Summary: | dev-python/Djblets: two xss (CVE-2014-{3994,3995}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | CC: | xmw |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2014/06/06/23 | ||
Whiteboard: | ~4 [glsa?] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
Version-Release number of selected component (if applicable):
python-djblets-0.8.2-1.fc21
python-djblets-0.7.29-1.fc20

~/cvsPortage/gentoo-x86/dev-python/redis-py $ eix Djblets
* dev-python/Djblets
     Available versions:  (~)0.7.28 {PYTHON_TARGETS="python2_6 python2_7"}
     Homepage:            http://github.com/djblets/djblets
     Description:         A collection of useful extensions for Djang

eeeer, we don't even have those in portage. Is this applicable at all? Did you check for these versions, aside from that they likely should be in portage?

(In reply to Ian Delaney from comment #1)
> Version-Release number of selected component (if applicable):
> python-djblets-0.8.2-1.fc21
> python-djblets-0.7.29-1.fc20
>
> ~/cvsPortage/gentoo-x86/dev-python/redis-py $ eix Djblets
> * dev-python/Djblets
>      Available versions:  (~)0.7.28 {PYTHON_TARGETS="python2_6 python2_7"}
>      Homepage:            http://github.com/djblets/djblets
>      Description:         A collection of useful extensions for Djang
>
> eeeer, we don't even have those in portage. Is this applicable at all? Did
> you check for these versions, aside from that they likely should be in portage?

They reproduced on what they have. If nobody knows the bug, for sure it affects the next versions unless the code has been removed.

(In reply to Agostino Sarubbo from comment #2)
> They reproduced on what they have. If nobody knows the bug, for sure it
> affects the next versions unless the code has been removed.

ago, afaict this package is unbumpable. I bumped it to 0.7.28 in April when its deps made it viable, but it's NOT EVEN my package, so feel free to chase up the actual listed maintainer. The salient point here is that it's not officially a python herd package. If you care to know how and why, do so in irc, not here.

Could you guys bump to 0.7.30? That should fix this bug (see following release notes):

version 0.7.30 final (6-June-2014):
* Security:
* Fixed an XSS issue in the gravatars code.
Users could construct a name that would allow for injecting JavaScript in the page. That name is now properly escaped.
* Fixed an XSS issue in json_dumps.
JSON payloads constructed based on user input and then injected into a page could result in custom JavaScript being injected into the page. Additional escaping is now performed to ensure this does not happen.

CVE-2014-3994 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3994):
Cross-site scripting (XSS) vulnerability in util/templatetags/djblets_js.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django, as used in Review Board, allows remote attackers to inject arbitrary web script or HTML via a JSON object, as demonstrated by the name field when changing a user name.

I don't have the time / need to handle this package in an appropriate manner (no longer using reviewboard), so I walk off on this package. I'll update metadata.xml accordingly.

(In reply to Michael Weber from comment #6)

I've just added the 0.7.30 version to tree but there is a dependency conflict.
Djblets depends on dev-python/django-1.5 and >=dev-python/django-pipeline-1.2.24.
All versions of dev-python/django-pipeline are of 1.3 and later, which need >=dev-python/django-1.5.

So this package is broken due to the removal of old enough dev-python/django-pipeline (1.2.x, I assume).

CVE-2014-3995 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3995):
Cross-site scripting (XSS) vulnerability in gravatars/templatetags/gravatars.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django allows remote attackers to inject arbitrary web script or HTML via a user display name.

(In reply to Michael Weber from comment #7)
> (In reply to Michael Weber from comment #6)
>
> I've just added the 0.7.30 version to tree but there is a dependency
> conflict.
> Djblets depends on dev-python/django-1.5 and
> >=dev-python/django-pipeline-1.2.24.
> All versions of dev-python/django-pipeline are of 1.3 and later, which need
> >=dev-python/django-1.5.
>
> So this package is broken due to the removal of old enough
> dev-python/django-pipeline (1.2.x, I assume).

Right, the Djblets.egg-info/requires.txt indeed says django-pipeline==1.2.24; however, in the context of the version history of django-pipeline this may well be a typo and ought to read 1.3.24, which is a recent release. Either way, another dev has used Djblets-0.7.30 as a dep of the reviewboard 1.x series and says it's fine. Also, the entry for 0.7.30 has in it >=dev-python/django-pipeline-1.2.24, not =dev-python/django-pipeline-1.2.24.

~/cvsPortage/gentoo-x86/dev-python/Djblets $ ebuild Djblets-0.7.31.ebuild clean install
 * python2_7: running distutils-r1_run_phase distutils-r1_python_install_all
>>> Completed installing Djblets-0.7.31 into /mnt/gen2/TmpDir/portage/dev-python/Djblets-0.7.31/image/

django-pipeline is a rdep and afaiac we rely on graaf's assurance that it doesn't shatter the reviewboard-1 series (he has it running), indicating it's fine at runtime.

*Djblets-0.7.31 (21 Sep 2014)

  21 Sep 2014; Ian Delaney <idella4@gentoo.org> +Djblets-0.7.31.ebuild,
  -Djblets-0.7.28.ebuild:
  bump; ebuild based on graaf's version in his overlay, see Bug 512668, remove
  affected prior version

I suggest you go the full monty and do a stabling of this and finally close this bug.

removed

Package removed per previous comments. GLSA needed?

Package removed from tree per [1].

[1]: https://archives.gentoo.org/gentoo-dev/message/67240888bb49c83e26731062d29042e8
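The two escaping problems described in the release notes and the CVE texts above (a display name dropped into an HTML attribute unescaped, and a JSON object inlined into a page where a string value can close the enclosing script block) as an added Python example. This is not Djblets' or Review Board's code: the template fragments, the function names and the sample display name are constructed here for illustration, and the `\uXXXX` rewrite stands in for whatever escaping Djblets 0.7.30 actually applies.

```python
import html
import json

# Constructed sample input (not taken from the bug report or from Djblets):
# a user display name carrying a script payload.
MALICIOUS_NAME = '</script><script>alert(1)</script>'


def json_dumps_unsafe(value):
    """Plain json.dumps. The output is valid JSON, but '<' and '>' survive
    verbatim, so a string value can close an enclosing <script> block."""
    return json.dumps(value)


def json_dumps_for_script(value):
    """Illustrative hardening (hypothetical, not Djblets' own json_dumps):
    serialise, then rewrite the characters that matter to the HTML parser
    as JSON \\uXXXX escapes. The result is still valid JSON and valid
    JavaScript, so json.loads() and the browser decode the original string,
    but the raw page text no longer contains a '<' that HTML tokenisation
    could treat as the start of a tag."""
    return (json.dumps(value)
            .replace('&', '\\u0026')
            .replace('<', '\\u003c')
            .replace('>', '\\u003e'))


def render_user_script(name, dumper):
    """Hypothetical template fragment that inlines a JSON object into a
    <script> block, the pattern behind CVE-2014-3994."""
    return '<script>var user = %s;</script>' % dumper({'name': name})


def gravatar_img_unsafe(name):
    """Hypothetical gravatar tag that puts the display name into an
    attribute without escaping, the pattern behind CVE-2014-3995."""
    return '<img alt="%s">' % name


def gravatar_img_safe(name):
    """Same tag with the name HTML-escaped before insertion."""
    return '<img alt="%s">' % html.escape(name, quote=True)


def script_blocks_closed(page):
    """Number of </script> closers the HTML parser sees. A page with one
    intended script block should yield exactly 1; more means the payload
    broke out of the script context."""
    return page.lower().count('</script>')


def roundtrips(value):
    """True if the escaped form still decodes to the original object."""
    return json.loads(json_dumps_for_script(value)) == value


if __name__ == '__main__':
    for dumper in (json_dumps_unsafe, json_dumps_for_script):
        page = render_user_script(MALICIOUS_NAME, dumper)
        print(dumper.__name__, script_blocks_closed(page), page)
    print(gravatar_img_unsafe(MALICIOUS_NAME))
    print(gravatar_img_safe(MALICIOUS_NAME))
```

The two contexts need different escaping: inside a `<script>` block the HTML parser does not decode entities, so `html.escape` would hand `&lt;` to JavaScript literally and break the data, while the JSON `\u003c` form keeps the payload intact for JavaScript and invisible to the HTML tokeniser. In an attribute the reverse holds, and `html.escape(..., quote=True)` is the right tool.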