Bug 1016601 (CVE-2013-4409)

Summary: CVE-2013-4409 python-djblets: unsanitized eval() vulnerability
Product: [Other] Security Response Reporter: Stephen Gallagher <sgallagh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jrusnack, security-response-team, sgallagh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-01-26 15:15:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1018001, 1018002    
Bug Blocks: 1016713    

Description Stephen Gallagher 2013-10-08 11:44:19 UTC
=== Summary ===
Occasionally objects would be transmitted as a repr() of an object
instead of a JSON serialization. In order to restore this
representation to python code while parsing the JSON, Djblets would
use the eval() routine to execute them, leading to a risk of executing
arbitrary code in the Review Board process.

=== Affected Deployments ===
All Djblets deployments (and therefore all existing Review Board
deployments) are vulnerable to this flaw.

=== Scope ===
A remote attacker might be able to construct a JSON request containing
malicious python code that could be executed within the mod_wsgi
process on the server. It is unknown to what extent it could cause
damage, but denial-of-service at the minimum.

=== Resolution ===
Djblets will now use the literal_eval() routine instead of the eval()
routine when run on platforms with Python 2.6 or later. The
literal_eval() routine will sanitize the results such that only
assignments of literal variables is permitted, as opposed to arbitrary
python code execution.

Special note: If Djblets is installed on a platform running
Python 2.5 or earlier, this code will fall back to the earlier,
less-secure eval() routine. Djblets upstream strongly recommends
migrating such deployments to a more recent version of Python.

It is noted that the primary consumer of this library - Review Board - is not believed to be vulnerable to this issue, as there are other safeguards in place. However, it is possible that other unknown consumers of this library are at risk.

=== Acknowledgements ===
Christian Hammond, lead upstream developer of Review Board is credited
with discovering and correcting this vulnerability.

=== Embargo Information ===
Upstream has coordinated with packagers of various distributions and cloud application vendors to lift the embargo on Thursday, October 8, 2013. This BZ should become public at that time.

Upstream has requested that Red Hat please coordinate the issuance of a CVE for this vulnerability.

Comment 1 Vincent Danen 2013-10-08 14:34:55 UTC
Embargo lifts Thursday October 10th.

Comment 2 Murray McAllister 2013-10-10 23:54:30 UTC
Created python-djblets tracking bugs for this issue:

Affects: fedora-all [bug 1018001]
Affects: epel-6 [bug 1018002]

Comment 4 Fedora Update System 2013-10-29 03:39:55 UTC
ReviewBoard-1.7.16-2.fc19, python-djblets-0.7.21-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2013-10-29 03:43:40 UTC
ReviewBoard-1.7.16-2.fc18, python-djblets-0.7.21-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2013-11-01 21:09:38 UTC
python-djblets-0.7.21-1.el6, ReviewBoard-1.7.16-2.el6.1 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2013-11-10 06:46:37 UTC
ReviewBoard-1.7.16-2.fc20, python-djblets-0.7.21-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Vincent Danen 2013-12-24 20:23:24 UTC

Red Hat would like to thank the Review Board project for reporting this issue. Upstream acknowledges Frederik Braun from Mozilla as the original reporter.