Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 521324 (2014-0480) - <dev-python/django-{1.4.15,1.5.10,1.6.7}: multiple vulnerabilities (CVE-2014-{0480,0481,0482,0483})
Summary: <dev-python/django-{1.4.15,1.5.10,1.6.7}: multiple vulnerabilities (CVE-2014-...
Status: RESOLVED FIXED
Alias: 2014-0480
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.djangoproject.com/weblog/...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-08-27 15:46 UTC by Agostino Sarubbo
Modified: 2014-12-13 18:35 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-08-27 15:46:02 UTC
From ${URL} :

Today the Django team is issuing multiple releases -- Django 1.4.14, Django 1.5.9, Django 1.6.6, and Django 1.7 release candidate 3 -- as part of our security process. These releases are now available on PyPI and our download page.

These releases address an issue with reverse() generating external URLs; a denial of service involving file uploads; a potential session hijacking issue in the remote-user middleware; and a data leak in the administrative interface. We encourage all users of 
Django to upgrade as soon as possible.

Issue: reverse() can generate URLs pointing to other hosts (CVE-2014-0480)
Django includes the helper function django.core.urlresolvers.reverse, typically used to generate a URL from a reference to a view function or URL pattern name. However, when presented with input beginning with two forward-slash characters (//), reverse() could 
generate scheme-relative URLs to other hosts, allowing an attacker who is aware of unsafe use of reverse() (i.e., in a situation where an end user can control the target of a redirect, to take a common example) to generate links to sites of their choice, enabling 
phishing and other attacks.

To remedy this, URL reversing now ensures that no URL starts with two slashes (//), replacing the second slash with its URL encoded counterpart (%2F). This approach ensures that semantics stay the same, while making the URL relative to the domain and not to the 
scheme.

Thanks to Florian Apolloner for reporting this issue.

Issue: file upload denial of service (CVE-2014-0481)
In the default configuration, when Django's file upload handling system is presented with a file that would have the same on-disk path and name as an existing file, it attempts to generate a new unique filename by appending an underscore and an integer to the end 
of the (as stored on disk) filename, incrementing the integer (i.e., _1, _2, etc.) until it has generated a name which does not conflict with any existing file.

An attacker with knowledge of this can exploit the sequential behavior of filename generation by uploading many tiny files which all share a filename; Django will, in processing them, generate ever-increasing numbers of os.stat() calls as it attempts to generate 
a unique filename. As a result, even a relatively small number of such uploads can significantly degrade performance.

To remedy this, Django's file-upload system will no longer use sequential integer names to avoid filename conflicts on disk; instead, a short random alphanumeric string will be appended, removing the ability to reliably generate many repeatedly-conflicting 
filenames.

Thanks to David Wilson for reporting this issue.

Issue: RemoteUserMiddleware session hijacking (CVE-2014-0482)
Django provides a middleware -- django.contrib.auth.middleware.RemoteUserMiddleware -- and an authentication backend, django.contrib.auth.backends.RemoteUserBackend, which use the REMOTE_USER header for authentication purposes.

In some circumstances, use of this middleware and backend could result in one user receiving another user's session, if a change to the REMOTE_USER header occurred without corresponding logout/login actions.

To remedy this, the middleware will now ensure that a change to REMOTE_USER without an explicit logout will force a logout and subsequent login prior to accepting the new REMOTE_USER.

Thanks to David Greisen for reporting this issue.

Issue: data leakage via querystring manipulation in admin (CVE-2014-0483)
Django's administrative interface, django.contrib.admin, offers a feature whereby related objects can be displayed for selection in a popup window. The mechanism for this relies on placing values in the URL and querystring which specify the related model to 
display and the field through which the relationship is implemented. This mechanism does perform permission checks at the level of the model class as a whole.

This mechanism did not, however, verify that the specified field actually represents a relationship between models. Thus a user with access to the admin interface, and with sufficient knowledge of model structure and the appropriate URLs, could construct popup 
views which would display the values of non-relationship fields, including fields the application developer had not intended to expose in such a fashion.

To remedy this, the admin interface will now, in addition to its normal permission checks, verify that the specified field does indeed represent a relationship, to a model registered with the admin, and will raise an exception if either condition is not true.

Thanks to Collin Anderson for reporting this issue.

Affected versions
Django master development branch (currently at pre-alpha status)
Django 1.7 (currently at release candidate status)
Django 1.6
Django 1.5
Django 1.4
Resolution
Patches have been applied to Django's master development branch, and to the 1.4, 1.5, 1.6 and 1.7 release branches, which resolve the issues described above. The patches may be obtained directly from the following changesets:

On the development master branch:

master reverse() patch
master file upload patch
master remote-user patch
master admin patch
On the 1.7 release branch:

1.7 reverse() patch
1.7 file upload patch
1.7 remote-user patch
1.7 admin patch
On the 1.6 release branch:

1.6 reverse() patch
1.6 file upload patch
1.6 remote-user patch
1.6 admin patch
On the 1.5 release branch:

1.5 reverse() patch
1.5 file upload patch
1.5 remote-user patch
1.5 admin patch
On the 1.4 release branch:

1.4 reverse() patch
1.4 file upload patch
1.4 remote-user patch
1.4 admin patch
The following new releases have been issued:

Django 1.7 release candidate 3 (download Django 1.7c3 | 1.7c3 checksums)
Django 1.6.6 (download Django 1.6.6 | 1.6.6 checksums)
Django 1.5.9 (download Django 1.5.9 | 1.5.9 checksums)
Django 1.4.14 (download Django 1.4.14 | 1.4.14 checksums)
General notes regarding security reporting
As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2014-09-01 05:07:39 UTC
new versions added, please proceed
Comment 2 Agostino Sarubbo gentoo-dev 2014-09-02 07:35:00 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2014-09-02 07:35:17 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2014-09-03 20:30:03 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version.

