Bug 1194116 - (CVE-2021-45452) VUL-0: CVE-2021-45452: python-Django,python-Django1: Potential directory-traversal via Storage.save()
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Cloud Bugs
Security Team bot
https://smash.suse.de/issue/319215
CVSSv3.1:SUSE:CVE-2021-45452:5.3:(AV:...
Reported: 2021-12-28 14:28 UTC by Thomas Leroy
Modified: 2022-05-20 18:49 UTC (History)



Attachments:
- Upstream patch (6.78 KB, patch), 2021-12-28 14:32 UTC, Thomas Leroy
- Upstream patch 2.2.x (5.27 KB, patch), 2021-12-28 14:34 UTC, Thomas Leroy
- Upstream patch 3.2.x (6.02 KB, patch), 2021-12-28 14:34 UTC, Thomas Leroy
- Upstream patch 4.0.x (6.86 KB, patch), 2021-12-28 14:35 UTC, Thomas Leroy

Description Thomas Leroy 2021-12-28 14:28:13 UTC
CVE-2021-45452: Potential directory-traversal via ``Storage.save()``
====================================================================

Storage.save() allowed directory-traversal if directly passed suitably
crafted file names.

Affected versions
=================

* Django main development branch
* Django 4.0
* Django 3.2
* Django 2.2

Resolution
==========

Included with this email are patches implementing the changes described above
for each affected version of Django. On the release date, these patches will be
applied to the Django development repository and the following releases will be
issued along with disclosure of the issues:

* Django 4.0.1
* Django 3.2.11
* Django 2.2.26
Comment 3 Thomas Leroy 2021-12-28 14:32:55 UTC
Created attachment 854846: Upstream patch
Comment 4 Thomas Leroy 2021-12-28 14:34:19 UTC
Created attachment 854847: Upstream patch 2.2.x
Comment 5 Thomas Leroy 2021-12-28 14:34:40 UTC
Created attachment 854848: Upstream patch 3.2.x
Comment 6 Thomas Leroy 2021-12-28 14:35:12 UTC
Created attachment 854849: Upstream patch 4.0.x
Comment 7 Thomas Leroy 2021-12-28 15:30:11 UTC
The following codestreams are affected:
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-Django 1.11.29-3.25.3
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-Django1 1.11.29-3.25.1
Comment 8 Thomas Leroy 2021-12-29 09:00:24 UTC
openSUSE affected codestreams:
- openSUSE:Leap:15.2/python-Django (EOL by the time of the CRD)
- openSUSE:Backports:SLE-15-SP2/python-Django (EOL by the time of the CRD)
- openSUSE:Backports:SLE-15-SP3/python-Django
- openSUSE:Backports:SLE-15-SP4/python-Django
- openSUSE:Factory/python-Django
- openSUSE:Leap:15.2/python-Django1
- openSUSE:Backports:SLE-15-SP2/python-Django1 (EOL by the time of the CRD)
- openSUSE:Backports:SLE-15-SP3/python-Django1
- openSUSE:Backports:SLE-15-SP4/python-Django1
Comment 10 Fergal Mc Carthy 2022-01-13 17:49:42 UTC
SUSE:SLE-12-SP3:Update:Products:Cloud8:Update / python-Django:
  * https://build.suse.de/request/show/262170

SUSE:SLE-12-SP4:Update:Products:Cloud9:Update / python-Django1:
  * https://build.suse.de/request/show/262169
Comment 11 Swamp Workflow Management 2022-01-18 14:19:01 UTC
SUSE-SU-2022:0102-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194115,1194116,1194117
CVE References: CVE-2021-45115,CVE-2021-45116,CVE-2021-45452
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    python-Django-1.11.29-3.33.1
SUSE OpenStack Cloud 8 (src):    python-Django-1.11.29-3.33.1
HPE Helion Openstack 8 (src):    python-Django-1.11.29-3.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2022-01-18 14:37:08 UTC
SUSE-SU-2022:0103-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194115,1194116,1194117
CVE References: CVE-2021-45115,CVE-2021-45116,CVE-2021-45452
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    python-Django1-1.11.29-3.30.1
SUSE OpenStack Cloud 9 (src):    python-Django1-1.11.29-3.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Christian Almeida de Oliveira 2022-01-19 11:37:50 UTC
SOC updates released, back to security team.
Comment 14 Jan Zerebecki 2022-01-27 05:02:46 UTC
This seems to have caused the CI to now fail, not sure why it didn't in the run when it was released.

> [2022-01-26T17:19:18.049Z]       File "/opt/stack/venv/horizon-20220124T153100Z/lib/python2.7/site-packages/django/contrib/staticfiles/management/commands/collectstatic.py", line 364, in copy_file
> [2022-01-26T17:19:18.049Z]         self.storage.save(prefixed_path, source_file)
> [2022-01-26T17:19:18.049Z]       File "/opt/stack/venv/horizon-20220124T153100Z/lib/python2.7/site-packages/django/core/files/storage.py", line 58, in save
> [2022-01-26T17:19:18.049Z]         validate_file_name(name, allow_relative_path=True)
> [2022-01-26T17:19:18.049Z]     TypeError: validate_file_name() got an unexpected keyword argument 'allow_relative_path'

https://ci.suse.de/blue/organizations/jenkins/cloud-ardana9-job-mu-entry-scale-kvm-deploy-x86_64/detail/cloud-ardana9-job-mu-entry-scale-kvm-deploy-x86_64/237/pipeline
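The following is an added illustration, not Django's code and not taken from the attached patches, of two things this bug touches: the kind of file-name check the fix adds in front of Storage.save() (reject empty/dot names, absolute paths and any '..' component, optionally permitting subdirectories), and the backport failure mode in Comment 14, where the patched save() passes allow_relative_path=True to a validator whose older signature does not accept it. The names validate_file_name, legacy_validate_file_name, is_safe and accepts_relative_path_flag are hypothetical and modelled on the traceback above.

```python
import os
import pathlib
from inspect import signature


class SuspiciousFileOperation(Exception):
    """Raised when a file name would let Storage.save() escape its root."""


def validate_file_name(name, allow_relative_path=False):
    """Hypothetical validator modelled on the behaviour the advisory describes."""
    # A name with no usable final component can never be a safe file name.
    if os.path.basename(name) in {"", ".", ".."}:
        raise SuspiciousFileOperation("Could not derive file name from %r" % name)
    if allow_relative_path:
        # Subdirectories are allowed (e.g. an upload_to prefix), but the path must
        # stay relative and must not climb out of the storage root with '..'.
        path = pathlib.PurePosixPath(name)
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation("Detected path traversal attempt in %r" % name)
    elif name != os.path.basename(name):
        # Without the flag, any directory component at all is rejected.
        raise SuspiciousFileOperation("File name %r includes path elements" % name)
    return name


def is_safe(name, allow_relative_path=False):
    """True when validate_file_name() accepts the name, False when it raises."""
    try:
        validate_file_name(name, allow_relative_path)
    except SuspiciousFileOperation:
        return False
    return True


def legacy_validate_file_name(name):
    """Constructed stand-in for an older validator that has no keyword argument."""
    if os.path.basename(name) in {"", ".", ".."}:
        raise SuspiciousFileOperation("Could not derive file name from %r" % name)
    return name


def accepts_relative_path_flag(validator):
    """Check a validator's signature before shipping a save() that calls it with
    allow_relative_path=True; a False here is exactly the TypeError in Comment 14."""
    return "allow_relative_path" in signature(validator).parameters
```

The signature check is the sort of smoke test that would have caught the 1.11 backport mismatch before the collectstatic run in CI did.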
Comment 17 Swamp Workflow Management 2022-02-01 20:39:32 UTC
SUSE-SU-2022:0286-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194116,1195086,1195088
CVE References: CVE-2021-45452,CVE-2022-22818,CVE-2022-23833
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    python-Django-1.11.29-3.39.1
SUSE OpenStack Cloud 8 (src):    python-Django-1.11.29-3.39.1, venv-openstack-aodh-5.1.1~dev7-12.37.1, venv-openstack-barbican-5.0.2~dev3-12.38.1, venv-openstack-ceilometer-9.0.8~dev7-12.35.1, venv-openstack-cinder-11.2.3~dev29-14.39.1, venv-openstack-designate-5.0.3~dev7-12.36.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.33.1, venv-openstack-glance-15.0.3~dev3-12.36.1, venv-openstack-heat-9.0.8~dev22-12.40.1, venv-openstack-horizon-12.0.5~dev6-14.43.2, venv-openstack-ironic-9.1.8~dev8-12.38.1, venv-openstack-keystone-12.0.4~dev11-11.40.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.37.1, venv-openstack-manila-5.1.1~dev5-12.42.1, venv-openstack-monasca-2.2.2~dev1-11.40.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.33.1, venv-openstack-murano-4.0.2~dev2-12.33.1, venv-openstack-neutron-11.0.9~dev69-13.43.1, venv-openstack-nova-16.1.9~dev92-11.41.1, venv-openstack-octavia-1.0.6~dev3-12.38.1, venv-openstack-sahara-7.0.5~dev4-11.37.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.28.1, venv-openstack-trove-8.0.2~dev2-11.37.1
HPE Helion Openstack 8 (src):    python-Django-1.11.29-3.39.1, venv-openstack-aodh-5.1.1~dev7-12.37.1, venv-openstack-barbican-5.0.2~dev3-12.38.1, venv-openstack-ceilometer-9.0.8~dev7-12.35.1, venv-openstack-cinder-11.2.3~dev29-14.39.1, venv-openstack-designate-5.0.3~dev7-12.36.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.33.1, venv-openstack-glance-15.0.3~dev3-12.36.1, venv-openstack-heat-9.0.8~dev22-12.40.1, venv-openstack-horizon-hpe-12.0.5~dev6-14.43.2, venv-openstack-ironic-9.1.8~dev8-12.38.1, venv-openstack-keystone-12.0.4~dev11-11.40.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.37.1, venv-openstack-manila-5.1.1~dev5-12.42.1, venv-openstack-monasca-2.2.2~dev1-11.40.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.33.1, venv-openstack-murano-4.0.2~dev2-12.33.1, venv-openstack-neutron-11.0.9~dev69-13.43.1, venv-openstack-nova-16.1.9~dev92-11.41.1, venv-openstack-octavia-1.0.6~dev3-12.38.1, venv-openstack-sahara-7.0.5~dev4-11.37.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.28.1, venv-openstack-trove-8.0.2~dev2-11.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Jan Zerebecki 2022-05-20 18:49:06 UTC
> osc maintained python-Django
openSUSE:Backports:SLE-12/python-Django
openSUSE:Backports:SLE-15-SP3:Update/python-Django
openSUSE:Backports:SLE-15-SP4/python-Django
> osc maintained python-Django1
openSUSE:Backports:SLE-15-SP3:Update/python-Django1
openSUSE:Backports:SLE-15-SP4/python-Django1

At least one of them still needs to be fixed.