Bug 750658 (CVE-2011-4103)

Summary: CVE-2011-4103 django-piston: vulnerability in de-serialization of YAML post data could possibly allow remote execution of arbitrary code
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Version: unspecified
CC: diegobz
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-08-15 19:24:12 UTC

Description Vincent Danen 2011-11-01 21:46:07 UTC
A flaw in Piston, a popular REST API framework for Django, was reported [1] in how it handles de-serialization of YAML post data. It uses the yaml.load method, which is unsafe and in certain circumstances could be used to allow remote execution of arbitrary code. The updated versions of Piston (0.2.3 and 0.2.2.1) correctly use the yaml.safe_load method which prevents remote code execution.

This does not affect Django itself, but any users who have installed and use the django-piston package on Fedora may be vulnerable.

The upstream patch [2] is in git.

[1] https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases/
[2] https://bitbucket.org/jespern/django-piston/changeset/91bdaec89543
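As an added example (not from the bug report and not django-piston's own code), a YAML POST-body deserializer in the shape the fix describes: yaml.safe_load in place of yaml.load, preceded by a stdlib-only scan for explicit tags outside the YAML core schema as defense in depth and as a detection signal. The names unsafe_yaml_tags and load_post_data are hypothetical, and the sample documents in the comments are constructed.

```python
"""Hardened YAML POST-body handling (added example, not Piston's code).

Assumptions: the body arrives as text and PyYAML is the parser, as it is
in django-piston.  yaml.safe_load is the real fix; the tag scan is extra.
"""
import re

# Tags of the YAML 1.1 core schema; safe_load constructs only these.
SAFE_TAGS = {
    "!", "!!str", "!!int", "!!float", "!!bool", "!!null", "!!map", "!!seq",
    "!!set", "!!omap", "!!pairs", "!!binary", "!!timestamp", "!!merge",
}
# An explicit tag: '!' at a token boundary up to the next separator.
TAG_RE = re.compile(r"(?<![\w'\"])(![^\s\[\]{},]*)")
QUOTED_RE = re.compile(r"'[^']*'|\"(?:\\.|[^\"\\])*\"")   # quoted scalars
COMMENT_RE = re.compile(r"(^|\s)#.*")                       # YAML comments


def unsafe_yaml_tags(text):
    """Return explicit tags safe_load would refuse, e.g. !!python/name:...

    %TAG directives are reported too: they can rebind the '!!' handle,
    so tag text alone cannot be trusted once one is present.
    """
    found = []
    for line in text.splitlines():
        if line.startswith("%TAG"):
            found.append(line.strip())
            continue
        # tags inside quoted scalars or comments are data, not directives
        body = COMMENT_RE.sub("", QUOTED_RE.sub("", line))
        for tag in TAG_RE.findall(body):
            if tag not in SAFE_TAGS:
                found.append(tag)
    return found


def load_post_data(raw):
    """Deserialize a YAML body; returns (data, None) or (None, reason).

    A view can turn a reason into a 400 and log it, instead of letting
    the parser raise or, with yaml.load, run attacker-chosen constructors.
    """
    bad = unsafe_yaml_tags(raw)
    if bad:
        return None, "unsafe YAML tags rejected: %s" % ", ".join(bad)
    try:
        import yaml                       # PyYAML, as django-piston uses
    except ImportError:                   # assumption: parser may be absent
        return None, "PyYAML not installed"
    try:
        return yaml.safe_load(raw), None  # never yaml.load on request data
    except yaml.YAMLError as exc:
        return None, "malformed YAML: %s" % exc
```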

Comment 1 Vincent Danen 2011-11-02 00:28:02 UTC
This has been assigned the name CVE-2011-4103:

http://www.openwall.com/lists/oss-security/2011/11/01/10

Comment 2 Kurt Seifried 2014-08-15 19:24:12 UTC
This has been fixed in Fedora/EPEL:

fedora:19/python-django-piston-0.2.3-7.fc19
fedora:20/python-django-piston-0.2.3-8.fc20
fedora:epel:6/django-piston-0.2.3-1.el6
fedora:epel:6/python-django-piston-0.2.3-5.el6