23:4567:890a%25eth0]/')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.8/urllib/parse.py", line 385, in urlparse
    splitresult = urlsplit(url, scheme, allow_fragments)
  File "/usr/lib/python3.8/urllib/parse.py", line 495, in urlsplit
    _check_bracketed_netloc(netloc)
  File "/usr/lib/python3.8/urllib/parse.py", line 444, in _check_bracketed_netloc
    _check_bracketed_host(hostname)
  File "/usr/lib/python3.8/urllib/parse.py", line 453, in _check_bracketed_host
    ip = ipaddress.ip_address(hostname) # Throws Value Error if not IPv6 or IPv4
  File "/usr/lib/python3.8/ipaddress.py", line 53, in ip_address
    raise ValueError('%r does not appear to be an IPv4 or IPv6 address' %
ValueError: 'fe80::1ff:fe23:4567:890a%25eth0' does not appear to be an IPv4 or IPv6 address

Compared to python tip (with the CVE fix) this works as expected:
$ python3
Python 3.14.0a6+ (heads/main:a09c2b2ba64, Mar 17 2025, 13:25:19) [GCC 14.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from urllib.parse import urlparse
>>> urlparse('http://[fe80::1ff:fe23:4567:890a%25eth0]/')
ParseResult(scheme='http', netloc='[fe80::1ff:fe23:4567:890a%25eth0]', path='/', params='', query='', fragment='')
>>>
>>> urlparse('http://prefix.[v1.example]/') # show that CVE is fixed
Traceback (most recent call last):
  File "<python-input-2>", line 1, in <module>
    urlparse('http://prefix.[v1.example]/') # show that CVE is fixed
    ~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/james/.pyenv/versions/3.14-dev/lib/python3.14/urllib/parse.py", line 395, in urlparse
    scheme, netloc, url, params, query, fragment = _urlparse(url, scheme, allow_fragments)
                                                   ~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/james/.pyenv/versions/3.14-dev/lib/python3.14/urllib/parse.py", line 400, in _urlparse
    scheme, netloc, url, query, fragment = _urlsplit(url, scheme, allow_fragments)
                                           ~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/james/.pyenv/versions/3.14-dev/lib/python3.14/urllib/parse.py", line 525, in _urlsplit
    _check_bracketed_netloc(netloc)
    ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
  File "/home/james/.pyenv/versions/3.14-dev/lib/python3.14/urllib/parse.py", line 450, in _check_bracketed_netloc
    raise ValueError("Invalid IPv6 URL")
ValueError: Invalid IPv6 URL
>>>

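The check that the CVE-2025-0938 patches add, and the zone-ID gap it trips over on Python 3.8, as an added example that is not CPython's or Ubuntu's own code: a bracketed-host validator in the shape of the upstream check that splits the zone identifier off before handing the address to ipaddress, since the 3.8 ipaddress module predates scope-ID support. The helper names (check_bracketed_netloc, is_valid_url) and the extra sample URLs are this example's own assumptions; the two constants mirror the URLs in the report above.

```python
import ipaddress
import re

# Constructed sample inputs; the two URLs mirror the ones in the bug report.
ZONE_URL = 'http://[fe80::1ff:fe23:4567:890a%25eth0]/'
CVE_STYLE_URL = 'http://prefix.[v1.example]/'


def _check_bracketed_host(hostname: str) -> None:
    """Validate the text between '[' and ']' of a URL authority."""
    if hostname.startswith('v'):
        # IPvFuture literal: 'v' + hex digits + '.' + at least one more char.
        if not re.fullmatch(r'v[0-9A-Fa-f]+\..+', hostname):
            raise ValueError('IPvFuture address is invalid')
        return
    # Python 3.8's ipaddress has no zone-ID (scope) support, so the zone
    # suffix ('%25eth0' in the report) is split off before validating.
    # This split is the workaround used here, not what CPython 3.8 does.
    address, sep, zone = hostname.partition('%')
    if sep and (not zone or '%' in zone):
        raise ValueError('Invalid IPv6 zone identifier')
    ip = ipaddress.ip_address(address)  # ValueError if neither IPv4 nor IPv6
    if isinstance(ip, ipaddress.IPv4Address):
        raise ValueError('An IPv4 address cannot be in brackets')


def check_bracketed_netloc(netloc: str) -> None:
    """Reject data before '[' or between ']' and the port delimiter."""
    hostname_and_port = netloc.rpartition('@')[2]
    before_bracket, have_open_br, bracketed = hostname_and_port.partition('[')
    if not have_open_br:
        return  # not a bracketed host; nothing to check here
    if before_bracket:
        raise ValueError('Invalid IPv6 URL')
    hostname, have_close_br, port = bracketed.partition(']')
    if not have_close_br or (port and not port.startswith(':')):
        raise ValueError('Invalid IPv6 URL')
    _check_bracketed_host(hostname)


def is_valid_url(url: str) -> bool:
    """True when the URL's authority passes check_bracketed_netloc."""
    match = re.match(r'[^:/?#]+://([^/?#]*)', url)  # naive authority split
    netloc = match.group(1) if match else ''
    try:
        check_bracketed_netloc(netloc)
    except ValueError:
        return False
    return True
```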

James Falcon (falcojr) wrote :

At the very least, this will result in IPv6 openstack instances failing to boot:
https://github.com/canonical/cloud-init/blob/main/cloudinit/sources/DataSourceOpenStack.py#L78

I think this needs to be treated as a critical issue.

Andreas Hasenack (ahasenack) wrote :

Tagged with regression-security and subscribed the security team to this bug report.

tags: added: regression-security
Marc Deslauriers (mdeslaur) wrote :

I can confirm this regression and will upload a package with the problematic patches reverted to the security team PPA for building in a few minutes.

Marc Deslauriers (mdeslaur) wrote :

Package is now building in the security team PPA here, and will be released as soon as the builds are done:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python3.8 - 3.8.10-0ubuntu1~20.04.17

---------------
python3.8 (3.8.10-0ubuntu1~20.04.17) focal-security; urgency=medium

  * SECURITY REGRESSION: IPv6 parsing issue (LP: #2103454)
    - debian/patches/CVE-2025-0938*.patch: Disable patches until further
      investigation

 -- Marc Deslauriers <email address hidden> Mon, 17 Mar 2025 15:35:05 -0400

Changed in python3.8 (Ubuntu Focal):
status: New → Fix Released
Changed in python3.8 (Ubuntu):
status: New → Invalid