Bug 844526 (CVE-2012-3444)

Summary: CVE-2012-3444 Django: 1.3.1 and 1.4.0 Denial-of-service via get_image_dimensions()
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: apevec, dmalcolm, michel, mrunge, smilner
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20120730,reported=20120730,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,fedora-all/Django=affected,epel-all/Django=affected
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-09-12 15:19:06 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 844528, 844529
Bug Blocks:

Description Kurt Seifried 2012-07-30 22:02:39 EDT
James Bennett of the Django Project reports:

Security releases issued

Today the Django team is issuing multiple releases -- Django 1.3.2 and
Django 1.4.1 -- to remedy security issues reported to us.

All users are encouraged to upgrade Django immediately.
 
Denial-of-service via get_image_dimensions()

Django's image-handling facilities also include helper methods to
determine the dimensions of an image. Currently, the process for this
involves reading a 1024-byte chunk from the start of the file, and
passing to PIL to determine the dimensions; if insufficient data is
provided, further 1024-byte chunks are read until PIL is able to
return a definite answer.

While this works well for image formats which store enough information
in their headers to determine dimensions, it can result in large
quantities of read/process cycles for formats which do not. In
particular, larger TIFF images can require tens of thousands of such
cycles, tying up or timing out worker processes/threads and consuming
enough server resources to result in an effective denial-of-service.

To mitigate this, the algorithm for determining image dimensions is
being changed; the initial attempt will still use a 1024-byte chunk,
but the chunk size will be doubled on each successive read. Testing
has demonstrated that this reduces time to process TIFF files by
multiple orders of magnitude.


References:

https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
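The read loop the advisory describes, as an added example that is not part of this bug report or of Django's own code. It models a file whose dimension record, like a TIFF IFD, can sit far from the start, and counts how many read/parse cycles a fixed 1024-byte chunk needs versus a chunk that doubles after every read. The `TOYI` format, `build_image`, `parse_dimensions` and `compare_read_cycles` are all constructed for this example (the toy parser stands in for PIL), not real image-format or Django identifiers.

```python
import io
import struct

# Constructed toy image format (not TIFF and not Django code): a 4-byte magic,
# a 4-byte big-endian offset to a dimension record, arbitrary padding, then
# width and height as two 4-byte big-endian integers at that offset. As with
# TIFF's IFD pointer, the record may sit anywhere in the file, so the parser
# may need almost the whole file before it can give a definite answer.
MAGIC = b"TOYI"
INITIAL_CHUNK = 1024  # starting chunk size named in the advisory


def build_image(width, height, record_offset):
    """Construct a toy image whose dimension record starts at record_offset (>= 8)."""
    header = MAGIC + struct.pack(">I", record_offset)
    padding = b"\x00" * (record_offset - len(header))
    return header + padding + struct.pack(">II", width, height)


def parse_dimensions(data):
    """Stand-in for PIL: return (width, height) if enough bytes are present, else None."""
    if len(data) < 8 or data[:4] != MAGIC:
        return None
    offset = struct.unpack(">I", data[4:8])[0]
    if len(data) < offset + 8:
        return None  # record not yet available; the caller must read more
    return struct.unpack(">II", data[offset:offset + 8])


def get_image_dimensions(fileobj, double_chunks):
    """Read chunks until the parser answers.

    Returns ((width, height) or None on a truncated file, number_of_reads).
    double_chunks=False is the pre-fix behaviour (every read is 1024 bytes);
    double_chunks=True is the 1.3.2 / 1.4.1 mitigation (chunk size doubles).
    """
    data = b""
    chunk_size = INITIAL_CHUNK
    reads = 0
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            return None, reads  # EOF without a definite answer
        reads += 1
        data += chunk
        dims = parse_dimensions(data)
        if dims is not None:
            return dims, reads
        if double_chunks:
            chunk_size *= 2


def compare_read_cycles(record_offset):
    """Return (reads with fixed chunks, reads with doubling chunks) for one file."""
    img = build_image(640, 480, record_offset)
    _, fixed = get_image_dimensions(io.BytesIO(img), double_chunks=False)
    _, doubled = get_image_dimensions(io.BytesIO(img), double_chunks=True)
    return fixed, doubled


if __name__ == "__main__":
    for offset in (8, 100_000, 1_000_000):
        fixed, doubled = compare_read_cycles(offset)
        print(f"record at {offset:>9} bytes: fixed-chunk reads={fixed:>4}, doubling reads={doubled:>3}")
```

With the record one megabyte into the file the fixed-size loop performs 977 read/parse cycles while the doubling loop performs 10: the number of cycles grows linearly with file size in the first case and only logarithmically in the second, which is the "multiple orders of magnitude" the advisory reports for large TIFF files. A truncated file makes the function return `None` after however many reads it took to hit EOF, so callers should treat `None` as "dimensions unknown" rather than as a zero-sized image.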
Comment 1 Kurt Seifried 2012-07-30 22:04:57 EDT
Created Django tracking bugs for this issue

Affects: fedora-all [bug 844528]
Comment 2 Kurt Seifried 2012-07-30 22:05:39 EDT
Created Django tracking bugs for this issue

Affects: epel-all [bug 844529]
Comment 3 Fedora Update System 2012-08-10 18:27:14 EDT
Django-1.4.1-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2012-08-10 18:33:59 EDT
Django-1.3.2-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2012-08-21 14:35:21 EDT
Django-1.3.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.