Bug 13504 - python-djblets new security issues CVE-2014-3994 and CVE-2014-3995
Summary: python-djblets new security issues CVE-2014-3994 and CVE-2014-3995
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/602701/
Whiteboard: has_procedure mga4-32-ok mga4-64-ok a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-06-09 20:06 CEST by David Walser
Modified: 2014-11-21 19:05 CET (History)
5 users (show)

See Also:
Source RPM: python-djblets-0.7.28-3.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-06-09 20:06:26 CEST
Two XSS security issues have been fixed upstream in python-djblets:
http://openwall.com/lists/oss-security/2014/06/06/23

They have been assigned CVEs:
http://openwall.com/lists/oss-security/2014/06/07/4

Upstream patches are linked in the first post.

Mageia 4 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-06-09 20:06:47 CEST

CC: (none) => makowski.mageia, shlomif
Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2014-06-18 22:18:22 CEST
Fedora has issued an advisory for this on June 10:
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134416.html

They fixed it by upgrading to 0.7.30.

URL: (none) => http://lwn.net/Vulnerabilities/602701/

Comment 2 David Walser 2014-07-08 23:48:57 CEST
Looking at the patch Fedora added in F20, we may need something similar:
http://pkgs.fedoraproject.org/cgit/python-djblets.git/plain/FED01-Fix-dependencies.patch?h=f20

However, we currently can't satisfy the django-pipeline requirement as we only have 1.3.x packaged (I'm guessing for django 1.5) and not a parallel 1.2.x (which I guess would be for django 1.4).  Which begs the question of does this package currently even work :o)
Comment 3 Philippe Makowski 2014-08-22 16:57:07 CEST
Since ReviewBoard no longer depend on Django14, here what we can do :
in Cauldron Mga5 :
 - update python-djblets to 0.8.8 and make it depend on django (16)

In Mga4
 - update python-djblets to 0.7.30 and let it depend on django14 and make it depend on python-django14-pipeline version 1.2.24
 - in python-django-pipeline (version 1.3.15) add a sub package python-django14-pipeline with version 1.2.24  and add a conflict between python-django-pipeline and python-django14-pipeline
Comment 4 Philippe Makowski 2014-08-22 19:40:22 CEST
Correction :

 In Mga4
  - update python-djblets to 0.7.30 and let it depend on django14 and
 make it depend on python-django14-pipeline version 1.2.24
  - in python-djblets  add a sub package python-django14-pipeline with version 1.2.24  and add a conflict between python-django-pipeline and python-django14-pipeline
Comment 5 Philippe Makowski 2014-09-06 11:08:40 CEST
here the last news :
In Mga4
  - updated python-djblets to 0.7.30 and let it depend on django14 and
 make it depend on python-django14-pipeline version 1.2.24
  - in python-djblets  add a sub package python-django14-pipeline with version 1.2.24  and add a conflict between python-django-pipeline and python-django14-pipeline

python-djblets-0.7.30-1.1.mga4 (build avalaible in 4/testing

In Cauldron
- updated python-djblets to 0.8.9
 python-djblets-0.8.9-1.mga5 (don't build)

But there is a problem with our latests django at build time
so Cauldron don't build, and I needed to use python-django14 < 1.4.14 under mga4

the build error is (http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20140906085840.philippem.valstar.4704):

running build_media
Traceback (most recent call last):
  File "contrib/internal/build-media.py", line 24, in <module>
    ret = call_command('collectstatic', interactive=False, verbosity=2)
  File "/usr/lib/python2.7/site-packages/django/core/management/__init__.py", line 95, in call_command
    raise CommandError("Unknown command: %r" % name)
django.core.management.base.CommandError: Unknown command: 'collectstatic'


I suspect that the latest Django security fix lead to this error.
I let Nicolas to check this with python-djblets upstream team.
Comment 6 Philippe Makowski 2014-10-09 21:31:02 CEST
according to upstream "We are not known to be compatible with Django 1.7. It is likely you will hit some significant problems. Please downgrade to 1.6."

