Bug 1016601 (CVE-2013-4409) - CVE-2013-4409 python-djblets: unsanitized eval() vulnerability
Summary: CVE-2013-4409 python-djblets: unsanitized eval() vulnerability
Alias: CVE-2013-4409
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1018001 1018002
Blocks: 1016713
TreeView+ depends on / blocked
Reported: 2013-10-08 11:44 UTC by Stephen Gallagher
Modified: 2023-05-12 22:56 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2016-01-26 15:15:21 UTC

Attachments (Terms of Use)

Description Stephen Gallagher 2013-10-08 11:44:19 UTC
=== Summary ===
Occasionally objects would be transmitted as a repr() of an object
instead of a JSON serialization. In order to restore this
representation to python code while parsing the JSON, Djblets would
use the eval() routine to execute them, leading to a risk of executing
arbitrary code in the Review Board process.

=== Affected Deployments ===
All Djblets deployments (and therefore all existing Review Board
deployments) are vulnerable to this flaw.

=== Scope ===
A remote attacker might be able to construct a JSON request containing
malicious python code that could be executed within the mod_wsgi
process on the server. It is unknown to what extent it could cause
damage, but denial-of-service at the minimum.

=== Resolution ===
Djblets will now use the literal_eval() routine instead of the eval()
routine when run on platforms with Python 2.6 or later. The
literal_eval() routine will sanitize the results such that only
assignments of literal variables is permitted, as opposed to arbitrary
python code execution.

Special note: If Djblets is installed on a platform running
Python 2.5 or earlier, this code will fall back to the earlier,
less-secure eval() routine. Djblets upstream strongly recommends
migrating such deployments to a more recent version of Python.

It is noted that the primary consumer of this library - Review Board - is not believed to be vulnerable to this issue, as there are other safeguards in place. However, it is possible that other unknown consumers of this library are at risk.

=== Acknowledgements ===
Christian Hammond, lead upstream developer of Review Board is credited
with discovering and correcting this vulnerability.

=== Embargo Information ===
Upstream has coordinated with packagers of various distributions and cloud application vendors to lift the embargo on Thursday, October 8, 2013. This BZ should become public at that time.

Upstream has requested that Red Hat please coordinate the issuance of a CVE for this vulnerability.

Comment 1 Vincent Danen 2013-10-08 14:34:55 UTC
Embargo lifts Thursday October 10th.

Comment 2 Murray McAllister 2013-10-10 23:54:30 UTC
Created python-djblets tracking bugs for this issue:

Affects: fedora-all [bug 1018001]
Affects: epel-6 [bug 1018002]

Comment 4 Fedora Update System 2013-10-29 03:39:55 UTC
ReviewBoard-1.7.16-2.fc19, python-djblets-0.7.21-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2013-10-29 03:43:40 UTC
ReviewBoard-1.7.16-2.fc18, python-djblets-0.7.21-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2013-11-01 21:09:38 UTC
python-djblets-0.7.21-1.el6, ReviewBoard-1.7.16-2.el6.1 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2013-11-10 06:46:37 UTC
ReviewBoard-1.7.16-2.fc20, python-djblets-0.7.21-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Vincent Danen 2013-12-24 20:23:24 UTC

Red Hat would like to thank the Review Board project for reporting this issue. Upstream acknowledges Frederik Braun from Mozilla as the original reporter.

Note You need to log in before you can comment on or make changes to this bug.