Bug 923172 - (CVE-2015-2316) VUL-1: CVE-2015-2316: python-django,python-Django: Django: possible denial of service in strip_tags()
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low
Severity: Normal
Target Milestone: ---
Assigned To: Bernhard Wiedemann
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/114930/
Depends on:
Blocks:
Reported: 2015-03-19 12:24 UTC by Marcus Meissner
Modified: 2015-10-13 13:08 UTC (History)
CC List: 5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2015-03-19 12:24:18 UTC
via https://www.djangoproject.com/weblog/2015/mar/18/security-releases/

Denial-of-service possibility with strip_tags()

Last year django.utils.html.strip_tags was changed to work iteratively. The problem is that the size of the input it's processing can increase on each iteration which results in an infinite loop in strip_tags(). This issue only affects versions of Python that haven't received a bugfix in HTMLParser; namely Python < 2.7.7 and 3.3.5. Some operating system vendors have also backported the fix for the Python bug into their packages of earlier versions.

To remedy this issue, strip_tags() will now return the original input if it detects the length of the string it's processing increases. Remember that absolutely NO guarantee is provided about the results of strip_tags() being HTML safe. So NEVER mark safe the result of a strip_tags() call without escaping it first, for example with django.utils.html.escape.

Thanks Andrey Babak for reporting the issue.

This issue has been assigned the identifier CVE-2015-2316.
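The remedy the advisory describes (keep stripping iteratively, but stop and hand back the current input as soon as a pass fails to make the string shorter) is shown below as an added example. It is not Django's own strip_tags() and not part of this bug report: it does one pass with the standard library's html.parser.HTMLParser, and the `strip_pass` parameter, the `growing_pass` helper and the `max_passes` cap on the pre-fix loop are constructed here so the guard can be exercised without an old, misbehaving HTMLParser.

```python
"""Iterative strip_tags() with the length-growth guard from the advisory.

Added example, not Django's code. `strip_pass`, `growing_pass` and
`max_passes` are constructed for this demonstration."""

from html.parser import HTMLParser


class _TagStripper(HTMLParser):
    """Keeps text, entity and character references; drops tags."""

    def __init__(self):
        # convert_charrefs=False keeps '&amp;' etc. verbatim, so the output
        # stays escaped text rather than decoded characters.
        super().__init__(convert_charrefs=False)
        self.fed = []

    def handle_data(self, data):
        self.fed.append(data)

    def handle_entityref(self, name):
        self.fed.append('&%s;' % name)

    def handle_charref(self, name):
        self.fed.append('&#%s;' % name)

    def get_data(self):
        return ''.join(self.fed)


def strip_once(value):
    """One stripping pass over `value`."""
    stripper = _TagStripper()
    stripper.feed(value)
    stripper.close()
    return stripper.get_data()


def strip_tags_pre_fix(value, strip_pass=strip_once, max_passes=5):
    """Unguarded loop (the pre-fix shape). `max_passes` is added only so this
    demonstration terminates; the real pre-fix loop had no such cap, which is
    why a pass that grows its input turned it into an infinite loop."""
    passes = 0
    while '<' in value and '>' in value and passes < max_passes:
        value = strip_pass(value)
        passes += 1
    return value


def strip_tags(value, strip_pass=strip_once):
    """Guarded loop: every accepted pass is strictly shorter than the last, so
    the loop runs at most len(value) times. A pass that does not shrink the
    string ends the loop and the current input is returned unchanged."""
    while '<' in value and '>' in value:
        new_value = strip_pass(value)
        if len(new_value) >= len(value):
            # No progress (or growth): bail out instead of re-feeding it.
            break
        value = new_value
    return value


def growing_pass(value):
    """Constructed stand-in for a parser that hands back more text than it was
    given, the condition that made the old loop never terminate."""
    return value + '<x>'


if __name__ == '__main__':
    print(strip_tags('<b>bold</b> &amp; <i>text</i>'))          # bold &amp; text
    print(strip_tags('<<b>b>hidden</b>'))                        # hidden (takes two passes)
    print(strip_tags('<a>b</a>', strip_pass=growing_pass))       # <a>b</a> (input returned)
    print(len(strip_tags_pre_fix('<a>b</a>', strip_pass=growing_pass)))  # 23, still growing
```

The second input shows why a single pass is not enough (the first pass leaves a new `<b>` behind), and the last two lines show the difference the guard makes: the guarded loop returns its input after one non-shrinking pass, while the unguarded loop keeps feeding the growing string back in until the demonstration cap stops it. As the advisory stresses, the returned string is still not HTML-safe and must be escaped before being marked safe.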
Comment 1 Marcus Meissner 2015-03-19 12:24:35 UTC
Can you cross-check if 1.4 is not affected too, please?
Comment 2 Marcus Meissner 2015-03-19 12:25:11 UTC
and 1.5.x
Comment 3 Swamp Workflow Management 2015-03-19 23:00:13 UTC
bugbot adjusting priority
Comment 4 Bernhard Wiedemann 2015-03-20 12:49:50 UTC
1.4 and 1.5 implement strip_tags with a regexp, so should not be affected.

Will need an update for python-Django-1.6 in SUSE Cloud 5.
Comment 6 Bernhard Wiedemann 2015-03-20 14:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (923172) was mentioned in
https://build.opensuse.org/request/show/292041 13.2 / python-Django
Comment 7 Bernhard Wiedemann 2015-03-24 17:00:23 UTC
This is an autogenerated message for OBS integration:
This bug (923172) was mentioned in
https://build.opensuse.org/request/show/292722 13.2 / python-Django
Comment 8 Swamp Workflow Management 2015-03-25 16:32:54 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-04-08.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61316
Comment 10 Swamp Workflow Management 2015-04-01 16:05:34 UTC
openSUSE-SU-2015:0643-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 913053,913055,913056,923172,923176
CVE References: CVE-2015-0219,CVE-2015-0221,CVE-2015-0222,CVE-2015-2316,CVE-2015-2317
Sources used:
openSUSE 13.2 (src):    python-Django-1.6.11-3.4.1
Comment 11 Swamp Workflow Management 2015-04-09 19:04:58 UTC
SUSE-SU-2015:0694-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 923172,923176
CVE References: CVE-2015-2316,CVE-2015-2317
Sources used:
SUSE Cloud 5 (src):    python-Django-1.6.11-0.7.1
Comment 12 Swamp Workflow Management 2015-06-23 14:06:01 UTC
SUSE-SU-2015:1109-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 913053,913055,913056,923172,923176
CVE References: CVE-2015-0219,CVE-2015-0221,CVE-2015-0222,CVE-2015-2316,CVE-2015-2317
Sources used:
SUSE Enterprise Storage 1.0 (src):    python-Django-1.6.11-4.1
Comment 13 Swamp Workflow Management 2015-06-23 14:07:21 UTC
SUSE-SU-2015:1112-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 913053,913055,913056,923172,923176
CVE References: CVE-2015-0219,CVE-2015-0221,CVE-2015-0222,CVE-2015-2316,CVE-2015-2317
Sources used:
SUSE Enterprise Storage 1.0 (src):    python-Django-1.6.11-4.1
Comment 14 Vincent Untz 2015-10-13 12:17:54 UTC
Unless I'm mistaken, this one has already been released. Can we close as FIXED?
Comment 15 Marcus Meissner 2015-10-13 13:08:46 UTC
Yes, was released.