Bug 874950 (CVE-2014-0472) - VUL-0: CVE-2014-0472: python-django: unexpected code execution using reverse()
Summary: VUL-0: CVE-2014-0472: python-django: unexpected code execution using reverse()
Status: VERIFIED FIXED
Alias: CVE-2014-0472
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Deadline: 2014-05-08
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/98211/
Whiteboard: maint:released:sle11-sp3-uptu:57492 m...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-24 07:03 UTC by Alexander Bergmann
Modified: 2015-02-19 10:32 UTC
CC List: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2014-04-24 07:03:08 UTC
Via rh#1090588:

Common Vulnerabilities and Exposures assigned an identifier CVE-2014-0472 to
the following vulnerability:

Name: CVE-2014-0472
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0472
Assigned: 20131219
Reference: https://www.djangoproject.com/weblog/2014/apr/21/security/

The django.core.urlresolvers.reverse function in Django before 1.4.11,
1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2
allows remote attackers to import and execute arbitrary Python modules
by leveraging a view that constructs URLs using user input and a
"dotted Python path."

-----

Note that the initial upstream patch for this introduced a regression. The following patch corrects that regression:
https://github.com/django/django/commit/6915220ff9d6eeb2a669421d06bce9403ed6480c

The original upstream patch is:
https://github.com/django/django/commit/4352a50871e239ebcdf64eee6f0b88e714015c1b

(for the 1.6.x branch)


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1090588
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0472
http://www.ubuntu.com/usn/USN-2169-1
https://www.djangoproject.com/weblog/2014/apr/21/security/
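As an added illustration (not code from the bug report or from Django), the pattern the description warns about, modelled with a small stand-in for Django's URL resolver so it runs without Django installed: `reverse_pre_fix` mirrors the affected behaviour of importing an unknown dotted name, `reverse_allowlisted` the post-fix behaviour of resolving only names that exist in the URLconf, and `redirect_after_login` a view helper that matches request data against those names only. The URL names, function names and the probe value are constructed for this example.

```python
import importlib

# Constructed stand-in for a project's URLconf: the named URL patterns it defines.
NAMED_PATTERNS = {
    "account-profile": "/accounts/profile/",
    "account-logout": "/accounts/logout/",
}

def reverse_pre_fix(viewname):
    """Model of the affected reverse(): a name missing from the URLconf that looks
    like a dotted Python path gets imported to find the view callable, running that
    module's top-level code. With request data as the name, that is CVE-2014-0472."""
    if viewname in NAMED_PATTERNS:
        return NAMED_PATTERNS[viewname]
    module_name, _, _attr = viewname.rpartition(".")
    if module_name:
        importlib.import_module(module_name)  # untrusted input chooses the module
    raise LookupError("no URL pattern named %r" % viewname)

def reverse_allowlisted(viewname):
    """Hardened resolver: only names defined in the URLconf resolve; anything else
    is an error and nothing is imported."""
    try:
        return NAMED_PATTERNS[viewname]
    except KeyError:
        raise LookupError("no URL pattern named %r" % viewname) from None

def redirect_after_login(params, fallback="account-profile"):
    """View helper building a redirect from the user-supplied 'next' parameter.
    Request data is only matched against the allowlist, never imported."""
    try:
        return reverse_allowlisted(params.get("next", fallback))
    except LookupError:
        return reverse_allowlisted(fallback)

def import_attempted(resolver, viewname):
    """True if the resolver tried to import a module for viewname (the probe below names a nonexistent package)."""
    try:
        resolver(viewname)
        return False
    except ModuleNotFoundError:
        return True
    except LookupError:
        return False

if __name__ == "__main__":
    probe = "no_such_package.views.index"  # constructed request value
    print("pre-fix resolver imports request data:", import_attempted(reverse_pre_fix, probe))
    print("allowlisted resolver imports request data:", import_attempted(reverse_allowlisted, probe))
    print("redirect for a tampered 'next':", redirect_after_login({"next": probe}))
```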
Comment 1 Swamp Workflow Management 2014-04-24 07:26:29 UTC
The SWAMPID for this issue is 57105.
This issue was rated as moderate.
Please submit fixed packages until 2014-05-08.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 2 SMASH SMASH 2014-04-24 07:30:16 UTC
Affected packages:

SLE-11-SP3: python-django
SLE-11-SP3-PRODUCTS: python-django
Comment 3 Swamp Workflow Management 2014-04-24 22:00:13 UTC
bugbot adjusting priority
Comment 8 Vincent Untz 2014-06-27 10:21:05 UTC
Reassigning to security team as fix was submitted.
Comment 9 Swamp Workflow Management 2014-06-27 19:45:55 UTC
Update released for: python-django
Products:
SUSE-CLOUD 3.0 (x86_64)
Comment 10 Swamp Workflow Management 2014-06-27 23:04:26 UTC
SUSE-SU-2014:0851-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 874950,874955,874956,877993,878641
CVE References: CVE-2014-0472,CVE-2014-0473,CVE-2014-0474,CVE-2014-1418,CVE-2014-3730
Sources used:
SUSE Cloud 3 (src):    python-django-1.5.8-0.7.1
Comment 11 Alexander Bergmann 2014-08-19 08:17:37 UTC
Fix was released. Closing bug.
Comment 12 Swamp Workflow Management 2014-09-16 13:04:27 UTC
openSUSE-SU-2014:1132-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 874950,874955,874956,877993,878641,893087,893088,893089,893090
CVE References: CVE-2014-0472,CVE-2014-0473,CVE-2014-0474,CVE-2014-0480,CVE-2014-0481,CVE-2014-0482,CVE-2014-0483,CVE-2014-1418,CVE-2014-3730
Sources used:
openSUSE 13.1 (src):    python-django-1.5.10-0.2.8.1
openSUSE 12.3 (src):    python-django-1.4.15-2.12.1