GLSA Vote: Yes
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-09-03 20:50:46 UTC
CVE-2014-0483 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0483):
  The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x
  before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does
  not check if a field represents a relationship between models, which allows
  remote authenticated users to obtain sensitive information via a to_field
  parameter in a popup action to an admin change form page, as demonstrated by
  a /admin/auth/user/?pop=1&t=password URI.

CVE-2014-0482 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0482):
  The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before
  1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release
  candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend,
  allows remote authenticated users to hijack web sessions via vectors related
  to the REMOTE_USER header.

CVE-2014-0481 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0481):
  The default configuration for the file upload handling system in Django
  before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before
  release candidate 3 uses a sequential file name generation process when a
  file with a conflicting name is uploaded, which allows remote attackers to
  cause a denial of service (CPU consumption) by unloading a multiple files
  with the same name.

CVE-2014-0480 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0480):
  The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before
  1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not
  properly validate URLs, which allows remote attackers to conduct phishing
  attacks via a // (slash slash) in a URL, which triggers a scheme-relative
  URL to be generated.
Comment 6 Ian Delaney (RETIRED) gentoo-dev 2014-09-04 14:26:33 UTC
  04 Sep 2014; Ian Delaney <idella4@gentoo.org> -django-1.4.13.ebuild,
  -django-1.5.8.ebuild, -django-1.6.5.ebuild:
  drop vulnerable versions wrt Bug #521324
Comment 7 Kristian Fiskerstrand gentoo-dev Security 2014-09-04 18:14:56 UTC
GLSA Vote(In reply to Ian Delaney from comment #6)
>   04 Sep 2014; Ian Delaney <idella4@gentoo.org> -django-1.4.13.ebuild,
>   -django-1.5.8.ebuild, -django-1.6.5.ebuild:
>   drop vulnerable versions wrt Bug #521324

Thank you for cleanup.

GLSA Vote: Yes. 

New GLSA Request filed.
Comment 8 Arfrever Frehtes Taifersar Arahesis 2014-09-06 05:45:20 UTC
https://www.djangoproject.com/weblog/2014/sep/02/release-17-final/ :

"Bugfix releases

... today we are issuing bugfix releases in the 1.4, 1.5 and 1.6 series, which correct some bugs which existed after the most recent security releases.

Today's releases are:

    Django 1.4.15 (download 1.4.15 | 1.4.15 checksums)
    Django 1.5.10 (download 1.5.10 | 1.5.10 checksums)
    Django 1.6.7 (download 1.6.7 | 1.6.7 checksums)"
Comment 9 Arfrever Frehtes Taifersar Arahesis 2014-09-06 07:13:05 UTC
(In reply to Arfrever Frehtes Taifersar Arahesis from comment #8)

Detailed explanation of regression:
https://code.djangoproject.com/ticket/23329
Comment 10 Ian Delaney (RETIRED) gentoo-dev 2014-09-09 06:49:51 UTC
(In reply to Arfrever Frehtes Taifersar Arahesis from comment #8)
> https://www.djangoproject.com/weblog/2014/sep/02/release-17-final/ :
> 
> "Bugfix releases
> 
> ... today we are issuing bugfix releases in the 1.4, 1.5 and 1.6 series,
> which correct some bugs which existed after the most recent security
> releases.
> 
> Today's releases are:
> 
>     Django 1.4.15 (download 1.4.15 | 1.4.15 checksums)
>     Django 1.5.10 (download 1.5.10 | 1.5.10 checksums)
>     Django 1.6.7 (download 1.6.7 | 1.6.7 checksums)"

*django-1.6.7 (09 Sep 2014)
*django-1.4.15 (09 Sep 2014)
*django-1.5.10 (09 Sep 2014)

  09 Sep 2014; Ian Delaney <idella4@gentoo.org> +django-1.4.15.ebuild,
  +django-1.5.10.ebuild, +django-1.6.7.ebuild, django-9999.ebuild:
  bumps
Comment 11 Ian Delaney (RETIRED) gentoo-dev 2014-09-10 13:31:23 UTC
Need to do them again. Please proceed
Comment 12 Agostino Sarubbo gentoo-dev 2014-09-13 17:24:41 UTC
amd64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-09-13 17:24:58 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 14 Ian Delaney (RETIRED) gentoo-dev 2014-09-17 13:03:06 UTC
  17 Sep 2014; Ian Delaney <idella4@gentoo.org> -django-1.4.14.ebuild,
  -django-1.5.9.ebuild, -django-1.6.6.ebuild, django-1.6.7.ebuild,
  django-1.7.ebuild:
  syntax fix, drop vulnerable versions wrt Bug #521324
Comment 15 Yury German Gentoo Infrastructure gentoo-dev Security 2014-09-17 15:02:21 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: Yes
Comment 16 Sean Amoss gentoo-dev Security 2014-12-03 01:10:31 UTC
GLSA vote: yes. 

GLSA drafted and ready for peer-review.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 18:35:22 UTC
This issue was resolved and addressed in
 GLSA 201412-22 at http://security.gentoo.org/glsa/glsa-201412-22.xml
by GLSA coordinator Sean Amoss (ackle).