Bug 1179685 (CVE-2015-0222)

Summary: CVE-2015-0222 Django: database denial of service with ModelMultipleChoiceField
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, aortega, apevec, ayoung, chrisw, dallan, gkotton, gmollett, lhh, lpeer, markmc, mrunge, rbryant, sclewis, security-response-team, srevivo
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Django 1.7.3, Django 1.6.10 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-06-14 10:39:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1181951, 1181952    
Bug Blocks: 1179508    
Attachments:
Description Flags
mmc-dos-1.6.x.patch
none
mmc-dos-1.7.x.patch
none
mmc-dos-master.patch none

Description Martin Prpič 2015-01-07 10:35:36 UTC 
The Django project reports the following issue:

"""
Given a form that uses ``ModelMultipleChoiceField`` and ``show_hidden_initial=True`` (not a documented API), it was possible for a user to cause an unreasonable number of SQL queries by submitting duplicate values for the field's data. The validation logic in ``ModelMultipleChoiceField`` now deduplicates submitted values to address this issue.
"""

This issue is resolved in the upstream versions 1.7.3 and 1.6.10.

Acknowledgements:

Red Hat would like to thank the upstream Django project for reporting this issue.
Comment 1 Martin Prpič 2015-01-07 10:36:07 UTC 
Created attachment 977200 [details]
mmc-dos-1.6.x.patch
Comment 2 Martin Prpič 2015-01-07 10:36:09 UTC 
Created attachment 977201 [details]
mmc-dos-1.7.x.patch
Comment 3 Martin Prpič 2015-01-07 10:36:12 UTC 
Created attachment 977202 [details]
mmc-dos-master.patch
Comment 4 Martin Prpič 2015-01-14 07:28:28 UTC 
Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 1181951]
Affects: epel-7 [bug 1181952]
Comment 5 Martin Prpič 2015-01-14 07:30:00 UTC 
External References:

https://www.djangoproject.com/weblog/2015/jan/13/security/
Comment 6 Fedora Update System 2015-01-26 02:32:37 UTC 
python-django-1.6.10-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2015-01-27 03:00:25 UTC 
python-django14-1.4.18-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2015-01-27 03:06:01 UTC 
python-django-1.6.10-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2015-02-05 19:01:51 UTC 
python-django-1.6.10-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Matthias Runge 2016-06-14 10:39:14 UTC 
all related bzs have been closed already.