Bug 1549777 (CVE-2018-7536) - CVE-2018-7536 django: Catastrophic backtracking in regular expressions via 'urlize' and 'urlizetrunc'
Summary: CVE-2018-7536 django: Catastrophic backtracking in regular expressions via 'u...
Status: NEW
Alias: CVE-2018-7536
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180306,repor...
Keywords: Security
Depends On: 1557374 1557395 1549905 1549906 1551895 1551896 1551897 1551898 1551899 1551900 1551901 1552177 1552178 1552179 1552307 1554694 1557396
Blocks: 1549781
TreeView+ depends on / blocked
 
Reported: 2018-02-27 19:59 UTC by Pedro Sampaio
Modified: 2019-05-21 10:00 UTC (History)
39 users (show)

(edit)
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2927 None None None 2018-10-16 15:21 UTC
Red Hat Product Errata RHSA-2019:0051 None None None 2019-01-16 17:11 UTC
Red Hat Product Errata RHSA-2019:0082 None None None 2019-01-16 17:52 UTC
Red Hat Product Errata RHSA-2019:0265 None None None 2019-02-04 07:43 UTC

Description Pedro Sampaio 2018-02-27 19:59:49 UTC
CVE-2018-7536: Denial-of-service possibility in ``urlize`` and
``urlizetrunc`` template filters
===========================================================================

The ``django.utils.html.urlize()`` function was extremely slow to evaluate
certain inputs due to catastrophic backtracking vulnerabilities in two
regular expressions (one regular expression for Django 1.8). The
``urlize()``
function is used to implement the ``urlize`` and ``urlizetrunc`` template
filters, which were thus vulnerable.

The problematic regular expressions are replaced with parsing logic that
behaves similarly.

Comment 5 Adam Mariš 2018-03-06 16:13:39 UTC
Acknowledgments:

Name: the Django project

Comment 6 Adam Mariš 2018-03-06 16:13:57 UTC
External References:

https://www.djangoproject.com/weblog/2018/mar/06/security-releases/

Comment 7 Adam Mariš 2018-03-06 16:17:00 UTC
Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 1552178]
Affects: epel-7 [bug 1552179]


Created python-django16 tracking bugs for this issue:

Affects: epel-7 [bug 1552177]

Comment 13 Andrej Nemec 2018-05-14 15:19:51 UTC
Statement:

This issue affects the versions of django as shipped with Red Hat Subscription Asset Manager. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 14 errata-xmlrpc 2018-10-16 15:20:55 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927

Comment 18 errata-xmlrpc 2019-01-16 17:11:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:0051 https://access.redhat.com/errata/RHSA-2019:0051

Comment 19 errata-xmlrpc 2019-01-16 17:52:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2019:0082 https://access.redhat.com/errata/RHSA-2019:0082

Comment 20 errata-xmlrpc 2019-02-04 07:43:40 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.4 for RHEL 7

Via RHSA-2019:0265 https://access.redhat.com/errata/RHSA-2019:0265


Note You need to log in before you can comment on or make changes to this bug.