From ${URL} :

== XSS Vulnerability in Djblets json_dumps() ==

Description of problem:
Django's JSON serialization does not handle escaping of any characters to make them safe for injecting into HTML. This allows an attacker who can provide part of a JSON-serializable object to craft a string that can break out of a <script> tag and create its own, injecting a custom script. To fix this, we escape '<', '>', and '&' characters in the resulting string, preventing a </script> from executing.

Version-Release number of selected component (if applicable):
python-djblets-0.8.2-1.fc21
python-djblets-0.7.29-1.fc20

How reproducible:
Every time

Steps to Reproduce:
1. User can change their display name to "</script><script> alert(1)</script>"
2. Browse a page where this user was the submitter

Actual results:
Script is executed

Expected results:
User's name should be sanitized

Additional info:
Issue is public, due to it having been reported on upstream's public bug tracker.
Upstream bug report: https://code.google.com/p/reviewboard/issues/detail?id=3406
Upstream patch:
Djblets 0.7.x: https://reviews.reviewboard.org/r/5944/diff
Djblets 0.8.x: https://reviews.reviewboard.org/r/5945/diff
I do not yet have the real name of the reporter to credit.

== XSS Vulnerability in Djblets gravatar templates ==

Description of problem:
The generated gravatar HTML wasn't handling escaping of the display name of the user, allowing an attacker to choose a name that would close out the <img> tag and inject a <script> tag. By switching to Django's format_html(), we can guarantee safe escaping of content.

Version-Release number of selected component (if applicable):
python-djblets-0.8.2-1.fc21
python-djblets-0.7.29-1.fc20

How reproducible:
Every time

Steps to Reproduce:
1. User can change their display name to "</script><script> alert(1)</script>"
2. Configure this user for a Gravatar image
3. Browse to any page displaying the gravatar image

Actual results:
The script executes

Expected results:
The username should be properly sanitized and prevent XSS execution.

Additional info:
Issue is public now, as the fix has been committed to upstream git.
Credit for the discovery of this vulnerability should be given to Christian Hammond of Bean Bag, Inc. (author of Review Board).
This issue is present in the python-djblets package on Fedora 19, 20, Rawhide and EPEL 6 (EPEL 7 has not yet had a successful build).
Upstream patch:
Djblets 0.7.x: https://reviews.reviewboard.org/r/5947/diff/
Djblets 0.8.x: https://reviews.reviewboard.org/r/5946/diff/

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
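The two fixes quoted above (escaping '<', '>' and '&' in json_dumps() output, and escaping the display name before it is interpolated into the gravatar <img> markup) are easy to get wrong in the same way again, so here is an added example, not code from Djblets or from the reports above, that shows the vulnerable pattern beside the hardened one for both cases. It uses the display name from the reproduction steps as its input. The <script> wrapper, the <img> template, the avatar URL and the helper names are all assumptions made for the illustration; html.escape() stands in for Django's format_html(), which it is not, but both HTML-escape every interpolated value.

```python
import html
import json

# Constructed input: the display name from the reproduction steps above.
EVIL_NAME = '</script><script> alert(1)</script>'

# Constructed placeholder; a real Gravatar URL carries a hash of the e-mail.
AVATAR_URL = 'https://example.invalid/avatar.png'

# JSON \u escapes are still valid JSON, so the parsed value is unchanged,
# but the raw text can no longer form an HTML tag inside a <script> block.
_JSON_HTML_ESCAPES = {
    '<': '\\u003c',
    '>': '\\u003e',
    '&': '\\u0026',
}


def json_dumps_unsafe(obj):
    """Vulnerable pattern: plain json.dumps(), no HTML-context escaping."""
    return json.dumps(obj)


def json_dumps_safe(obj):
    """Hardened variant, mirroring the fix described in the report:
    serialize, then rewrite '<', '>' and '&' as \\u escapes."""
    text = json.dumps(obj)
    for char, replacement in _JSON_HTML_ESCAPES.items():
        text = text.replace(char, replacement)
    return text


def script_block(payload_json):
    """Assumed template: a page embedding a JSON payload in a <script> tag."""
    return '<script>var user = %s;</script>' % payload_json


def contains_script_breakout(document):
    """Constructed check: HTML tokenizers end a script element at the first
    '</script' they see, regardless of JavaScript string state, so more than
    one occurrence means user data terminated the intended script early."""
    return document.lower().count('</script') > 1


def round_trips(obj):
    """The escaped JSON must still decode to the original object."""
    return json.loads(json_dumps_safe(obj)) == obj


def gravatar_img_unsafe(name, url):
    """Vulnerable pattern: display name interpolated into markup verbatim."""
    return '<img src="%s" alt="%s">' % (url, name)


def gravatar_img_safe(name, url):
    """Hardened variant: every interpolated value is HTML-escaped, which is
    what Django's format_html() does for its arguments."""
    return '<img src="{}" alt="{}">'.format(
        html.escape(url, quote=True), html.escape(name, quote=True))


if __name__ == '__main__':
    payload = {'name': EVIL_NAME}
    print('unsafe JSON breaks out:',
          contains_script_breakout(script_block(json_dumps_unsafe(payload))))
    print('safe JSON breaks out:  ',
          contains_script_breakout(script_block(json_dumps_safe(payload))))
    print('safe JSON round-trips: ', round_trips(payload))
    print(gravatar_img_unsafe(EVIL_NAME, AVATAR_URL))
    print(gravatar_img_safe(EVIL_NAME, AVATAR_URL))
```

The JSON case is the one that HTML-escaping alone does not cover: the payload sits inside a <script> element, where `&lt;` would be delivered to JavaScript literally, so the escaping has to happen in JSON syntax (\u003c and friends) rather than HTML syntax. The attribute case is ordinary HTML escaping, and the point of format_html() is that it cannot be forgotten for one of the interpolated values.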
Version-Release number of selected component (if applicable):
python-djblets-0.8.2-1.fc21
python-djblets-0.7.29-1.fc20

~/cvsPortage/gentoo-x86/dev-python/redis-py $ eix Djblets
* dev-python/Djblets
     Available versions:  (~)0.7.28 {PYTHON_TARGETS="python2_6 python2_7"}
     Homepage:            http://github.com/djblets/djblets
     Description:         A collection of useful extensions for Djang

eeeer, we don't even have those in portage. Is this applicable at all? Did you check for these versions, aside from they likely should be in portage?
(In reply to Ian Delaney from comment #1)
> Version-Release number of selected component (if applicable):
> python-djblets-0.8.2-1.fc21
> python-djblets-0.7.29-1.fc20
>
> ~/cvsPortage/gentoo-x86/dev-python/redis-py $ eix Djblets
> * dev-python/Djblets
>      Available versions:  (~)0.7.28 {PYTHON_TARGETS="python2_6 python2_7"}
>      Homepage:            http://github.com/djblets/djblets
>      Description:         A collection of useful extensions for Djang
>
> eeeer, we don't even have those in portage. Is this applicable at all? Did
> you check for these versions, aside from they likely should be in portage?

They reproduced on what they have. If nobody knows the bug, for sure it affects the next versions unless the code has been removed.
(In reply to Agostino Sarubbo from comment #2)
> They reproduced on what they have. If nobody knows the bug, for sure it
> affects the next versions unless the code has been removed.

ago, afaict this package is unbumpable. I bumped it to 0.7.28 in April when its deps made it viable, but it's NOT EVEN my package, so feel free to chase up the actual listed maintainer. The salient point here is that it's not officially a python herd package. If you care to know how and why, do so in irc, not here.
Could you guys bump to 0.7.30? That should fix this bug (see the following release notes).

version 0.7.30 final (6-June-2014):

* Security:
  * Fixed a XSS issue in the gravatars code. Users could construct a name that would allow for injecting JavaScript in the page. That name is now properly escaped.
  * Fixed a XSS issue in json_dumps. JSON payloads constructed based on user input and then injected into a page could result in custom JavaScript being injected into the page. Additional escaping is now performed to ensure this does not happen.
CVE-2014-3994 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3994): Cross-site scripting (XSS) vulnerability in util/templatetags/djblets_js.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django, as used in Review Board, allows remote attackers to inject arbitrary web script or HTML via a JSON object, as demonstrated by the name field when changing a user name.
I don't have the time / need to handle this package in an appropriate manner (no longer using reviewboard), so I walk off on this package. I'll update metadata.xml accordingly.
(In reply to Michael Weber from comment #6)

I've just added the 0.7.30 version to tree, but there is a dependency conflict. Djblets depends on dev-python/django-1.5 and >=dev-python/django-pipeline-1.2.24. All versions of dev-python/django-pipeline are 1.3 and later, which need >=dev-python/django-1.5.

So this package is broken due to the removal of old enough dev-python/django-pipeline (1.2.x, I assume).
CVE-2014-3995 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3995): Cross-site scripting (XSS) vulnerability in gravatars/templatetags/gravatars.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django allows remote attackers to inject arbitrary web script or HTML via a user display name.
(In reply to Michael Weber from comment #7)
> (In reply to Michael Weber from comment #6)
>
> I've just added the 0.7.30 version to tree but there is a dependency
> conflict.
> Djblets depends on dev-python/django-1.5 and
> >=dev-python/django-pipeline-1.2.24.
> all versions of dev-python/django-pipeline are of 1.3 and later which need
> >=dev-python/django-1.5.
>
> So this package is broken due the removal of old enough
> dev-python/django-pipeline (1.2.x, I assume).

Right, the Djblets.egg-info/requires.txt indeed says django-pipeline==1.2.24. However, in the context of the version history of django-pipeline this may well be a typo and ought to read 1.3.24, which is a recent release. Either way, another dev has used Djblets-0.7.30 as a dep of the reviewboard 1.x series and says it's fine. Also the entry for 0.7.30 has in it >=dev-python/django-pipeline-1.2.24, not =dev-python/django-pipeline-1.2.24.

~/cvsPortage/gentoo-x86/dev-python/Djblets $ ebuild Djblets-0.7.31.ebuild clean install
 * python2_7: running distutils-r1_run_phase distutils-r1_python_install_all
>>> Completed installing Djblets-0.7.31 into /mnt/gen2/TmpDir/portage/dev-python/Djblets-0.7.31/image/

django-pipeline is a rdep, and afaiac we rely on graaf's assurance that it doesn't shatter the reviewboard-1 series (he has it running), indicating it's fine at runtime.

*Djblets-0.7.31 (21 Sep 2014)

  21 Sep 2014; Ian Delaney <idella4@gentoo.org> +Djblets-0.7.31.ebuild,
  -Djblets-0.7.28.ebuild:
  bump; ebuild based on graaf's version in his overlay, see Bug 512668, remove
  affected prior version

I suggest you go the full monty and do a stabling of this and finally close this bug.
removed
Package removed per previous comments. GLSA needed?
Package removed from tree per [1]. [1]: https://archives.gentoo.org/gentoo-dev/message/67240888bb49c83e26731062d29042e8