Two XSS security issues have been fixed upstream in python-djblets: http://openwall.com/lists/oss-security/2014/06/06/23 They have been assigned CVEs: http://openwall.com/lists/oss-security/2014/06/07/4 Upstream patches are linked in the first post. Mageia 4 is also affected. Reproducible: Steps to Reproduce:
CC: (none) => makowski.mageia, shlomifWhiteboard: (none) => MGA4TOO
Fedora has issued an advisory for this on June 10: https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134416.html They fixed it by upgrading to 0.7.30.
URL: (none) => http://lwn.net/Vulnerabilities/602701/
Looking at the patch Fedora added in F20, we may need something similar: http://pkgs.fedoraproject.org/cgit/python-djblets.git/plain/FED01-Fix-dependencies.patch?h=f20 However, we currently can't satisfy the django-pipeline requirement as we only have 1.3.x packaged (I'm guessing for django 1.5) and not a parallel 1.2.x (which I guess would be for django 1.4). Which begs the question of does this package currently even work :o)
Since ReviewBoard no longer depend on Django14, here what we can do : in Cauldron Mga5 : - update python-djblets to 0.8.8 and make it depend on django (16) In Mga4 - update python-djblets to 0.7.30 and let it depend on django14 and make it depend on python-django14-pipeline version 1.2.24 - in python-django-pipeline (version 1.3.15) add a sub package python-django14-pipeline with version 1.2.24 and add a conflict between python-django-pipeline and python-django14-pipeline
Correction : In Mga4 - update python-djblets to 0.7.30 and let it depend on django14 and make it depend on python-django14-pipeline version 1.2.24 - in python-djblets add a sub package python-django14-pipeline with version 1.2.24 and add a conflict between python-django-pipeline and python-django14-pipeline
here the last news : In Mga4 - updated python-djblets to 0.7.30 and let it depend on django14 and make it depend on python-django14-pipeline version 1.2.24 - in python-djblets add a sub package python-django14-pipeline with version 1.2.24 and add a conflict between python-django-pipeline and python-django14-pipeline python-djblets-0.7.30-1.1.mga4 (build avalaible in 4/testing In Cauldron - updated python-djblets to 0.8.9 python-djblets-0.8.9-1.mga5 (don't build) But there is a problem with our latests django at build time so Cauldron don't build, and I needed to use python-django14 < 1.4.14 under mga4 the build error is (http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20140906085840.philippem.valstar.4704): running build_media Traceback (most recent call last): File "contrib/internal/build-media.py", line 24, in <module> ret = call_command('collectstatic', interactive=False, verbosity=2) File "/usr/lib/python2.7/site-packages/django/core/management/__init__.py", line 95, in call_command raise CommandError("Unknown command: %r" % name) django.core.management.base.CommandError: Unknown command: 'collectstatic' I suspect that the latest Django security fix lead to this error. I let Nicolas to check this with python-djblets upstream team.
according to upstream "We are not known to be compatible with Django 1.7. It is likely you will hit some significant problems. Please downgrade to 1.6." So we have a problem, we can't upgrade python-djblets to 0.8.9 in Mga5 Cauldron I will do then the same in mga5 than in mga4 : - updated python-djblets to 0.7.30 and let it depend on django14 and make it depend on python-django14-pipeline version 1.2.24 - in python-djblets add a sub package python-django14-pipeline with version 1.2.24 and add a conflict between python-django-pipeline and python-django14-pipeline
Need a freeze push for python-djblets-0.7.31 in mga5
python-djblets-0.7.31-1.mga5 build success So I think we can proceed : Advisory: ======================== Updated python-djblets packages fixe two XSS vulnerabilities in Djblets (CVE-2014-3994 and CVE-2014-3995) References: - https://bugzilla.redhat.com/show_bug.cgi?id=1106845 - http://openwall.com/lists/oss-security/2014/06/06/23 - http://openwall.com/lists/oss-security/2014/06/07/4 ======================== Updated packages in core/updates_testing: ======================== python-djblets-0.7.30-1.1.mga4 from SRPMS: python-djblets-0.7.30-1.1.mga4
Assignee: mageia => qa-bugs
Thanks Philippe! This was really a complex one. Advisory: ======================== Cross-site scripting (XSS) vulnerability in util/templatetags/djblets_js.py in Djblets before 0.7.30 for Django, as used in Review Board, allows remote attackers to inject arbitrary web script or HTML via a JSON object, as demonstrated by the name field when changing a user name (CVE-2014-3994). Cross-site scripting (XSS) vulnerability in gravatars/templatetags/gravatars.py in Djblets before 0.7.30 Django allows remote attackers to inject arbitrary web script or HTML via a user display name (CVE-2014-3995). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3994 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3995 https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134416.html
Version: Cauldron => 4Whiteboard: MGA4TOO => (none)
Trying to get started on this great unknown, I think that the background is thus: ReviewBoard is a *commercial* code reviewing program. Djblets is a bundle of Python thingies which emerge from ReviewBoard but are not specific to it, hence released into the public domain. It appears that both CVEs relate to the *same* problem: "(There are two CVE IDs because of the two discoverers.)" http://openwall.com/lists/oss-security/2014/06/06/23 is the most comprehensive description of the problem, with even a proof-of-concept; but is this tied to ReviewBoard? Both Openwall links mention json_dumps(), both CVEs mention util/templatetags/djblets_js.py in Djblets. Is the former a component of the latter? Is the heirarchy: ReviewBoard -> Djblets util/templatetags/djblets_js.py json_dumps() Is there any way we can play directly with this? Is ReviewBoard necessary? Is Django necessary? What on earth is a Gravatar image? Do we have a Python guru?
