Bug 279720

Summary: <dev-python/django-1.0.3: Disclosure of private files (CVE-2009-2659)
Product: Gentoo Security
Reporter: Matt Summers (RETIRED) <quantumsummers>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: mbartoszkiewicz, python
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.djangoproject.com/weblog/2009/jul/28/security/
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---
Attachments:
  - here is the updated ebuild, with fixes now that tests are included in the release tarball once again. (Flags: none)
  - diff (Flags: none)

Description Matt Summers (RETIRED) gentoo-dev 2009-07-30 17:42:02 UTC
Some vulnerabilities in the development server have prompted this release. The issues relate specifically to handling static media files.

Reproducible: Always
Comment 1 Matt Summers (RETIRED) gentoo-dev 2009-07-30 17:42:55 UTC
Created attachment 199673 [details]
here is the updated ebuild, with fixes now that tests are included in the release tarball once again.

enjoy
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2009-07-30 18:20:14 UTC
Matt, thanks for the report. Python team, please proceed.
Comment 3 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-07-31 00:30:46 UTC
(In reply to comment #1)

Please attach unidiff patches instead of whole ebuilds.
Comment 4 Matt Summers (RETIRED) gentoo-dev 2009-07-31 15:03:25 UTC
Created attachment 199749 [details]
diff

including fix for upstream tarball name change, and removal of tests workaround as they are now, correctly, included in the release.

Thanks to Arfrever for the assist.
Comment 5 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-08-02 19:30:53 UTC
Fixed.
Comment 6 Michał Bartoszkiewicz 2009-08-03 02:25:18 UTC
Parentheses in RDEPEND in the ebuild in the tree seem to be wrong:
    sqlite? ( || (
        >=dev-lang/python-2.5[sqlite] )
        ( dev-python/pysqlite:2 <dev-lang/python-2.5 )
    )
(and similar for test in DEPEND)
I think there should be no parenthesis after >=dev-lang/python-2.5[sqlite] -- now portage wants to install python-2.4 and pysqlite in addition to python-2.6 I have already installed.
Comment 7 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-08-03 05:10:50 UTC
(In reply to comment #6)

Fixed.
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-05 11:34:08 UTC
CVE-2009-2659 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2659):
  The Admin media handler in core/servers/basehttp.py in Django 1.0 and
  0.96 does not properly map URL requests to expected "static media
  files," which allows remote attackers to conduct directory traversal
  attacks and read arbitrary files via a crafted URL.
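The CVE text above describes a static-media handler that maps request URLs to files without confining the result to the media directory. The following is an added illustration, not Django's code, of how such a mapping can be done safely: the URL prefix, media root and function names are assumptions chosen for the example.

```python
import os
import posixpath
from typing import Optional
from urllib.parse import unquote


def map_media_path(url_path: str, prefix: str, media_root: str) -> Optional[str]:
    """Map a request path below `prefix` to a file below `media_root`.

    Returns the filesystem path, or None when the request does not belong to
    this handler or would resolve to anything outside `media_root`.
    """
    if not url_path.startswith(prefix):
        return None
    # Percent-decode first so encoded "%2e%2e" segments are seen as "..".
    rel = unquote(url_path[len(prefix):])
    # Normalise as a POSIX path and drop a leading slash so the remainder
    # can never be treated as an absolute path by os.path.join().
    rel = posixpath.normpath(rel).lstrip("/")
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    if not parts:
        return None  # the bare prefix names no file
    # After normpath, a surviving ".." means the request climbs above the root.
    for part in parts:
        if part == "..":
            return None
        if os.sep in part or (os.path.altsep and os.path.altsep in part):
            return None  # a segment smuggling a platform separator
    root = os.path.realpath(media_root)
    full = os.path.realpath(os.path.join(root, *parts))
    # Final containment check after symlink resolution; this is the guard the
    # vulnerable handler lacked, and it must compare on a separator boundary
    # so that "/srv/media-private" is not accepted as inside "/srv/media".
    if not full.startswith(root + os.sep):
        return None
    return full
```

The lexical checks reject traversal before touching the filesystem, and the realpath comparison catches symlinks that point out of the media root.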