=== Summary ===
Occasionally objects would be transmitted as a repr() of an object
instead of a JSON serialization. In order to restore this
representation to python code while parsing the JSON, Djblets would
use the eval() routine to execute them, leading to a risk of executing
arbitrary code in the Review Board process.
=== Affected Deployments ===
All Djblets deployments (and therefore all existing Review Board
deployments) are vulnerable to this flaw.
=== Scope ===
A remote attacker might be able to construct a JSON request containing
malicious python code that could be executed within the mod_wsgi
process on the server. It is unknown to what extent it could cause
damage, but denial-of-service at the minimum.
=== Resolution ===
Djblets will now use the literal_eval() routine instead of the eval()
routine when run on platforms with Python 2.6 or later. The
literal_eval() routine will sanitize the results such that only
assignments of literal variables is permitted, as opposed to arbitrary
python code execution.
Special note: If Djblets is installed on a platform running
Python 2.5 or earlier, this code will fall back to the earlier,
less-secure eval() routine. Djblets upstream strongly recommends
migrating such deployments to a more recent version of Python.
It is noted that the primary consumer of this library - Review Board - is not believed to be vulnerable to this issue, as there are other safeguards in place. However, it is possible that other unknown consumers of this library are at risk.
=== Acknowledgements ===
Christian Hammond, lead upstream developer of Review Board is credited
with discovering and correcting this vulnerability.
=== Embargo Information ===
Upstream has coordinated with packagers of various distributions and cloud application vendors to lift the embargo on Thursday, October 8, 2013. This BZ should become public at that time.
Upstream has requested that Red Hat please coordinate the issuance of a CVE for this vulnerability.
Embargo lifts Thursday October 10th.
Created python-djblets tracking bugs for this issue:
Affects: fedora-all [bug 1018001]
Affects: epel-6 [bug 1018002]
ReviewBoard-1.7.16-2.fc19, python-djblets-0.7.21-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
ReviewBoard-1.7.16-2.fc18, python-djblets-0.7.21-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
python-djblets-0.7.21-1.el6, ReviewBoard-1.7.16-2.el6.1 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
ReviewBoard-1.7.16-2.fc20, python-djblets-0.7.21-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Red Hat would like to thank the Review Board project for reporting this issue. Upstream acknowledges Frederik Braun from Mozilla as the original reporter.