So we have a problem, we can't upgrade python-djblets to 0.8.9 in Mga5 Cauldron

I will do then the same in mga5 than in mga4 :
 - updated python-djblets to 0.7.30 and let it depend on django14 and
 make it depend on python-django14-pipeline version 1.2.24
  - in python-djblets  add a sub package python-django14-pipeline with version 1.2.24  and add a conflict between python-django-pipeline and python-django14-pipeline
Comment 7 Philippe Makowski 2014-10-12 12:18:31 CEST
Need a freeze push for python-djblets-0.7.31 in mga5
Comment 8 Philippe Makowski 2014-10-13 20:52:24 CEST
python-djblets-0.7.31-1.mga5 build success
So I think we can proceed :

Advisory:
========================

Updated python-djblets packages fixe two XSS vulnerabilities in Djblets (CVE-2014-3994 and CVE-2014-3995)

References:

 - https://bugzilla.redhat.com/show_bug.cgi?id=1106845
 - http://openwall.com/lists/oss-security/2014/06/06/23
 - http://openwall.com/lists/oss-security/2014/06/07/4

========================

Updated packages in core/updates_testing:
========================
python-djblets-0.7.30-1.1.mga4

from SRPMS:

python-djblets-0.7.30-1.1.mga4

Assignee: mageia => qa-bugs

Comment 9 David Walser 2014-10-13 21:17:09 CEST
Thanks Philippe!  This was really a complex one.

Advisory:
========================

Cross-site scripting (XSS) vulnerability in util/templatetags/djblets_js.py
in Djblets before 0.7.30 for Django, as used in Review Board, allows remote
attackers to inject arbitrary web script or HTML via a JSON object, as
demonstrated by the name field when changing a user name (CVE-2014-3994).

Cross-site scripting (XSS) vulnerability in
gravatars/templatetags/gravatars.py in Djblets before 0.7.30 Django allows
remote attackers to inject arbitrary web script or HTML via a user display
name (CVE-2014-3995).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3994
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3995
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134416.html

Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)

Comment 10 Lewis Smith 2014-11-05 21:41:56 CET
Trying to get started on this great unknown, I think that the background is thus: ReviewBoard is a *commercial* code reviewing program. Djblets is a bundle of Python thingies which emerge from ReviewBoard but are not specific to it, hence released into the public domain.
It appears that both CVEs relate to the *same* problem: "(There are two CVE IDs because of the two discoverers.)"
 http://openwall.com/lists/oss-security/2014/06/06/23
is the most comprehensive description of the problem, with even a proof-of-concept; but is this tied to ReviewBoard?
Both Openwall links mention json_dumps(), both CVEs mention util/templatetags/djblets_js.py in Djblets. Is the former a component of the latter? Is the heirarchy:
ReviewBoard -> Djblets
    util/templatetags/djblets_js.py
        json_dumps()
Is there any way we can play directly with this? Is ReviewBoard necessary? Is Django necessary? What on earth is a Gravatar image? Do we have a Python guru?

CC: (none) => lewyssmith

Comment 11 Philippe Makowski 2014-11-06 13:25:50 CET
Review Board is a web-based collaborative code review tool, available as free software under the MIT License.
Djblets is a collection of useful classes and functions for Django, needed by Review Board.

In fact tests exists in source code.

https://github.com/djblets/djblets/commit/7afc593b9e94f2c5bb1690f257f5f31790ad43f0

and 

https://github.com/djblets/djblets/commit/d3e428a6f7bc4c04d100b06e663c071fdc1717d9

so you can try this :

from djblets.util.templatetags.djblets_js import json_dumps
obj = {'xss': '</script><script>alert(1);</script>'}
assert json_dumps(obj) == '{"xss": "\\u003C/script\\u003E\\u003Cscript\\u003E''alert(1);\\u003C/script\\u003E"}'


At least it would test CVE-2014-3994
Comment 12 Lewis Smith 2014-11-06 21:08:31 CET
Many thanks Philippe for Comment 11. Could be a saver.

