Description of problem:
Django's JSON serialization does not handle escaping of any characters to make them safe for injecting into HTML. This allows an attacker who can provide part of a JSON-serializable object to craft a string that can break out of a <script> tag and create its own, injecting a custom script.

To fix this, we escape '<', '>', and '&' characters in the resulting string, preventing a </script> from executing.

Version-Release number of selected component (if applicable):
python-djblets-0.8.2-1.fc21
python-djblets-0.7.29-1.fc20

How reproducible:
Every time

Steps to Reproduce:
1. User can change their display name to "</script><script> alert(1)</script>"
2. Browse a page where this user was the submitter

Actual results:
Script is executed

Expected results:
User's name should be sanitized

Additional info:
Issue is public, due to it having been reported on upstream's public bug tracker.

Upstream bug report: https://code.google.com/p/reviewboard/issues/detail?id=3406

Upstream patch:
Djblets 0.7.x: https://reviews.reviewboard.org/r/5944/diff
Djblets 0.8.x: https://reviews.reviewboard.org/r/5945/diff
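To illustrate the fix the report describes (escaping '<', '>' and '&' in the serialized JSON before it is placed inside a <script> element), here is an added standalone example; it is not Djblets' or Django's own code, and the helper names and the sample display name from the reproduction steps are constructed for the demonstration:

```python
import json

# Constructed sample input: the display name from the reproduction steps.
MALICIOUS_NAME = '</script><script> alert(1)</script>'

# Each replacement is a valid JSON string escape, so JSON.parse() in the
# browser still yields the original character, while the raw bytes handed to
# the HTML parser can no longer form a tag or an entity.
_HTML_SAFE = {
    '<': '\\u003c',
    '>': '\\u003e',
    '&': '\\u0026',
}


def json_for_script(obj):
    """Serialize obj to JSON that is safe to embed inside a <script> block.

    json.dumps() alone leaves '<', '>' and '&' untouched, which is the
    defect the report describes; this post-processes the output to
    escape those three characters.
    """
    text = json.dumps(obj)
    for ch, esc in _HTML_SAFE.items():
        text = text.replace(ch, esc)
    return text


def render_script_tag_unsafe(obj):
    """The vulnerable pattern: raw json.dumps() output inside <script>."""
    return '<script>var data = %s;</script>' % json.dumps(obj)


def render_script_tag(obj):
    """The hardened pattern: escaped JSON inside <script>."""
    return '<script>var data = %s;</script>' % json_for_script(obj)


def closes_script_early(html):
    """True if the element body contains a sequence that ends a <script>.

    The HTML parser ends a script element at the first '</script', no
    matter what JavaScript context that text appears in.
    """
    body = html[len('<script>'):-len('</script>')]
    return '</script' in body.lower()
```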
I do not yet have the real name of the reporter to credit.
One additional note: this vulnerability is present on Fedora 19, 20, Rawhide and EPEL 6 (EPEL 7 does not yet have a successful build of Djblets)
Upstream has requested CVEs be issued for this and BZ #1105560. My personal opinion is that they can probably be treated as a single CVE.
(In reply to Stephen Gallagher from comment #3)
> Upstream has requested CVEs be issued for this and BZ #1105560. My personal
> opinion is that they can probably be treated as a single CVE.

Thanks, Stephen. They would require two CVEs due to there being two reporters (unless this XSS is reported by the same person, but it doesn't seem so).

Have they gotten CVE assignments yet? Requested from MITRE?
(In reply to Vincent Danen from comment #4)
> (In reply to Stephen Gallagher from comment #3)
> > Upstream has requested CVEs be issued for this and BZ #1105560. My personal
> > opinion is that they can probably be treated as a single CVE.
>
> Thanks, Stephen. They would require two CVEs due to there being two
> reporters (unless this XSS is reported by the same person, but it doesn't
> seem so).
>
> Have they gotten CVE assignments yet? Requested from MITRE?

No, upstream has requested that we assign CVEs for them (as Red Hat is the only entity performing security response with which they have a relationship).
python-djblets-0.7.30-2.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/python-djblets-0.7.30-2.fc20
python-djblets-0.7.30-2.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/python-djblets-0.7.30-2.fc19
Package python-djblets-0.7.30-2.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing python-djblets-0.7.30-2.fc20'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-7223/python-djblets-0.7.30-2.fc20
then log in and leave karma (feedback).
python-djblets-0.7.30-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
python-djblets-0.7.30-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.