Bug 788130 (CVE-2021-31542) - <dev-python/django-{2.2.21,3.1.9,3.2.1}: directory-traversal via uploaded files with suitably crafted file names (another one)
Summary: <dev-python/django-{2.2.21,3.1.9,3.2.1}: directory-traversal via uploaded fil...
Status: CONFIRMED
Alias: CVE-2021-31542
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-04 10:11 UTC by Michał Górny
Modified: 2021-07-11 02:59 UTC
CC List: 2 users

See Also:
Package list:
dev-python/django-3.1.9 dev-python/django-2.2.21 amd64 arm64 x86
Runtime testing required: ---
nattka: sanity-check-


Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-05-04 10:11:08 UTC
+CVE-2021-31542: Potential directory-traversal via uploaded files
+================================================================
+
+``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed
+directory-traversal via uploaded files with suitably crafted file names.
+
+In order to mitigate this risk, stricter basename and path sanitation is now
+applied. Specifically, empty file names and paths with dot segments will be
+rejected.
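The description above names the three entry points (MultiPartParser, UploadedFile, FieldFile) and the mitigation (reject empty names and paths with dot segments) but shows no code. The following is an added example, not Django's code and not part of this bug report: it contrasts the unvalidated join an upload handler might do on a client-supplied filename with a validator that applies the stated rules, run over a constructed upload root and constructed filenames (nothing is written to disk). The names SuspiciousFileName, validate_upload_name, safe_destination and UPLOAD_ROOT are this example's own and are not Django's API; the basename/relative-path split is an assumption about how the two cases in the description differ (a multipart filename must be a bare name, while an upload_to path may legitimately contain subdirectories).

```python
import os
import pathlib

# Constructed for this example: a hypothetical MEDIA_ROOT-style upload root.
UPLOAD_ROOT = "/srv/app/media"


class SuspiciousFileName(ValueError):
    """Raised when a client-supplied file name could escape the upload root."""


def naive_destination(upload_root, name):
    """Pre-fix pattern: join the client-supplied name onto the upload root with
    no validation and return the normalised path it would be written to."""
    return os.path.normpath(os.path.join(upload_root, name))


def escapes_root(upload_root, dest):
    """True if dest does not lie inside upload_root (the traversal outcome)."""
    root = os.path.normpath(upload_root)
    return os.path.commonpath([root, os.path.normpath(dest)]) != root


def validate_upload_name(name, allow_relative_path=False):
    """Apply the sanitation rules the CVE-2021-31542 release note describes.

    Always rejected: an empty name, and a name whose last component is '.' or '..'.
    Basename mode (allow_relative_path=False; assumed to model the multipart
    filename case): the name must carry no directory part at all.
    Relative-path mode (assumed to model the FieldFile/upload_to case, where
    'sub/dir/name' is legitimate): absolute paths and any '..' segment are rejected.
    Returns the name unchanged when it is acceptable.
    """
    base = os.path.basename(name)
    if base in {"", ".", ".."}:
        raise SuspiciousFileName(f"could not derive a file name from {name!r}")
    if allow_relative_path:
        # PurePosixPath: upload paths are assumed to use forward slashes. It
        # collapses harmless '.' segments, so only '..' needs an explicit check.
        path = pathlib.PurePosixPath(name)
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileName(f"path traversal attempt in {name!r}")
    elif name != base:
        raise SuspiciousFileName(f"{name!r} contains path elements")
    return name


def safe_destination(upload_root, name, allow_relative_path=False):
    """Hardened replacement for naive_destination: validate the name first,
    then confirm the joined path still lies under the root (defence in depth)."""
    validate_upload_name(name, allow_relative_path)
    dest = os.path.normpath(os.path.join(upload_root, name))
    if escapes_root(upload_root, dest):
        raise SuspiciousFileName(f"{name!r} resolves outside {upload_root!r}")
    return dest


def rejects(name, allow_relative_path=False):
    """Predicate: does the validator reject this name in the given mode?"""
    try:
        validate_upload_name(name, allow_relative_path)
    except SuspiciousFileName:
        return True
    return False


# Constructed sample names, as a multipart 'filename=' parameter might carry them.
SAMPLE_NAMES = ["report.pdf", "", ".", "..", "../../etc/cron.d/job",
                "sub/report.pdf", "/etc/passwd", "uploads/../../../etc/passwd"]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        dest = naive_destination(UPLOAD_ROOT, name)
        print(f"{name!r:32} naive -> {dest!r:30} escapes_root={escapes_root(UPLOAD_ROOT, dest)!s:5} "
              f"rejected(basename)={rejects(name)!s:5} rejected(relative)={rejects(name, True)}")
```

Running the block prints one row per sample name; "../../etc/cron.d/job" resolves to /srv/etc/cron.d/job under the naive join, outside the upload root, and is rejected in both validator modes, while "sub/report.pdf" is rejected only in basename mode. The example assumes POSIX separators; on Windows, backslashes in the client-supplied name would need the same treatment.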
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-05-04 10:14:16 UTC
Fixed versions:

dev-python/django-3.2.1
dev-python/django-3.1.9
dev-python/django-2.2.21

3.0 branch is EOL, so it'll have to be removed.
Comment 2 NATTkA bot gentoo-dev 2021-05-04 10:16:20 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-05-04 12:44:21 UTC Comment hidden (obsolete)
Comment 4 Agostino Sarubbo gentoo-dev 2021-05-06 06:55:31 UTC
ALLARCHES stable. Closing.
Comment 5 Larry the Git Cow gentoo-dev 2021-05-06 07:33:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18e80c1390384fd9da00c8f2f3f6a8a88389ecff

commit 18e80c1390384fd9da00c8f2f3f6a8a88389ecff
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-05-06 07:21:47 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-05-06 07:33:02 +0000

    dev-python/django: Remove vulnerable versions
    
    Bug: https://bugs.gentoo.org/788130
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/django/Manifest                |   8 ---
 dev-python/django/django-2.2.20.ebuild    |  93 --------------------------
 dev-python/django/django-3.0.14-r1.ebuild | 106 ------------------------------
 dev-python/django/django-3.1.8-r1.ebuild  |  99 ----------------------------
 dev-python/django/django-3.2.ebuild       |  95 --------------------------
 5 files changed, 401 deletions(-)
Comment 6 Sam James archtester gentoo-dev Security 2021-05-06 07:43:19 UTC
(In reply to Agostino Sarubbo from comment #4)
> ALLARCHES stable. Closing.

Time to fix your scripts ;)
Comment 7 Agostino Sarubbo gentoo-dev 2021-05-06 08:14:24 UTC
(In reply to Sam James from comment #6)
> (In reply to Agostino Sarubbo from comment #4)
> > ALLARCHES stable. Closing.
> 
> Time to fix your scripts ;)

Yes, I noticed that in the last bug where you cc'ed me. It is on my todo list.
FTR, it happens where allarches is set.
Thanks
Comment 8 Sam James archtester gentoo-dev Security 2021-05-06 08:17:12 UTC
(In reply to Agostino Sarubbo from comment #7)
> (In reply to Sam James from comment #6)
> > (In reply to Agostino Sarubbo from comment #4)
> > > ALLARCHES stable. Closing.
> > 
> > Time to fix your scripts ;)
> 
> Yes, I noticed that in the last bug where you cc'ed me. It is on my todo list.
> FTR, it happens where allarches is set.
> Thanks

No worries, I wasn’t sure if you saw but it’s not a big deal at all :)
Comment 9 NATTkA bot gentoo-dev 2021-05-09 08:24:22 UTC
Unable to check for sanity:

> no match for package: dev-python/django-3.1.9
Comment 10 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-05-09 08:26:36 UTC
cleanup done.
Comment 11 John Helmert III gentoo-dev Security 2021-07-11 02:59:02 UTC
GLSA request filed.