Bug 222029 - dev-python/django < 0.96.2 XSS (CVE-2008-2302)
Bug#: 222029 (CVE-2008-2302) Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: trivial Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: nelchael@gentoo.org
Component: Vulnerabilities
URL:  http://www.djangoproject.com/weblog/2008/may/14/security/
Summary: dev-python/django < 0.96.2 XSS (CVE-2008-2302)
Keywords:  
Status Whiteboard: ~4 [noglsa]
Opened: 2008-05-14 07:50 0000
Description:
Description of vulnerability

The Django administration application will, when accessed by a user who is not
sufficiently authenticated, display a login form and ask the user to provide
the necessary credentials before displaying the requested page. This form will
be submitted to the URL the user attempted to access, by supplying the current
request path as the value of the form's "action" attribute.

The value of the request path was not being escaped, creating an opportunity
for a cross-site scripting (XSS) attack by leading a user to a URL which
contained URL-encoded HTML and/or JavaScript in the request path.

Affected versions

    * Django development trunk
    * Django 0.96
    * Django 0.95
    * Django 0.91

Resolution

The login form has been changed to escape the request path before use as the
form's submission action.

The relevant changesets for affected versions of Django are:

    * Django development trunk: Changeset 7521
    * Django 0.96: Changeset 7527
    * Django 0.95: Changeset 7528
    * Django 0.91: Changeset 7529

The following releases have been issued based on the above changesets:

    * Django 0.96.2
    * Django 0.95.3
    * Django 0.91.2

All users of affected versions of Django are strongly encouraged to apply the
relevant patch or upgrade to the relevant patched release as soon as possible.
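
The behaviour described above, as an added example that is not part of the original report or of Django's code base: a stand-alone model of the login form that uses a constructed template string, a constructed attack URL, and an assumed WSGI-style percent-decoding of the request path. The rendered page is then tokenised with the standard-library html.parser to show that the unescaped form yields a live script element, while the escaped form keeps the action attribute intact and still submits to the path the user requested.

```python
"""
Added example, not Django's code: a stand-alone model of the admin login form
behaviour the advisory describes. The template string, the request-path
decoding and the attack URL are all constructed for illustration.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed stand-in for the admin login template: the requested path is the
# form's submission target, which is the pattern the advisory describes.
LOGIN_FORM = '<form action="{app_path}" method="post"><input name="username"></form>'

# Constructed attack URL: the request path carries a percent-encoded attribute
# breakout (%22%3E is ">) followed by a script element.
ATTACK_TARGET = "/admin/%22%3E%3Cscript%3Ealert(1)%3C/script%3E"


def request_path_from_target(target: str) -> str:
    """What the framework sees as the request path: query string stripped and
    the path percent-decoded, as a WSGI server does before handing over
    PATH_INFO (an assumption about the server, stated for this example)."""
    return unquote(target.split("?", 1)[0])


def render_login_form_vulnerable(request_path: str) -> str:
    """Pre-fix behaviour: the path is interpolated verbatim into the attribute."""
    return LOGIN_FORM.format(app_path=request_path)


def render_login_form_fixed(request_path: str) -> str:
    """Post-fix behaviour: HTML-escape the path first. quote=True also escapes
    " and ', which is what stops a breakout from inside action="..."."""
    return LOGIN_FORM.format(app_path=escape(request_path, quote=True))


class _TagCollector(HTMLParser):
    """Records start tags in document order plus the form's action attribute
    (html.parser entity-decodes attribute values, as a browser would)."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.form_action = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "form":
            self.form_action = dict(attrs).get("action")


def analyse(html: str) -> dict:
    """Tokenise the rendered page and report whether a script element appeared
    and where the form now submits to."""
    parser = _TagCollector()
    parser.feed(html)
    parser.close()
    return {"script_tags": parser.tags.count("script"),
            "form_action": parser.form_action}


def compare(target: str = ATTACK_TARGET) -> dict:
    """Render both variants for the same request and analyse each."""
    path = request_path_from_target(target)
    return {
        "request_path": path,
        "vulnerable": analyse(render_login_form_vulnerable(path)),
        "fixed": analyse(render_login_form_fixed(path)),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The point to take from the parse is that the attribute context is what matters: `"` closes the action value, so escaping `<` and `>` alone would not be enough, and the escaped variant still submits to the full requested path because the browser decodes the entities back when reading the attribute. html.parser is less forgiving than a real browser, so treat its result as indicative rather than as proof of non-exploitability.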

------- Comment #1 From Pierre-Yves Rofes 2008-05-14 09:32:37 0000 -------
Python herd, please bump as necessary

------- Comment #2 From Krzysiek Pawlik 2008-05-21 07:38:12 0000 -------
Bumping it won't be as easy as it seems: in 0.96.2 tarball some directories are
missing (like extras, examples). I've filed a bug upstream about that, but it
got closed as WONTFIX: http://code.djangoproject.com/ticket/7273, last comment
from that bug:

> Actually, the 0.96.1 tarball was generated by an svn export, while 0.96.2 was 
> generated by using the setup.py script. What this means, really, is that the 
> setup.py script was borked (a known issue), but unfortunately I don't think we 
> can do much about it; the bugfixes branches are really only for critical 
> security fixes.

So the Django code should come from 0.96.2, and the rest from 0.96.1 or use
0.96.1 tarball with a patch.

------- Comment #3 From Krzysiek Pawlik 2008-05-26 06:40:07 0000 -------
Created an attachment (id=154317)
django-0.96.1-to-0.96.2.ebuild.patch

This is a patch for 0.96.1 ebuild to create 0.96.2: it has both versions in
SRC_URI and uses the missing directories from 0.96.1.
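
A worked illustration of the two-tarball approach from comments #2 and #3, added here; it is not the attached ebuild patch and not any Django release tooling. It builds constructed stand-in tarballs (the file layouts are invented for the example; only the directory names extras and examples come from comment #2), reports which top-level directories the newer tarball lost, and assembles a source tree that takes the package code from the newer tarball and only the missing directories from the older one, refusing any archive entry that would write outside the destination.

```python
"""
Added example (not the Gentoo ebuild or Django's release tooling): compare two
release tarballs for top-level directories that vanished between versions and
assemble a tree from both, as comments #2 and #3 describe for 0.96.1/0.96.2.
The tarballs built here are constructed stand-ins, not the real releases.
"""
import io
import tarfile
import tempfile
from pathlib import Path


def make_tarball(path: Path, prefix: str, files: dict) -> None:
    """Build a constructed .tar.gz laid out as <prefix>/<relative file>."""
    with tarfile.open(path, "w:gz") as tf:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))


def top_level_dirs(tarball: Path) -> set:
    """Top-level directories below the single version prefix."""
    dirs = set()
    with tarfile.open(tarball) as tf:
        for member in tf.getmembers():
            parts = Path(member.name).parts
            if len(parts) >= 3:          # prefix / <dir> / <something>
                dirs.add(parts[1])
    return dirs


def missing_dirs(old: Path, new: Path) -> set:
    """Directories shipped in the old release but absent from the new one."""
    return top_level_dirs(old) - top_level_dirs(new)


def _write_member(tf, member, root: Path, rel_parts) -> None:
    """Write one archive file under root, refusing paths that escape it."""
    target = root.joinpath(*rel_parts)
    if root.resolve() not in target.resolve().parents:
        raise ValueError(f"refusing to write outside {root}: {member.name}")
    target.parent.mkdir(parents=True, exist_ok=True)
    if member.isfile():
        with tf.extractfile(member) as src, open(target, "wb") as dst:
            dst.write(src.read())


def assemble(old: Path, new: Path, dest: Path) -> set:
    """Unpack `new` into dest (version prefix dropped), then fill in every
    top-level directory that exists only in `old`. Returns the filled-in dirs."""
    fill = missing_dirs(old, new)
    with tarfile.open(new) as tf:
        for m in tf.getmembers():
            parts = Path(m.name).parts
            if len(parts) >= 2 and m.isfile():
                _write_member(tf, m, dest, parts[1:])
    with tarfile.open(old) as tf:
        for m in tf.getmembers():
            parts = Path(m.name).parts
            if len(parts) >= 3 and parts[1] in fill and m.isfile():
                _write_member(tf, m, dest, parts[1:])
    return fill


def demo() -> dict:
    """Run the procedure on constructed tarballs and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        old = tmp / "Django-0.96.1.tar.gz"
        new = tmp / "Django-0.96.2.tar.gz"
        # Constructed layouts: the old tarball carries extras/ and examples/,
        # the new one does not (the only detail taken from comment #2).
        make_tarball(old, "Django-0.96.1", {
            "setup.py": "# old setup",
            "django/__init__.py": "VERSION = (0, 96, 1)",
            "docs/index.txt": "docs",
            "extras/django_bash_completion": "# completion",
            "examples/hello/views.py": "# example view",
        })
        make_tarball(new, "Django-0.96.2", {
            "setup.py": "# new setup",
            "django/__init__.py": "VERSION = (0, 96, 2)",
            "docs/index.txt": "docs",
        })
        dest = tmp / "work"
        filled = assemble(old, new, dest)
        return {
            "missing": filled,
            "version": (dest / "django" / "__init__.py").read_text(),
            "has_extras": (dest / "extras" / "django_bash_completion").exists(),
            "has_examples": (dest / "examples" / "hello" / "views.py").exists(),
        }


if __name__ == "__main__":
    print(demo())
```

The containment check in `_write_member` is there because the older tarball is being trusted only for a few directories; an entry with `../` in its name must not be able to write over the patched code taken from the newer one.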

------- Comment #4 From Robert Buchholz 2008-05-26 17:56:42 0000 -------
Krzysiek, feel free to commit the attached patch to CVS. Or do you need
additional review?

------- Comment #5 From Krzysiek Pawlik 2008-05-26 18:17:16 0000 -------
Done:

------------------------------------------------------------------------------
Version bump to fix security bug, see bug #222029.
(Portage version: 2.1.5.2)
------------------------------------------------------------------------------

------- Comment #6 From Robert Buchholz 2008-05-26 18:19:36 0000 -------
Thanks, closing without stabling and GLSA.