
Bug 162818

Summary: dev-python/django Security Bypass Vulnerabilities
Product: Gentoo Security
Reporter: Executioner <keith>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: python, seemant
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/23826/
Whiteboard: ~3?
Package list:
Runtime testing required: ---

Description Executioner 2007-01-19 15:44:36 UTC
Description:
Some vulnerabilities have been reported in Django, which can be exploited by malicious users to bypass certain security restrictions or malicious people to compromise a vulnerable system.

1) The bin/compile-messages.py script does not correctly escape the filename of .po message files. This can be exploited to execute arbitrary shell commands via a maliciously named .po file.

2) The authentication middleware incorrectly caches the "request.user" parameter between requests, which could be exploited to e.g. access pages as another user.

The vulnerabilities are reported in version 0.95. Other versions may also be affected.

Solution:
Fixed in the SVN repository.

http://code.djangoproject.com/changeset/3592
http://code.djangoproject.com/changeset/3754

Reproducible: Didn't try

http://code.djangoproject.com/ticket/2702
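The first item in the report is a shell-injection pattern: a filename that ends up inside a shell command string is interpreted by the shell rather than treated as one argument. The block below is an added illustration, not Django's compile-messages.py and not code from this bug; the sample filename, the msgfmt invocation and all function names are constructed for the example. It compares the vulnerable string-building form with two defensive forms (quoting, and a no-shell argument vector) by tokenizing each command the way a POSIX shell would, so nothing is executed.

```python
import shlex
import subprocess

# Constructed sample input: a .po filename carrying a shell metacharacter and
# a space, the kind of name the advisory says the script did not escape.
MALICIOUS_PO = "messages;touch marker.po"


def unsafe_command(po_path):
    """Vulnerable pattern (hypothetical reconstruction, not Django's code):
    the filename is interpolated into one shell command string, as it would
    be just before being handed to os.system() or 'sh -c'."""
    mo_path = po_path[:-3] + ".mo"
    return "msgfmt -o %s %s" % (mo_path, po_path)


def quoted_command(po_path):
    """Hardened variant for when a shell string is unavoidable: every
    user-influenced token is wrapped with shlex.quote()."""
    mo_path = po_path[:-3] + ".mo"
    return "msgfmt -o %s %s" % (shlex.quote(mo_path), shlex.quote(po_path))


def safe_argv(po_path):
    """Preferred fix: build an argument vector and run it without a shell
    (subprocess.run(argv), shell=False), so metacharacters in the filename
    are never interpreted at all."""
    mo_path = po_path[:-3] + ".mo"
    return ["msgfmt", "-o", mo_path, po_path]


def shell_tokens(command):
    """Tokenize a command string the way a POSIX shell would, splitting out
    ';', '|', '&' and similar characters as their own operator tokens. This
    shows how many commands the shell would see, without executing anything."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def run_compile(po_path, dry_run=True):
    """Invoke msgfmt through the safe argument vector. With dry_run=True the
    argv is returned instead of executed, so gettext need not be installed."""
    argv = safe_argv(po_path)
    if dry_run:
        return argv
    return subprocess.run(argv, check=True).returncode


if __name__ == "__main__":
    print("unsafe:", shell_tokens(unsafe_command(MALICIOUS_PO)))
    print("quoted:", shell_tokens(quoted_command(MALICIOUS_PO)))
    print("argv:  ", run_compile(MALICIOUS_PO))
```

For the constructed name the unsafe string tokenizes into two commands separated by `;`, while both hardened forms keep the whole filename as a single argument to msgfmt. The argument-vector form is the one to prefer; `shlex.quote` is the fallback only when a shell is genuinely required.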
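The second item describes a cross-request cache: the authentication middleware resolves a user once and then hands that same object to later requests. The block below is an added, framework-free illustration of that failure mode and its fix, not Django's middleware and not the patch referenced above; the Request class, the session lookup and the descriptor names are constructed for the example. It places the cached user on a shared descriptor (flawed) beside caching on the request object itself (fixed) and replays a sequence of requests from different sessions through each.

```python
class Request:
    """Minimal stand-in for an HTTP request object (constructed for this
    example; not Django's HttpRequest)."""

    def __init__(self, session_user=None):
        # Constructed session: who the cookie/session says is logged in.
        self.session = {"user": session_user} if session_user else {}


def lookup_user(request):
    """Resolve the user for this request from its session data."""
    return request.session.get("user", "AnonymousUser")


class LeakyLazyUser:
    """Flawed pattern: the resolved user is cached on the descriptor object.
    The descriptor is installed once as a class attribute and is shared by
    every Request instance, so the first user resolved is served to every
    later request, whatever its session says."""

    def __get__(self, request, objtype=None):
        if request is None:
            return self
        if not hasattr(self, "_user"):
            self._user = lookup_user(request)
        return self._user


class PerRequestLazyUser:
    """Fixed pattern: cache on the request instance, so the cached value
    lives and dies with that one request."""

    def __get__(self, request, objtype=None):
        if request is None:
            return self
        if not hasattr(request, "_cached_user"):
            request._cached_user = lookup_user(request)
        return request._cached_user


def install_middleware(descriptor_cls):
    """Emulate middleware that attaches a lazy 'user' attribute to the request
    class once at startup (hypothetical; mirrors only the described behaviour)."""

    class MiddlewareRequest(Request):
        pass

    MiddlewareRequest.user = descriptor_cls()
    return MiddlewareRequest


def serve_sequence(descriptor_cls, session_users):
    """Process several requests in turn and return the user each one saw."""
    request_cls = install_middleware(descriptor_cls)
    return [request_cls(u).user for u in session_users]


if __name__ == "__main__":
    users = ["alice", "bob", None]
    print("leaky:", serve_sequence(LeakyLazyUser, users))
    print("fixed:", serve_sequence(PerRequestLazyUser, users))
```

With the leaky descriptor, every request after the first reports the first session's user, which is exactly the "access pages as another user" outcome the report describes; with per-request caching each request sees its own session, and an unauthenticated request resolves to the anonymous user.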
Comment 1 Tiziano Müller (RETIRED) gentoo-dev 2007-01-21 13:44:18 UTC
Fixed with the revision bump from 0.95 to 0.95-r1: Patches from Debian added as stated in the Changelog.
Thanks for reporting!
Comment 2 Seemant Kulleen (RETIRED) gentoo-dev 2007-01-22 09:12:59 UTC
Django upstream released 0.95.1 and I've added that into portage as well.
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-22 20:14:56 UTC
Closing without GLSA/stable marking, since Django has not been marked stable on any arch.

Thanks Tiziano/Seemant.