Red Hat Bugzilla – Full Text Bug Listing
Summary: CVE-2012-3444 Django: 1.3.1 and 1.4.0 Denial-of-service via get_image_dimensions()
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Version: unspecified
CC: apevec, dmalcolm, michel, mrunge, smilner
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Last Closed: 2012-09-12 15:19:06 EDT
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 844528, 844529
Description Kurt Seifried 2012-07-30 22:02:39 EDT
James Bennett of the Django Project reports:

Security releases issued

Today the Django team is issuing multiple releases -- Django 1.3.2 and Django 1.4.1 -- to remedy security issues reported to us. All users are encouraged to upgrade Django immediately.

Denial-of-service via get_image_dimensions()

Django's image-handling facilities also include helper methods to determine the dimensions of an image. Currently, the process for this involves reading a 1024-byte chunk from the start of the file, and passing it to PIL to determine the dimensions; if insufficient data is provided, further 1024-byte chunks are read until PIL is able to return a definite answer.

While this works well for image formats which store enough information in their headers to determine dimensions, it can result in large quantities of read/process cycles for formats which do not. In particular, larger TIFF images can require tens of thousands of such cycles, tying up or timing out worker processes/threads and consuming enough server resources to result in an effective denial-of-service.

To mitigate this, the algorithm for determining image dimensions is being changed; the initial attempt will still use a 1024-byte chunk, but the chunk size will be doubled on each successive read. Testing has demonstrated that this reduces time to process TIFF files by multiple orders of magnitude.

References: https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
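To make the advisory's read/parse cycle concrete, the following is an added example (not Django's code and not part of this bug report) that runs both chunking strategies against a constructed little-endian TIFF whose IFD, the structure holding ImageWidth/ImageLength, is placed far into the file, exactly the case the advisory describes. The minimal TIFF parser here is an assumed stand-in for PIL's incremental parser, and all function names are assumptions.

```python
import io
import struct
def build_tiff(width, height, ifd_offset):
    # Constructed test data: minimal little-endian TIFF whose first IFD (holding
    # ImageWidth/ImageLength, tags 256/257) sits ifd_offset bytes into the file.
    header = b"II" + struct.pack("<HI", 42, ifd_offset)
    entries = struct.pack("<HHII", 256, 3, 1, width) + struct.pack("<HHII", 257, 3, 1, height)
    return header + b"\x00" * (ifd_offset - len(header)) + struct.pack("<H", 2) + entries + struct.pack("<I", 0)

def tiff_dimensions(buf):
    # Stand-in for PIL's incremental parser: returns (width, height) once the
    # buffered bytes hold the whole first IFD, else None meaning "need more data".
    if len(buf) < 8 or bytes(buf[:2]) != b"II" or struct.unpack("<H", buf[2:4])[0] != 42:
        return None
    ifd = struct.unpack("<I", buf[4:8])[0]
    if len(buf) < ifd + 2:
        return None
    count = struct.unpack("<H", buf[ifd:ifd + 2])[0]
    if len(buf) < ifd + 2 + 12 * count:
        return None
    dims = {}
    for i in range(count):
        pos = ifd + 2 + 12 * i
        tag, _type, _count, value = struct.unpack("<HHII", buf[pos:pos + 12])
        if tag in (256, 257):
            dims[tag] = value
    return (dims[256], dims[257]) if 256 in dims and 257 in dims else None

def get_image_dimensions(fobj, double_chunks):
    # The advisory's two strategies: fixed 1024-byte reads (1.3.1/1.4.0) or a
    # chunk size doubled after every read (1.3.2/1.4.1). Returns (dims, cycles).
    buf, chunk_size, reads = bytearray(), 1024, 0
    while True:
        data = fobj.read(chunk_size)
        reads += 1
        if not data:  # EOF without a definite answer: stop rather than spin
            return None, reads
        buf.extend(data)
        dims = tiff_dimensions(buf)
        if dims is not None:
            return dims, reads
        if double_chunks:
            chunk_size *= 2

def compare(ifd_offset=1024 * 1024):
    # Read/parse cycles each strategy needs when the IFD is ifd_offset bytes in.
    tiff = build_tiff(640, 480, ifd_offset)
    _, linear = get_image_dimensions(io.BytesIO(tiff), double_chunks=False)
    dims, doubled = get_image_dimensions(io.BytesIO(tiff), double_chunks=True)
    return dims, linear, doubled
```

With the IFD 1 MiB into the file, fixed 1024-byte reads need 1025 cycles while doubling needs 11; the gap grows linearly versus logarithmically with file size, which is the "multiple orders of magnitude" the advisory reports for large TIFFs.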
Comment 1 Kurt Seifried 2012-07-30 22:04:57 EDT
Created Django tracking bugs for this issue
Affects: fedora-all [bug 844528]
Comment 2 Kurt Seifried 2012-07-30 22:05:39 EDT
Created Django tracking bugs for this issue
Affects: epel-all [bug 844529]
Comment 3 Fedora Update System 2012-08-10 18:27:14 EDT
Django-1.4.1-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2012-08-10 18:33:59 EDT
Django-1.3.2-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2012-08-21 14:35:21 EDT
Django-1.3.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.