CC: (none) => lewyssmith
Review Board is a web-based collaborative code review tool, available as free software under the MIT License. Djblets is a collection of useful classes and functions for Django, needed by Review Board. In fact tests exists in source code. https://github.com/djblets/djblets/commit/7afc593b9e94f2c5bb1690f257f5f31790ad43f0 and https://github.com/djblets/djblets/commit/d3e428a6f7bc4c04d100b06e663c071fdc1717d9 so you can try this : from djblets.util.templatetags.djblets_js import json_dumps obj = {'xss': '</script><script>alert(1);</script>'} assert json_dumps(obj) == '{"xss": "\\u003C/script\\u003E\\u003Cscript\\u003E''alert(1);\\u003C/script\\u003E"}' At least it would test CVE-2014-3994
Many thanks Philippe for Comment 11. Could be a saver. BTAIM I had contacted someone with (rusty) Python experience, and give his comments anyway in case they might serve... 1. Djblets is a set of standalone tools for developers (kind of like how you can use the Apache Portable Runtime without using the Apache Web Server). Because it's a set of developer tools, 'poking it like a user would' testing doesn't really exist. However looking at the source repository at https://github.com/djblets/djblets/tree/master/tests suggests there's a test suite. I assume steps to test would be: a. Install the package 'python-djblets-0.7.30-1.1.mga4' as in the bug report and (http://svnweb.mageia.org/packages/updates/4/python-djblets/) b. Grab a copy of the tests and run them. I guess that's something like 'python runtests.py' Who knows, maybe a 'find' command will drag out that script somewhere in the Djiblets install directory. The tests themselves need something called 'nose', which is a Python testing framework (see how deep the rabbithole goes). Mageia already has that (http://svnweb.mageia.org/packages/cauldron/python-nose/?pathrev=564597) but you may need to install it. 2. Django is another set of tools, allowing developers to write rich web apps. It is definitely needed by Djblets. Again, if 'mga4' works like other package managers you get Django when you get Djblets. The test script 'runtests.py' directly references Django. 3. ReviewBoard is actually free software under the MIT license, which meets the FSF definition. To exercise the specific CVE you need to set a ReviewBoard instance up, do some configuration, then do the 'user' steps detailed in the CVE. This is outside of the 'Python guru' area, and should hopefully be do-able with a read of the ReviewBoard docs at https://www.reviewboard.org/docs/
For the future, it would be nice if the package ran the test suite at build time, if that's possible. At least the mga4 spec doesn't have that right now.
(In reply to David Walser from comment #13) > For the future, it would be nice if the package ran the test suite at build > time, if that's possible. At least the mga4 spec doesn't have that right > now. yes, but some test are ok locally but faild on BS, and it would also implied that we package tests.