BTAIM I had contacted someone with (rusty) Python experience, and give his comments anyway in case they might serve...

1. Djblets is a set of standalone tools for developers (kind of like how you can use the Apache Portable Runtime without using the Apache Web Server). Because it's a set of developer tools, 'poking it like a user would' testing doesn't really exist. However looking at the source repository at https://github.com/djblets/djblets/tree/master/tests suggests there's a test suite. I assume steps to test would be:
 a. Install the package 'python-djblets-0.7.30-1.1.mga4' as in the bug report and (http://svnweb.mageia.org/packages/updates/4/python-djblets/)
 b. Grab a copy of the tests and run them. I guess that's something like 'python runtests.py' Who knows, maybe a 'find' command will drag out that script somewhere in the Djiblets install directory. The tests themselves need something called 'nose', which is a Python testing framework (see how deep the rabbithole goes). Mageia already has that (http://svnweb.mageia.org/packages/cauldron/python-nose/?pathrev=564597) but you may need to install it.
2. Django is another set of tools, allowing developers to write rich web apps. It is definitely needed by Djblets. Again, if 'mga4' works like other package managers you get Django when you get Djblets. The test script 'runtests.py' directly references Django.
3. ReviewBoard is actually free software under the MIT license, which meets the FSF definition. To exercise the specific CVE you need to set a ReviewBoard instance up, do some configuration, then do the 'user' steps detailed in the CVE. This is outside of the 'Python guru' area, and should hopefully be do-able with a read of the ReviewBoard docs at https://www.reviewboard.org/docs/
Comment 13 David Walser 2014-11-06 22:54:38 CET
For the future, it would be nice if the package ran the test suite at build time, if that's possible.  At least the mga4 spec doesn't have that right now.
Comment 14 Philippe Makowski 2014-11-07 09:14:33 CET
(In reply to David Walser from comment #13)
> For the future, it would be nice if the package ran the test suite at build
> time, if that's possible.  At least the mga4 spec doesn't have that right
> now.

yes, but some test are ok locally but faild on BS, and it would also implied that we package tests.
Comment 15 Philippe Makowski 2014-11-07 09:16:56 CET
(In reply to Lewis Smith from comment #12)
>  b. Grab a copy of the tests and run them. 

no, simply run under Python :

from djblets.util.templatetags.djblets_js import json_dumps
obj = {'xss': '</script><script>alert(1);</script>'}
assert json_dumps(obj) == '{"xss": "\\u003C/script\\u003E\\u003Cscript\\u003E''alert(1);\\u003C/script\\u003E"}'

that's enough
Comment 16 Lewis Smith 2014-11-12 18:40:17 CET
Trying MGA4 x64 re Comment 11 Comment 15 (many thanks Philippe for the code).

I have tried from the *current* Python 2.7.6, python-djblets-0.7.28-2, python-django-pipeline-1.3.15-3, python-django14-1.4.14-1.3 (understood: to show the fault before the update):
$ python
executing just the first line yields:
">>> from djblets.util.templatetags.djblets_js import json_dumps
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/djblets/util/templatetags/djblets_js.py", line 28, in <module>
    from django.core.serializers import serialize
  File "/usr/lib/python2.7/site-packages/django/core/serializers/__init__.py", line 21, in <module>
    from django.core.serializers.base import SerializerDoesNotExist
  File "/usr/lib/python2.7/site-packages/django/core/serializers/base.py", line 7, in <module>
    from django.db import models
  File "/usr/lib/python2.7/site-packages/django/db/__init__.py", line 11, in <module>
    if DEFAULT_DB_ALIAS not in settings.DATABASES:
  File "/usr/lib/python2.7/site-packages/django/utils/functional.py", line 184, in inner
    self._setup()
  File "/usr/lib/python2.7/site-packages/django/conf/__init__.py", line 40, in _setup
    raise ImportError("Settings cannot be imported, because environment variable %s is undefined." % ENVIRONMENT_VARIABLE)
ImportError: Settings cannot be imported, because environment variable DJANGO_SETTINGS_MODULE is undefined."

