Bug 788130 (CVE-2021-31542)

Summary: <dev-python/django-{2.2.21,3.1.9,3.2.1}: directory-traversal via uploaded files with suitably crafted file names (another one)
Product: Gentoo Security
Reporter: Michał Górny <mgorny>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: minor
CC: ago, python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [glsa? cve]
Package list:
dev-python/django-3.1.9 dev-python/django-2.2.21 amd64 arm64 x86
Runtime testing required: ---

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-05-04 10:11:08 UTC
+CVE-2021-31542: Potential directory-traversal via uploaded files
+================================================================
+
+``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed
+directory-traversal via uploaded files with suitably crafted file names.
+
+In order to mitigate this risk, stricter basename and path sanitation is now
+applied. Specifically, empty file names and paths with dot segments will be
+rejected.
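The release note above describes the mitigation only in one sentence. The following is an added example, not Django's own code and not part of this bug report, showing the sanitation policy it states: an empty basename or a basename of `.`/`..` is rejected, directory components are stripped or rejected, and the final destination is re-checked against the upload root. The function and class names (`sanitize_upload_name`, `store_upload`, `SuspiciousFileName`, `is_rejected`) are this example's own.

```python
"""Added example (not Django's code): upload file-name sanitation of the kind
the CVE-2021-31542 release note describes. Names are assumed to arrive as a
raw string from a multipart form; all function names here are illustrative."""
import os
import pathlib


class SuspiciousFileName(ValueError):
    """Raised when a client-supplied name could escape the upload directory."""


def sanitize_upload_name(name: str, allow_relative_path: bool = False) -> str:
    """Return a safe file name derived from a client-supplied one.

    - Empty names and names whose basename is '.' or '..' are rejected.
    - Backslashes are treated as separators so Windows-style names are
      judged on the same rules.
    - With allow_relative_path=False (default) any directory component is
      rejected; with True, relative sub-paths are kept but absolute paths
      and '..' segments are still rejected.
    """
    name = name.replace("\\", "/")
    base = os.path.basename(name)
    # Trailing slash, lone dots and empty input all yield a useless basename.
    if base in {"", ".", ".."}:
        raise SuspiciousFileName(f"could not derive a file name from {name!r}")
    if allow_relative_path:
        path = pathlib.PurePosixPath(name)
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileName(f"path traversal attempt in {name!r}")
        return str(path)
    if name != base:
        raise SuspiciousFileName(f"{name!r} includes path elements")
    return base


def is_rejected(name: str, allow_relative_path: bool = False) -> bool:
    """Helper for checks: True if sanitize_upload_name() refuses the name."""
    try:
        sanitize_upload_name(name, allow_relative_path)
    except SuspiciousFileName:
        return True
    return False


def store_upload(upload_root: str, client_name: str) -> str:
    """Compute the on-disk destination for an upload and confirm, as an
    independent second check, that it resolves inside upload_root."""
    safe = sanitize_upload_name(client_name, allow_relative_path=True)
    root = pathlib.Path(upload_root).resolve()
    dest = (root / safe).resolve()
    if root not in dest.parents:
        raise SuspiciousFileName(f"{client_name!r} resolves outside {upload_root!r}")
    return str(dest)


if __name__ == "__main__":
    # Constructed sample names, the kind a multipart body might carry.
    for candidate in ["report.pdf", "photos/2021/a.png", "../etc/passwd", "..\\x", "dir/", ""]:
        print(f"{candidate!r:>20} -> rejected={is_rejected(candidate, True)}")
```

The basename test alone is not enough once sub-directories are permitted, which is why `store_upload` resolves the final path and checks it is still under the upload root; keeping both checks means a regression in one does not silently reopen the traversal.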
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-05-04 10:14:16 UTC
Fixed versions:

dev-python/django-3.2.1
dev-python/django-3.1.9
dev-python/django-2.2.21

3.0 branch is EOL, so it'll have to be removed.
Comment 2 NATTkA bot gentoo-dev 2021-05-04 10:16:20 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-05-04 12:44:21 UTC Comment hidden (obsolete)
Comment 4 Agostino Sarubbo gentoo-dev 2021-05-06 06:55:31 UTC
ALLARCHES stable. Closing.
Comment 5 Larry the Git Cow gentoo-dev 2021-05-06 07:33:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18e80c1390384fd9da00c8f2f3f6a8a88389ecff

commit 18e80c1390384fd9da00c8f2f3f6a8a88389ecff
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-05-06 07:21:47 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-05-06 07:33:02 +0000

    dev-python/django: Remove vulnerable versions
    
    Bug: https://bugs.gentoo.org/788130
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/django/Manifest                |   8 ---
 dev-python/django/django-2.2.20.ebuild    |  93 --------------------------
 dev-python/django/django-3.0.14-r1.ebuild | 106 ------------------------------
 dev-python/django/django-3.1.8-r1.ebuild  |  99 ----------------------------
 dev-python/django/django-3.2.ebuild       |  95 --------------------------
 5 files changed, 401 deletions(-)
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-06 07:43:19 UTC
(In reply to Agostino Sarubbo from comment #4)
> ALLARCHES stable. Closing.

Time to fix your scripts ;)
Comment 7 Agostino Sarubbo gentoo-dev 2021-05-06 08:14:24 UTC
(In reply to Sam James from comment #6)
> (In reply to Agostino Sarubbo from comment #4)
> > ALLARCHES stable. Closing.
> 
> Time to fix your scripts ;)

Yes, I noticed that in the last bug where you cc'ed me. It is on my todo list.
FTR, it happens where allarches is set.
Thanks.
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-06 08:17:12 UTC
(In reply to Agostino Sarubbo from comment #7)
> (In reply to Sam James from comment #6)
> > (In reply to Agostino Sarubbo from comment #4)
> > > ALLARCHES stable. Closing.
> > 
> > Time to fix your scripts ;)
> 
> Yes, I noticed that in the last bug where you cc'ed me. It is on my todo list
> FTR It happens where allarches is set.
> Thanks

No worries, I wasn’t sure if you saw but it’s not a big deal at all :)
Comment 9 NATTkA bot gentoo-dev 2021-05-09 08:24:22 UTC
Unable to check for sanity:

> no match for package: dev-python/django-3.1.9
Comment 10 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-05-09 08:26:36 UTC
Cleanup done.
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-11 02:59:02 UTC
GLSA request filed.