(In reply to Lewis Smith from comment #12) > b. Grab a copy of the tests and run them. no, simply run under Python : from djblets.util.templatetags.djblets_js import json_dumps obj = {'xss': '</script><script>alert(1);</script>'} assert json_dumps(obj) == '{"xss": "\\u003C/script\\u003E\\u003Cscript\\u003E''alert(1);\\u003C/script\\u003E"}' that's enough
Trying MGA4 x64 re Comment 11 Comment 15 (many thanks Philippe for the code). I have tried from the *current* Python 2.7.6, python-djblets-0.7.28-2, python-django-pipeline-1.3.15-3, python-django14-1.4.14-1.3 (understood: to show the fault before the update): $ python executing just the first line yields: ">>> from djblets.util.templatetags.djblets_js import json_dumps Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/usr/lib/python2.7/site-packages/djblets/util/templatetags/djblets_js.py", line 28, in <module> from django.core.serializers import serialize File "/usr/lib/python2.7/site-packages/django/core/serializers/__init__.py", line 21, in <module> from django.core.serializers.base import SerializerDoesNotExist File "/usr/lib/python2.7/site-packages/django/core/serializers/base.py", line 7, in <module> from django.db import models File "/usr/lib/python2.7/site-packages/django/db/__init__.py", line 11, in <module> if DEFAULT_DB_ALIAS not in settings.DATABASES: File "/usr/lib/python2.7/site-packages/django/utils/functional.py", line 184, in inner self._setup() File "/usr/lib/python2.7/site-packages/django/conf/__init__.py", line 40, in _setup raise ImportError("Settings cannot be imported, because environment variable %s is undefined." % ENVIRONMENT_VARIABLE) ImportError: Settings cannot be imported, because environment variable DJANGO_SETTINGS_MODULE is undefined." Putting the given script into a file and doing: $ python tmp/giblets.py yielded the same O/P. So? please. TIA
Tests under x86_64 (for the test you need python-simplejson) so : urpmi python-simplejson go to /tmp create a file settings.py with : INSTALLED_APPS = [ 'django.contrib.admin', 'django.contrib.auth', 'django.contrib.contenttypes', 'django.contrib.sessions', 'django.contrib.sites', 'django.contrib.staticfiles', ] create a python test file (giblets.py) with : import os from djblets.util.templatetags.djblets_js import json_dumps obj = {'xss': '</script><script>alert(1);</script>'} assert json_dumps(obj) == '{"xss": "\\u003C/script\\u003E\\u003Cscript\\u003E''alert(1);\\u003C/script\\u003E"}' then from /tmp run : PYTHONPATH=/tmp DJANGO_SETTINGS_MODULE=settings python giblets.py before update it should return : $ PYTHONPATH=/tmp DJANGO_SETTINGS_MODULE=settings python giblets.py Traceback (most recent call last): File "giblets.py", line 5, in <module> assert json_dumps(obj) == '{"xss": "\\u003C/script\\u003E\\u003Cscript\\u003E''alert(1);\\u003C/script\\u003E"}' AssertionError after update with testing (python-djblets-0.7.30-1.1.mga4), no output, no error $ PYTHONPATH=/tmp DJANGO_SETTINGS_MODULE=settings python giblets.py $
Whiteboard: (none) => has_procedure mga4-64-ok
Philippe Comment 17: what a tour de force! Many thanks for all that detailed info; there is no way that most of us would have got near this - short of installing & mastering ReviewBoard. Other update testers now have it set up for them.
Testing complete Mageia 4 i586 using Philippe's procedure in Comment 17. Corrected advisory, listing the python-django14-pipeline package. Could someone please upload the following advisory? Sysadmins, please upload to core/updates_testing once the advisory is uploaded. Thanks. Advisory: ======================== Cross-site scripting (XSS) vulnerability in util/templatetags/djblets_js.py in Djblets before 0.7.30 for Django, as used in Review Board, allows remote attackers to inject arbitrary web script or HTML via a JSON object, as demonstrated by the name field when changing a user name (CVE-2014-3994). Cross-site scripting (XSS) vulnerability in gravatars/templatetags/gravatars.py in Djblets before 0.7.30 Django allows remote attackers to inject arbitrary web script or HTML via a user display name (CVE-2014-3995). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3994 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3995 https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134416.html ======================== Updated packages in core/updates_testing: ======================== python-djblets-0.7.30-1.1.mga4 python-django14-pipeline-0.7.30-1.1.mga4 from python-djblets-0.7.30-1.1.mga4.src.rpm
Keywords: (none) => validated_updateWhiteboard: has_procedure mga4-64-ok => has_procedure mga4-32-ok mga4-64-okCC: (none) => sysadmin-bugs
Advisory uploaded.
CC: (none) => remiWhiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0462.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
LWN reference for CVE-2014-3995: http://lwn.net/Vulnerabilities/622612/ http://lwn.net/Vulnerabilities/622613/