|Summary:||CVE-2013-4409 python-djblets: unsanitized eval() vulnerability|
|Product:||[Other] Security Response||Reporter:||Stephen Gallagher <sgallagh>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:|
|Version:||unspecified||CC:||jrusnack, security-response-team, sgallagh|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2016-01-26 15:15:21 UTC||Type:||Bug|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||1018001, 1018002|
Description Stephen Gallagher 2013-10-08 11:44:19 UTC
=== Summary === Occasionally objects would be transmitted as a repr() of an object instead of a JSON serialization. In order to restore this representation to python code while parsing the JSON, Djblets would use the eval() routine to execute them, leading to a risk of executing arbitrary code in the Review Board process. === Affected Deployments === All Djblets deployments (and therefore all existing Review Board deployments) are vulnerable to this flaw. === Scope === A remote attacker might be able to construct a JSON request containing malicious python code that could be executed within the mod_wsgi process on the server. It is unknown to what extent it could cause damage, but denial-of-service at the minimum. === Resolution === Djblets will now use the literal_eval() routine instead of the eval() routine when run on platforms with Python 2.6 or later. The literal_eval() routine will sanitize the results such that only assignments of literal variables is permitted, as opposed to arbitrary python code execution. Special note: If Djblets is installed on a platform running Python 2.5 or earlier, this code will fall back to the earlier, less-secure eval() routine. Djblets upstream strongly recommends migrating such deployments to a more recent version of Python. It is noted that the primary consumer of this library - Review Board - is not believed to be vulnerable to this issue, as there are other safeguards in place. However, it is possible that other unknown consumers of this library are at risk. === Acknowledgements === Christian Hammond, lead upstream developer of Review Board is credited with discovering and correcting this vulnerability. === Embargo Information === Upstream has coordinated with packagers of various distributions and cloud application vendors to lift the embargo on Thursday, October 8, 2013. This BZ should become public at that time. Upstream has requested that Red Hat please coordinate the issuance of a CVE for this vulnerability.
Comment 1 Vincent Danen 2013-10-08 14:34:55 UTC
Embargo lifts Thursday October 10th.
Comment 2 Murray McAllister 2013-10-10 23:54:30 UTC
Created python-djblets tracking bugs for this issue: Affects: fedora-all [bug 1018001] Affects: epel-6 [bug 1018002]
Comment 3 Murray McAllister 2013-10-11 00:02:31 UTC
Comment 4 Fedora Update System 2013-10-29 03:39:55 UTC
ReviewBoard-1.7.16-2.fc19, python-djblets-0.7.21-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2013-10-29 03:43:40 UTC
ReviewBoard-1.7.16-2.fc18, python-djblets-0.7.21-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2013-11-01 21:09:38 UTC
python-djblets-0.7.21-1.el6, ReviewBoard-1.7.16-2.el6.1 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-11-10 06:46:37 UTC
ReviewBoard-1.7.16-2.fc20, python-djblets-0.7.21-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Vincent Danen 2013-12-24 20:23:24 UTC
Acknowledgements: Red Hat would like to thank the Review Board project for reporting this issue. Upstream acknowledges Frederik Braun from Mozilla as the original reporter.