Bug 1874492 (CVE-2020-24584)

Summary: CVE-2020-24584 django: permission escalation in intermediate-level directories of the file system cache on Python 3.7+
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: apevec, bbuckingham, bcourt, bkearney, btotty, dbecker, hhudgeon, hvyas, jal233, jjoyce, jschluet, kbasil, lhh, lpeer, lzap, mburns, mhroncok, michel, mmccune, mrunge, nmoumoul, puebele, rchan, rdopiera, rhos-maint, rjerrido, sclewis, sgallagh, slavek.kabrda, slinaber, sokeeffe
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Django 3.1.1, Django 3.0.10, Django 2.2.16
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Django. On Python 3.7+, the intermediate-level directories of the file system cache were created with permissions governed by the system's standard umask rather than `0o077` (no group or others permissions). The highest threat from this vulnerability is to data confidentiality.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-09-28 14:40:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1874493, 1874494, 1874495, 1874496
Bug Blocks: 1874498

Description Guilherme de Almeida Suckevicz 2020-09-01 13:39:43 UTC
On Python 3.7+, the intermediate-level directories of the file system cache had the system's standard umask rather than ``0o077`` (no group or others permissions).

Reference:
https://www.djangoproject.com/weblog/2020/sep/01/security-releases/
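
The behaviour behind the report above, as an added example that is not part of the bug report or of Django's own code: since Python 3.7, os.makedirs() applies its mode argument only to the final path component, so any intermediate directories it has to create get the default 0o777 masked by the process umask. The script contrasts that single call with creating each missing component explicitly at 0o700, and adds a small audit that lists cache directories granting any permission to group or others (anything a 0o077 umask would have stripped). The directory names, the 0o022 umask and the temporary root are constructed for the demonstration and assume a POSIX filesystem.

```python
import os
import stat
import tempfile


def create_cache_dir_makedirs(path):
    """Create a nested cache directory with a single os.makedirs() call.

    On Python 3.7 and newer the mode argument applies only to the final
    path component; intermediate directories that have to be created get
    the default 0o777 masked by the process umask.  This is the pattern
    the report above describes.
    """
    os.makedirs(path, 0o700, exist_ok=True)


def create_cache_dir_hardened(path):
    """Create every missing path component individually with mode 0o700.

    Each newly created directory is also chmod'ed to 0o700, so the result
    does not depend on the process umask and no process-wide umask change
    (which would race with other threads) is required.
    """
    path = os.path.abspath(path)
    missing = []
    while not os.path.isdir(path):
        missing.append(path)
        parent = os.path.dirname(path)
        if parent == path:  # reached the filesystem root
            break
        path = parent
    for directory in reversed(missing):  # parents first
        try:
            os.mkdir(directory, 0o700)
        except FileExistsError:
            pass  # created concurrently; the mode is still enforced below
        if not os.path.isdir(directory):
            raise NotADirectoryError(directory)
        os.chmod(directory, 0o700)


def find_group_or_other_accessible_dirs(root):
    """Return directories under root (inclusive) whose permission bits grant
    anything to group or others, i.e. directories a 0o077 umask would not
    have produced."""
    exposed = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        mode = stat.S_IMODE(os.stat(dirpath).st_mode)
        if mode & 0o077:
            exposed.append(dirpath)
    return sorted(exposed)


def demo(umask=0o022):
    """Build the same nested cache path both ways under a fresh temporary
    root with a permissive (constructed) umask, and report which directories
    each approach leaves group- or other-accessible, relative to that root."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            target_a = os.path.join(tmp, "a", "intermediate", "django_cache")
            target_b = os.path.join(tmp, "b", "intermediate", "django_cache")
            create_cache_dir_makedirs(target_a)
            create_cache_dir_hardened(target_b)
            exposed_a = [os.path.relpath(p, tmp) for p in
                         find_group_or_other_accessible_dirs(os.path.join(tmp, "a"))]
            exposed_b = [os.path.relpath(p, tmp) for p in
                         find_group_or_other_accessible_dirs(os.path.join(tmp, "b"))]
            return exposed_a, exposed_b
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    makedirs_exposed, hardened_exposed = demo()
    print("os.makedirs(mode=0o700) left exposed:", makedirs_exposed)
    print("explicit per-component creation left exposed:", hardened_exposed)
```

With the 0o022 umask the makedirs() variant leaves "a" and "a/intermediate" at 0o755 while only "django_cache" itself gets 0o700; the per-component variant leaves nothing exposed. The audit function can also be pointed at an existing cache location to check what an earlier Django release created.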

Comment 1 Guilherme de Almeida Suckevicz 2020-09-01 13:40:23 UTC
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 1874495]


Created python-django tracking bugs for this issue:

Affects: epel-all [bug 1874493]
Affects: fedora-all [bug 1874494]
Affects: openstack-rdo [bug 1874496]

Comment 7 Sage McTaggart 2020-09-25 21:30:01 UTC
External References:

https://www.djangoproject.com/weblog/2020/sep/01/security-releases

Comment 9 Hardik Vyas 2020-09-28 13:10:29 UTC
Statement:

This flaw can only be triggered in Django by using Python version 3.7 and newer. While the flawed package is shipped with the below Red Hat products, the flaw cannot be activated without manually updating Python to a newer release. This change would break many features and is an unsupported configuration.

* Red Hat OpenStack Platform versions 15 and 16 ship Python 3.6.8; 10 and 13 ship Python 2.X.
* Red Hat Ceph Storage 2 and 3 use Python 2.X
* Red Hat Gluster Storage 3 uses Python 2.X

Comment 10 Product Security DevOps Team 2020-09-28 14:40:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-24584