Bug 1549777 (CVE-2018-7536)

Summary: CVE-2018-7536 django: Catastrophic backtracking in regular expressions via 'urlize' and 'urlizetrunc'
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apevec, augol, bcourt, bkearney, cbillett, chrisw, jakub.dornak, jal233, jjoyce, jmatthew, jschluet, kbasil, lhh, lpeer, mariel, markmc, mburns, mhroncok, michel, mmccune, mrike, mrunge, ohadlevy, rbryant, rchan, rhos-maint, sclewis, security-response-team, sgallagh, sisharma, slinaber, slong, srevivo, ssaha, tdecacqu, tomckay, tsanders, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Django 2.0.3, Django 1.11.11, Django 1.8.19 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:41:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1549905, 1549906, 1551895, 1551896, 1551897, 1551898, 1551899, 1551900, 1551901, 1552177, 1552178, 1552179, 1552307, 1554694, 1557374, 1557395, 1557396    
Bug Blocks: 1549781    

Description Pedro Sampaio 2018-02-27 19:59:49 UTC 
CVE-2018-7536: Denial-of-service possibility in ``urlize`` and
``urlizetrunc`` template filters
===========================================================================

The ``django.utils.html.urlize()`` function was extremely slow to evaluate
certain inputs due to catastrophic backtracking vulnerabilities in two
regular expressions (one regular expression for Django 1.8). The
``urlize()``
function is used to implement the ``urlize`` and ``urlizetrunc`` template
filters, which were thus vulnerable.

The problematic regular expressions are replaced with parsing logic that
behaves similarly.
Comment 5 Adam Mariš 2018-03-06 16:13:39 UTC 
Acknowledgments:

Name: the Django project
Comment 6 Adam Mariš 2018-03-06 16:13:57 UTC 
External References:

https://www.djangoproject.com/weblog/2018/mar/06/security-releases/
Comment 7 Adam Mariš 2018-03-06 16:17:00 UTC 
Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 1552178]
Affects: epel-7 [bug 1552179]


Created python-django16 tracking bugs for this issue:

Affects: epel-7 [bug 1552177]
Comment 13 Andrej Nemec 2018-05-14 15:19:51 UTC 
Statement:

This issue affects the versions of django as shipped with Red Hat Subscription Asset Manager. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 14 errata-xmlrpc 2018-10-16 15:20:55 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927
Comment 18 errata-xmlrpc 2019-01-16 17:11:49 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:0051 https://access.redhat.com/errata/RHSA-2019:0051
Comment 19 errata-xmlrpc 2019-01-16 17:52:52 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2019:0082 https://access.redhat.com/errata/RHSA-2019:0082
Comment 20 errata-xmlrpc 2019-02-04 07:43:40 UTC 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.4 for RHEL 7

Via RHSA-2019:0265 https://access.redhat.com/errata/RHSA-2019:0265