Bug 1874485 (CVE-2020-24583)

Summary: CVE-2020-24583 django: incorrect permissions on intermediate-level directories on Python 3.7+
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apevec, bbuckingham, bcourt, bkearney, btotty, dbecker, hhudgeon, hvyas, jal233, jjoyce, jschluet, kbasil, lhh, lpeer, lzap, mburns, mhroncok, michel, mmccune, mrunge, nmoumoul, puebele, rchan, rdopiera, rhos-maint, rjerrido, sclewis, sgallagh, slavek.kabrda, slinaber, sokeeffe
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Django 3.1.1, Django 3.0.10, Django 2.2.16 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in django. The `FILE_UPLOAD_DIRECTORY_PERMISSIONS` mode was not applied to intermediate-level directories created when uploading files or to intermediate-level collected static directories when using the `collectstatic` management command. The highest threat from this vulnerability is to data confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-28 14:40:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1874486, 1874487, 1874488, 1874489, 1874924    
Bug Blocks: 1874498    

Description Guilherme de Almeida Suckevicz 2020-09-01 13:37:04 UTC 
On Python 3.7+, ``FILE_UPLOAD_DIRECTORY_PERMISSIONS`` mode was not applied to intermediate-level directories created in the process of uploading files and to intermediate-level collected static directories when using the ``collectstatic`` management command.

Reference:
https://www.djangoproject.com/weblog/2020/sep/01/security-releases/
Comment 1 Guilherme de Almeida Suckevicz 2020-09-01 13:37:42 UTC 
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 1874488]


Created python-django tracking bugs for this issue:

Affects: epel-all [bug 1874486]
Affects: fedora-all [bug 1874487]
Affects: openstack-rdo [bug 1874489]
Comment 2 Riccardo Schirone 2020-09-02 14:50:24 UTC 
Upstream fix:
https://github.com/django/django/commit/8d7271578d7b153435b40fe40236ebec43cbf1b9
Comment 4 Riccardo Schirone 2020-09-03 07:20:21 UTC 
This only affects Django running on Python 3.7+ due to some changes in how os.makedirs behaves. From the Python documentation, "Changed in version 3.7: The mode argument [of os.makedirs] no longer affects the file permission bits of newly-created intermediate-level directories.". For this reason, users of os.makedirs, like Django, should set the umask accordingly if they want the intermediate-level directories to have the proper permissions.
Comment 9 Sage McTaggart 2020-09-25 21:32:47 UTC 
External References:

https://www.djangoproject.com/weblog/2020/sep/01/security-releases/
Comment 11 Hardik Vyas 2020-09-28 13:09:42 UTC 
Statement:

This flaw can only be triggered in Django by using Python version 3.7 and newer. While the flawed package is shipped with the below Red Hat products, the flaw cannot be activated without manually updating Python to a newer release. This change would break many features and is an unsupported configuration.

* Red Hat OpenStack Platform versions 15 and 16 ship Python 3.6.8; 10 and 13 ship Python 2.X.
* Red Hat Ceph Storage 2 and 3 uses Python 2.X
* Red Hat Gluster Storage 3 uses Python 2.X
Comment 12 Product Security DevOps Team 2020-09-28 14:40:52 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-24583