Putting the given script into a file and doing:
$ python tmp/giblets.py
yielded the same O/P.

So? please. TIA
Comment 17 Philippe Makowski 2014-11-13 14:18:22 CET
Tests under x86_64

(for the test you need python-simplejson)

so :
urpmi python-simplejson

go to /tmp
create a file settings.py with :
INSTALLED_APPS = [
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.sites',
'django.contrib.staticfiles',
]

create a python test file (giblets.py) with :
import os
from djblets.util.templatetags.djblets_js import json_dumps
obj = {'xss': '</script><script>alert(1);</script>'}
assert json_dumps(obj) == '{"xss": "\\u003C/script\\u003E\\u003Cscript\\u003E''alert(1);\\u003C/script\\u003E"}'

then from /tmp run :
PYTHONPATH=/tmp DJANGO_SETTINGS_MODULE=settings python giblets.py

before update it should return :
$ PYTHONPATH=/tmp DJANGO_SETTINGS_MODULE=settings python giblets.py 
Traceback (most recent call last):
  File "giblets.py", line 5, in <module>
    assert json_dumps(obj) == '{"xss": "\\u003C/script\\u003E\\u003Cscript\\u003E''alert(1);\\u003C/script\\u003E"}'
AssertionError

after update with testing (python-djblets-0.7.30-1.1.mga4), no output, no error

$ PYTHONPATH=/tmp DJANGO_SETTINGS_MODULE=settings python giblets.py
$
Philippe Makowski 2014-11-13 14:22:59 CET

Whiteboard: (none) => has_procedure mga4-64-ok

Comment 18 Lewis Smith 2014-11-13 20:54:05 CET
Philippe

Comment 17: what a tour de force! Many thanks for all that detailed info; there is no way that most of us would have got near this - short of installing & mastering ReviewBoard. Other update testers now have it set up for them.
Comment 19 David Walser 2014-11-18 19:19:01 CET
Testing complete Mageia 4 i586 using Philippe's procedure in Comment 17.

Corrected advisory, listing the python-django14-pipeline package.

Could someone please upload the following advisory?

Sysadmins, please upload to core/updates_testing once the advisory is uploaded.  Thanks.

Advisory:
========================

Cross-site scripting (XSS) vulnerability in util/templatetags/djblets_js.py
in Djblets before 0.7.30 for Django, as used in Review Board, allows remote
attackers to inject arbitrary web script or HTML via a JSON object, as
demonstrated by the name field when changing a user name (CVE-2014-3994).

Cross-site scripting (XSS) vulnerability in
gravatars/templatetags/gravatars.py in Djblets before 0.7.30 Django allows
remote attackers to inject arbitrary web script or HTML via a user display
name (CVE-2014-3995).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3994
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3995
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134416.html
========================

Updated packages in core/updates_testing:
========================
python-djblets-0.7.30-1.1.mga4
python-django14-pipeline-0.7.30-1.1.mga4

from python-djblets-0.7.30-1.1.mga4.src.rpm

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 20 Rémi Verschelde 2014-11-19 13:10:53 CET
Advisory uploaded.

CC: (none) => remi
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok advisory

Comment 21 Mageia Robot 2014-11-21 13:45:25 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0462.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 22 David Walser 2014-11-21 19:05:41 CET
LWN reference for CVE-2014-3995:
http://lwn.net/Vulnerabilities/622612/
http://lwn.net/Vulnerabilities/622613/

Note You need to log in before you can comment on or make changes to this bug.