Bug 1105551 - CVE-2014-3994 python-djblets: XSS Vulnerability in Djblets json_dumps() [fedora-all]
Summary: CVE-2014-3994 python-djblets: XSS Vulnerability in Djblets json_dumps() [fedo...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: python-djblets
Version: 20
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Stephen Gallagher
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1105560 CVE-2014-3994
 
Reported: 2014-06-06 11:40 UTC by Stephen Gallagher
Modified: 2014-06-17 23:26 UTC
CC List: 1 user

Fixed In Version: python-djblets-0.7.30-2.fc19
Clone Of:
Environment:
Last Closed: 2014-06-17 23:24:10 UTC
Type: Bug
Embargoed:



Description Stephen Gallagher 2014-06-06 11:40:18 UTC
Description of problem:

Django's JSON serialization does not handle escaping of any characters
to make them safe for injecting into HTML. This allows an attacker who
can provide part of a JSON-serializable object to craft a string that
can break out of a <script> tag and create its own, injecting a custom
script.

To fix this, we escape '<', '>', and '&' characters in the resulting
string, preventing a </script> from executing.

Version-Release number of selected component (if applicable):
python-djblets-0.8.2-1.fc21
python-djblets-0.7.29-1.fc20

How reproducible:
Every time


Steps to Reproduce:
1. User can change their display name to "</script><script> alert(1)</script>"
2. Browse a page where this user was the submitter

Actual results:
Script is executed

Expected results:
User's name should be sanitized

Additional info:
Issue is public, due to it having been reported on upstream's public bug tracker.

Upstream bug report: https://code.google.com/p/reviewboard/issues/detail?id=3406

Upstream patch:
Djblets 0.7.x: https://reviews.reviewboard.org/r/5944/diff
Djblets 0.8.x: https://reviews.reviewboard.org/r/5945/diff
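
The following is an added illustration of the issue the description above explains; it is not code from the Djblets package or from the upstream patches linked above. It reproduces the unsafe pattern (plain json.dumps() output dropped into an inline <script> block) next to the mitigation the report names: rewriting '<', '>' and '&' in the serialized string as JSON \uXXXX escapes. The render_script_block() template helper and the EVIL_NAME payload are constructed for this example; the payload is the display name from the reproduction steps.

```python
import json

# Constructed sample input: a user-controlled display name carrying the
# payload from "Steps to Reproduce" above.
EVIL_NAME = '</script><script> alert(1)</script>'


def json_dumps_unsafe(obj):
    """The vulnerable behaviour: plain json.dumps(), no HTML-context escaping."""
    return json.dumps(obj)


def json_dumps_html_safe(obj):
    """Serialize obj so the result can be placed inside an inline <script>.

    '<', '>' and '&' can only ever appear inside JSON string literals, so
    replacing them with their \\uXXXX escapes keeps the output valid JSON
    (json.loads() decodes it to the same value) while guaranteeing that the
    byte sequence '</script>' never reaches the HTML parser.  Note that HTML
    entity escaping (&lt;) would be wrong here: the HTML parser does not
    decode entities inside <script>, so JavaScript would see the literal
    text "&lt;" instead of "<".
    """
    return (json.dumps(obj)
            .replace('<', '\\u003c')
            .replace('>', '\\u003e')
            .replace('&', '\\u0026'))


def render_script_block(dumps, obj):
    """Hypothetical template fragment of the kind that triggers the bug:
    serialized data is injected verbatim into an inline script."""
    return '<script>var submitter = %s;</script>' % dumps(obj)


def script_block_is_broken(html):
    """Check whether the payload terminated the script block early.

    A well-formed fragment from render_script_block() contains exactly one
    closing tag; any additional '</script>' came from the serialized data.
    """
    return html.count('</script>') != 1


def escaped_round_trips(obj):
    """Check that the escaping does not alter the decoded value."""
    return json.loads(json_dumps_html_safe(obj)) == obj


def demo():
    data = {'display_name': EVIL_NAME}
    unsafe = render_script_block(json_dumps_unsafe, data)
    safe = render_script_block(json_dumps_html_safe, data)
    return {
        'unsafe_broken': script_block_is_broken(unsafe),  # True: alert(1) runs
        'safe_broken': script_block_is_broken(safe),      # False
        'round_trips': escaped_round_trips(data),         # True
        'safe_html': safe,
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print('%s: %s' % (key, value))
```

The same transformation is what later Django releases perform in their built-in json_script template filter; where that filter is available it should be preferred over hand-rolled escaping, but the check above (count the closing tags, then confirm json.loads() round-trips) is a quick way to verify any serializer that feeds an inline script.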

Comment 1 Stephen Gallagher 2014-06-06 11:41:15 UTC
I do not yet have the real name of the reporter to credit.

Comment 2 Stephen Gallagher 2014-06-06 11:42:06 UTC
One additional note: this vulnerability is present on Fedora 19, 20, Rawhide and EPEL 6 (EPEL 7 does not yet have a successful build of Djblets)

Comment 3 Stephen Gallagher 2014-06-06 12:18:02 UTC
Upstream has requested CVEs be issued for this and BZ #1105560. My personal opinion is that they can probably be treated as a single CVE.

Comment 4 Vincent Danen 2014-06-06 16:43:12 UTC
(In reply to Stephen Gallagher from comment #3)
> Upstream has requested CVEs be issued for this and BZ #1105560. My personal
> opinion is that they can probably be treated as a single CVE.

Thanks, Stephen.  They would require two CVEs due to there being two reporters (unless this XSS is reported by the same person, but it doesn't seem so).

Have they gotten CVE assignments yet?  Requested from MITRE?

Comment 6 Stephen Gallagher 2014-06-06 17:29:19 UTC
(In reply to Vincent Danen from comment #4)
> (In reply to Stephen Gallagher from comment #3)
> > Upstream has requested CVEs be issued for this and BZ #1105560. My personal
> > opinion is that they can probably be treated as a single CVE.
> 
> Thanks, Stephen.  They would require two CVEs due to there being two
> reporters (unless this XSS is reported by the same person, but it doesn't
> seem so).
> 
> Have they gotten CVE assignments yet?  Requested from MITRE?

No, upstream has requested that we assign CVEs for them (as Red Hat is the only entity performing security response with which they have a relationship).

Comment 10 Fedora Update System 2014-06-09 19:43:49 UTC
python-djblets-0.7.30-2.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/python-djblets-0.7.30-2.fc20

Comment 11 Fedora Update System 2014-06-09 19:44:00 UTC
python-djblets-0.7.30-2.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/python-djblets-0.7.30-2.fc19

Comment 12 Fedora Update System 2014-06-10 03:13:13 UTC
Package python-djblets-0.7.30-2.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing python-djblets-0.7.30-2.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-7223/python-djblets-0.7.30-2.fc20
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2014-06-17 23:24:10 UTC
python-djblets-0.7.30-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2014-06-17 23:26:18 UTC
python-djblets-0.7.30-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

