Bug 876092 (CVE-2014-3137) - VUL-0: CVE-2014-3137: python-bottle: JSON content-type not restrictive enough
Status: RESOLVED FIXED
Alias: CVE-2014-3137
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.1
Priority: P3 - Medium; Severity: Normal
Target Milestone: ---
Assignee: Todd R
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/98523/
Reported: 2014-05-02 06:56 UTC by Alexander Bergmann
Modified: 2015-04-07 15:13 UTC
Found By: Security Response Team
Description Alexander Bergmann 2014-05-02 06:56:21 UTC
Via rh#1093255:

It was reported that the JSON content-type was not restrictive enough. Bottle treated "text/plain;application/json" as JSON, allowing attackers to bypass intended security mechanisms. From the upstream report, "For example Chrome will not allow cross-origin xmlhttprequests with the content type set to "application/json" but you can set it to "text/plain;application/json" instead and bottle will accept it.".

Upstream report: https://github.com/defnull/bottle/issues/616

Patches for master, 0.11, and 0.12, respectively:

https://github.com/defnull/bottle/commit/7c3226867d9005903e268fedd819389ab8c6336d
https://github.com/defnull/bottle/commit/a3c7b6eba63f41968c78ea61a2dd1bf334cff4b0
https://github.com/defnull/bottle/commit/2589f5a808da9d0c2d153c379557e1a090acdf04

CVE-2014-3137 was assigned to this issue.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1093255
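
The content-type check described in the report above, as an added example that is not part of the original report and is not Bottle's own code. The function names are hypothetical, the lax variant assumes the match behaves like a substring test, and the sample headers are constructed apart from the value quoted in the report.

```python
# Added illustration; names are hypothetical and this is not Bottle's code.

def lax_is_json(content_type):
    """Assumed model of the reported behaviour: any header that merely
    mentions the JSON type anywhere in its value is treated as JSON."""
    return "application/json" in content_type.lower()


def media_type(content_type):
    """Return the media type: the text before the first ';', trimmed, lowercased."""
    return content_type.split(";", 1)[0].strip().lower()


def strict_is_json(content_type):
    """Treat the body as JSON only when the media type itself is application/json.
    Parameters such as charset are ignored; they cannot change the type."""
    return media_type(content_type) == "application/json"


# Constructed sample headers; the fourth is the value quoted in the report.
SAMPLES = [
    "application/json",
    "application/json; charset=utf-8",
    "Application/JSON",
    "text/plain;application/json",
    "text/plain; charset=utf-8",
    "",
]


def disagreements(samples=SAMPLES):
    """Headers on which the two checks differ: these are the values a
    regression test for the fix should cover."""
    return [h for h in samples if lax_is_json(h) != strict_is_json(h)]


if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header!r:36} lax={lax_is_json(header)!s:5} "
              f"strict={strict_is_json(header)}")
    print("checks disagree on:", disagreements())
```

Running `disagreements()` against the content-type handling of a deployed package is a quick way to confirm whether an unpatched 13.1-era build still accepts the mixed header.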
Comment 1 Swamp Workflow Management 2014-05-02 22:00:17 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2014-09-05 09:32:36 UTC
assign to last submitter in factory
Comment 4 Todd R 2014-10-28 14:14:57 UTC
This was fixed in the devel:languages:python package back in May.  The version in Factory and 13.2 has the fix as well.  If someone wants to backport the fix to 13.1 or earlier they can do so.
Comment 5 Johannes Segitz 2015-04-07 15:13:57 UTC
(In reply to Todd R from comment #4)
Fixed as described by Todd, no backport for openSUSE 13.1 available. Please reopen if you intend to submit a fix for openSUSE 13.1.