
Bug 543754 (CVE-2015-2316)

Summary: <dev-python/django-1.{4.20,6.11,7.7}: multiple vulnerabilities DOS & XSS (CVE-2015-{2316,2317})
Product: Gentoo Security
Reporter: Justin Lecher (RETIRED) <jlec>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.djangoproject.com/weblog/2015/mar/18/security-releases/
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Justin Lecher (RETIRED) gentoo-dev 2015-03-19 07:40:46 UTC
In accordance with our security release policy, the Django team is issuing multiple releases -- Django 1.4.20, 1.6.11, 1.7.7 and 1.8c1. These releases are now available on PyPI and our download page. These releases address several security issues detailed below. We encourage all users of Django to upgrade as soon as possible. The Django master branch has also been updated.

Django 1.8 is now at release candidate stage. This marks the string freeze and the call for translators to submit translations. Provided no major bugs are discovered that can't be solved in the next two weeks, 1.8 final will be issued on or around April 1. Any delays will be communicated on the django-developers mailing list thread.

Denial-of-service possibility with strip_tags()

Last year django.utils.html.strip_tags was changed to work iteratively. The problem is that the size of the input it's processing can increase on each iteration which results in an infinite loop in strip_tags(). This issue only affects versions of Python that haven't received a bugfix in HTMLParser; namely Python < 2.7.7 and 3.3.5. Some operating system vendors have also backported the fix for the Python bug into their packages of earlier versions.

To remedy this issue, strip_tags() will now return the original input if it detects the length of the string it's processing increases. Remember that absolutely NO guarantee is provided about the results of strip_tags() being HTML safe. So NEVER mark safe the result of a strip_tags() call without escaping it first, for example with django.utils.html.escape.

Thanks Andrey Babak for reporting the issue.

This issue has been assigned the identifier CVE-2015-2316.

Mitigated possible XSS attack via user-supplied redirect URLs

Django relies on user input in some cases (e.g. django.contrib.auth.views.login and i18n) to redirect the user to an "on success" URL. The security checks for these redirects (namely django.utils.http.is_safe_url()) accepted URLs with leading control characters and so considered URLs like \x08javascript:... safe. This issue doesn't affect Django currently, since we only put this URL into the Location response header and browsers seem to ignore JavaScript there. Browsers we tested also treat URLs prefixed with control characters such as %08//example.com as relative paths so redirection to an unsafe target isn't a problem either.

However, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack as some browsers such as Google Chrome ignore control characters at the start of a URL in an anchor href.

Thanks Daniel Chatfield for reporting the issue.

This issue has been assigned the identifier CVE-2015-2317.
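The two checks described in the advisory, as an added illustration that is not part of this bug report and not Django's own code: simplified re-implementations of strip_tags() and is_safe_url() showing the growth guard that stops the infinite loop (CVE-2015-2316) and the rejection of a leading control character in a redirect target (CVE-2015-2317). The regex-based per-pass stripper, the growing_strip_once() stand-in for a stripper whose output is longer than its input, and the host/URL values are all assumptions made for the example.

```python
"""Added example: simplified strip_tags() and is_safe_url() with the fixes
described in the Django 1.4.20 / 1.6.11 / 1.7.7 advisory.  Not Django's code."""
import re
import unicodedata
from urllib.parse import urlparse

# One pass of tag removal: drop any <...> that contains no nested '<' or '>'.
# Assumption: a regex stand-in for Django's HTMLParser-based _strip_once().
_TAG_RE = re.compile(r"<[^<>]*>")


def _strip_once(value):
    return _TAG_RE.sub("", value)


def strip_tags(value, strip_once=_strip_once, max_passes=50):
    """Strip tags iteratively, refusing to loop when a pass does not shrink the input.

    One pass is not enough: "<scr<script>ipt>" turns into "<script>" once the
    inner tag is gone, so the output is fed back in until no tag remains.  The
    pre-fix loop ran for as long as '<' and '>' were present; a per-pass
    stripper that ever *lengthens* its input (the HTMLParser bug the advisory
    mentions) made that loop endless.  Any growth now aborts the loop and the
    original input is returned unchanged, as the advisory describes.
    """
    original = value
    for _ in range(max_passes):
        if "<" not in value or ">" not in value:
            break
        new_value = strip_once(value)
        if len(new_value) > len(value):
            return original          # growth detected: bail out instead of looping
        if len(new_value) == len(value):
            break                    # no progress: nothing left to strip
        value = new_value
    return value


def growing_strip_once(value):
    """Constructed stand-in for a buggy stripper whose output is longer than
    its input, mimicking the failure mode that made the old loop infinite."""
    return value + "&amp;"


def is_safe_url(url, host):
    """Return True only for a relative path or an http(s) URL on `host`.

    The control-character test runs on the raw string, before urlparse(): a
    value such as "\\x08javascript:alert(1)" has no scheme or netloc that a
    parser would flag, yet browsers such as Chrome drop the leading control
    character when the URL is placed in an anchor href.
    """
    if not url:
        return False
    url = url.replace("\\", "/")       # Chrome treats backslash as slash
    if url.startswith("///"):          # three leading slashes is absolute in Chrome
        return False
    if unicodedata.category(url[0]).startswith("C"):
        return False                   # leading control character (e.g. \x08)
    parts = urlparse(url)
    if parts.scheme and not parts.netloc:
        return False                   # "javascript:..." or "http:///example.com"
    host_ok = not parts.netloc or parts.netloc == host
    scheme_ok = not parts.scheme or parts.scheme in ("http", "https")
    return host_ok and scheme_ok


if __name__ == "__main__":
    print(strip_tags("<scr<script>ipt>alert(1)</script>"))            # alert(1)
    print(strip_tags("<b>bold</b>", strip_once=growing_strip_once))   # <b>bold</b>
    for u in ("/accounts/profile/", "\x08javascript:alert(1)", "//evil.example/"):
        print(repr(u), is_safe_url(u, "example.com"))
```

The control-character check is deliberately independent of the parser: current CPython's urlparse() strips leading C0 control characters itself, so a check that only inspected the parsed scheme and netloc would give different answers on different interpreter versions, and the advisory's point is that is_safe_url() must reject such input outright rather than let it through as a "relative path". As the advisory also stresses, the output of strip_tags() is still not HTML-safe and must be escaped before being marked safe.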
Comment 1 Justin Lecher (RETIRED) gentoo-dev 2015-03-19 07:44:40 UTC
+*django-1.4.20 (19 Mar 2015)
+*django-1.6.11 (19 Mar 2015)
+*django-1.7.7 (19 Mar 2015)
+
+  19 Mar 2015; Justin Lecher <jlec@gentoo.org> +django-1.4.20.ebuild,
+  +django-1.6.11.ebuild, +django-1.7.7.ebuild, -django-1.7.6.ebuild:
+  Version Bump, fixes CVE-2015-231{6,7} bug #543754
+
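Review bot: the ChangeLog line "fixes CVE-2015-231{6,7}" credits both CVEs to all three bumps, but the NVD text quoted in comment 7 of this bug lists CVE-2015-2316 (strip_tags DoS) for 1.6.x, 1.7.x and 1.8.x only, so the django-1.4.20 bump addresses only CVE-2015-2317; consider noting the CVEs per version, e.g. "1.4.20 fixes CVE-2015-2317; 1.6.11 and 1.7.7 fix CVE-2015-2316 and CVE-2015-2317".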
Comment 2 Justin Lecher (RETIRED) gentoo-dev 2015-03-19 07:45:24 UTC
@arches please stable,

dev-python/django-1.4.20
dev-python/django-1.6.11
Comment 3 Andreas Schürch gentoo-dev 2015-03-19 19:15:58 UTC
x86 done.
Comment 4 Agostino Sarubbo gentoo-dev 2015-03-24 09:12:41 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Justin Lecher (RETIRED) gentoo-dev 2015-03-24 09:20:38 UTC
+  24 Mar 2015; Justin Lecher <jlec@gentoo.org> -django-1.4.19.ebuild,
+  -django-1.6.10.ebuild:
+  Clean up after sec stabilization, bug #543754
+
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2015-03-28 17:23:51 UTC
Arches, Thank you for your work.
GLSA Vote: No
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-04-11 04:11:29 UTC
CVE-2015-2317 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2317):
  The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x
  before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly
  validate URLs, which allows remote attackers to conduct cross-site scripting
  (XSS) attacks via a control character in a URL, as demonstrated by a
  \x08javascript: URL.

CVE-2015-2316 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2316):
  The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x
  before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python,
  allows remote attackers to cause a denial of service (infinite loop) by
  increasing the length of the input string.
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-05-11 20:08:37 UTC
GLSA vote: no.

Closing as [noglsa]