Bug 768240 (CVE-2021-3281)

Summary:	<dev-python/django-{2.2.18,3.0.12,3.1.6}: Directory traversal (CVE-2021-3281)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	IN_PROGRESS ---
Severity:	minor	CC:	python
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://www.djangoproject.com/weblog/2021/feb/01/security-releases/
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=771627
Whiteboard:	B4 [glsa? cve]
Package list:		Runtime testing required:	---

Description Sam James archtester

2021-02-01 15:36:30 UTC

"CVE-2021-3281: Potential directory-traversal via archive.extract()

The django.utils.archive.extract() function, used by startapp --template and startproject --template, allowed directory-traversal via an archive with absolute paths or relative paths with dot segments."

Fixed in: 3.1.6, 3.0.12, and 2.2.18

Comment 1 Sam James archtester

2021-02-13 17:57:47 UTC

amd64 arm arm64 x86 (ALLARCHES) done

all arches done

Comment 2 Larry the Git Cow gentoo-dev

2021-02-13 20:15:35 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=70cd8f0b94f8277ce84ea0502ce83a243d6167c9

commit 70cd8f0b94f8277ce84ea0502ce83a243d6167c9
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-02-13 18:41:56 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-02-13 20:15:29 +0000

    dev-python/django: Remove old
    
    Bug: https://bugs.gentoo.org/768240
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/django/Manifest                        |   8 --
 dev-python/django/django-2.2.17.ebuild            |  95 --------------------
 dev-python/django/django-3.0.11.ebuild            | 103 ----------------------
 dev-python/django/django-3.1.4.ebuild             |  95 --------------------
 dev-python/django/django-3.1.5.ebuild             |  95 --------------------
 dev-python/django/files/django-gettext-0.21.patch |  39 --------
 6 files changed, 435 deletions(-)

Comment 3 John Helmert III archtester

2021-07-11 02:58:59 UTC

GLSA request filed.

Comment 4 NATTkA bot gentoo-dev

2021-07-29 17:24:15 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 5 NATTkA bot gentoo-dev

2021-07-29 17:32:42 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 6 NATTkA bot gentoo-dev

2021-07-29 17:40:36 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 7 NATTkA bot gentoo-dev

2021-07-29 17:48:46 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 8 NATTkA bot gentoo-dev

2021-07-29 18:04:41 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 9 NATTkA bot gentoo-dev

2021-07-29 18:12:59 UTC

Package list is empty or all packages have requested keywords.