Bug 1175784 - (CVE-2020-24583) VUL-0: CVE-2020-24583,CVE-2020-24584: python-Django,python-Django1: issues with permissions on intermediate-level directories on Python 3.7+
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Alberto Planas Dominguez
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/265981/
Depends on:
Blocks:
Reported: 2020-08-26 11:35 UTC by Alexandros Toptsoglou
Modified: 2020-09-01 13:33 UTC
CC List: 9 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patches (4.15 KB, application/x-xz)
2020-08-26 11:37 UTC, Alexandros Toptsoglou

Comment 10 Robert Frohl 2020-09-01 13:31:12 UTC
In accordance with `our security release policy <https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django team is issuing
`Django 3.1.1 <https://docs.djangoproject.com/en/dev/releases/3.1.1/>`_,
`Django 3.0.10 <https://docs.djangoproject.com/en/dev/releases/3.0.10/>`_ and
`Django 2.2.16 <https://docs.djangoproject.com/en/dev/releases/2.2.16/>`_.
These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
======================================================================================

On Python 3.7+, ``FILE_UPLOAD_DIRECTORY_PERMISSIONS`` mode was not
applied to intermediate-level directories created in the process of uploading
files and to intermediate-level collected static directories when using the
``collectstatic`` management command.

You should review and manually fix permissions on existing intermediate-level
directories.

CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
===============================================================================================================

On Python 3.7+, the intermediate-level directories of the file system cache had
the system's standard umask rather than ``0o077`` (no group or others
permissions).

Affected supported versions
===========================

* Django master branch
* Django 3.1
* Django 3.0
* Django 2.2

Resolution
==========

Patches to resolve the issue have been applied to Django's master branch and
the 3.1, 3.0, and 2.2 release branches. The patches may be obtained from the following changesets:

CVE-2020-24583:

* On the `master branch <https://github.com/django/django/commit/8d7271578d7b153435b40fe40236ebec43cbf1b9>`__
* On the `3.1 release branch <https://github.com/django/django/commit/934430d22aa5d90c2ba33495ff69a6a1d997d584>`__
* On the `3.0 release branch <https://github.com/django/django/commit/08892bffd275c79ee1f8f67639eb170aaaf1181e>`__
* On the `2.2 release branch <https://github.com/django/django/commit/375657a71c889c588f723469bd868bd1d40c369f>`__

CVE-2020-24584:

* On the `master branch <https://github.com/django/django/commit/1853724acaf17ed7414d54c7d2b5563a25025a71>`__
* On the `3.1 release branch <https://github.com/django/django/commit/2b099caa5923afa8cfb5f1e8c0d56b6e0e81915b>`__
* On the `3.0 release branch <https://github.com/django/django/commit/cdb367c92a0ba72ddc0cbd13ff42b0e6df709554>`__
* On the `2.2 release branch <https://github.com/django/django/commit/a3aebfdc8153dc230686b6d2454ccd32ed4c9e6f>`__

The following releases have been issued:

* Django 3.1.1 (`download Django 3.1.1 <https://www.djangoproject.com/m/releases/3.1/Django-3.1.1.tar.gz>`_ | `3.1.1 checksums <https://www.djangoproject.com/m/pgp/Django-3.1.1.checksum.txt>`_)
* Django 3.0.10 (`download Django 3.0.10 <https://www.djangoproject.com/m/releases/3.0/Django-3.0.10.tar.gz>`_ | `3.0.10 checksums <https://www.djangoproject.com/m/pgp/Django-3.0.10.checksum.txt>`_)
* Django 2.2.16 (`download Django 2.2.16 <https://www.djangoproject.com/m/releases/2.2/Django-2.2.16.tar.gz>`_ | `2.2.16 checksums <https://www.djangoproject.com/m/pgp/Django-2.2.16.checksum.txt>`_)

The PGP key ID used for these releases is Carlton Gibson: E17DF5C82B4F9D00.

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via
private email to ``security@djangoproject.com``, and not via Django's
Trac instance or the django-developers list. Please see `our security
policies <https://www.djangoproject.com/security/>`_ for further
information.
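The two advisories above share one root cause: since Python 3.7, ``os.makedirs()`` applies its ``mode`` argument only to the final path component, so the intermediate directories it creates get ``0o777`` masked by the process umask rather than the configured mode. The script below is an added example, not part of this bug report and not Django's own code. It reproduces the behaviour in a scratch directory, shows one way to create a whole path with a fixed mode (temporarily narrowing the umask; whether this matches the upstream patches exactly is an assumption, not something the advisory states), and provides the audit and chmod helpers a practitioner would want for the "review and manually fix permissions on existing intermediate-level directories" step, for both upload and static roots (``FILE_UPLOAD_DIRECTORY_PERMISSIONS``) and the file-system cache (expected ``0o700``, i.e. umask ``0o077``). Directory names and the ``0o022`` umask are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Constructed example; not Django's code. Since Python 3.7, os.makedirs()
# applies its `mode` argument only to the leaf directory, so intermediate
# directories are created as 0o777 & ~umask (0o755 under a 0o022 umask).


def make_dirs_with_mode(path, mode):
    """Create `path` and any missing parents so that every directory created
    by this call ends up with exactly `mode`. The umask is temporarily set to
    the complement of `mode`, which is the only knob that reaches the
    intermediate directories os.makedirs() creates (assumed approach)."""
    old_umask = os.umask(0o777 & ~mode)
    try:
        os.makedirs(path, mode, exist_ok=True)
    finally:
        os.umask(old_umask)


def dir_mode(path):
    """Permission bits of a directory as an int, e.g. 0o755."""
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_tree(root, max_mode):
    """Return relative paths of every directory below `root` whose permission
    bits include anything outside `max_mode`. With max_mode=0o700 this lists
    directories that grant group or other access, which is what the two CVEs
    are about."""
    offenders = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if dir_mode(path) & ~max_mode:
                offenders.append(os.path.relpath(path, root))
    return sorted(offenders)


def fix_tree(root, mode):
    """chmod every offending directory below `root` to `mode` and return the
    list of paths that were changed (the manual fix the advisory asks for)."""
    fixed = audit_tree(root, mode)
    for rel in fixed:
        os.chmod(os.path.join(root, rel), mode)
    return fixed


def reproduce():
    """Compare plain os.makedirs() with make_dirs_with_mode() under a
    deterministic 0o022 umask in a scratch directory. Returns the audit
    results for both trees, and for the plain tree after fix_tree()."""
    results = {}
    old_umask = os.umask(0o022)  # constructed: typical default umask
    try:
        with tempfile.TemporaryDirectory() as scratch:
            # Vulnerable pattern: mode reaches only the leaf "c".
            plain = os.path.join(scratch, "plain")
            os.makedirs(os.path.join(plain, "a", "b", "c"), 0o700)
            results["plain_before"] = audit_tree(plain, 0o700)
            results["plain_fixed"] = fix_tree(plain, 0o700)
            results["plain_after"] = audit_tree(plain, 0o700)

            # Hardened pattern: every created directory gets 0o700.
            strict = os.path.join(scratch, "strict")
            make_dirs_with_mode(os.path.join(strict, "a", "b", "c"), 0o700)
            results["strict_before"] = audit_tree(strict, 0o700)
    finally:
        os.umask(old_umask)
    return results


if __name__ == "__main__":
    for key, value in reproduce().items():
        print(f"{key}: {value}")
```

To audit a real deployment, call ``audit_tree(settings.MEDIA_ROOT, FILE_UPLOAD_DIRECTORY_PERMISSIONS)`` (or the cache ``LOCATION`` with ``0o700``) and review the list before running ``fix_tree``; ``fix_tree`` only touches directories that the audit flags, so re-running it is safe. Note that changing the umask is process-wide, so in a multithreaded server ``make_dirs_with_mode`` should be kept to short, uncontended code paths.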
Comment 11 Robert Frohl 2020-09-01 13:33:56 UTC
only relevant for openSUSE